docs: update LDAP documentation according to user feedback.
marcink -
r2656:f7a8197c default
@@ -0,0 +1,112 b''
1 .. _config-ldap-groups-ref:
2
3 LDAP/AD With User Groups Sync
4 -----------------------------
5
6 |RCM| supports LDAP (Lightweight Directory Access Protocol) or
7 AD (active Directory) authentication.
8 All LDAP versions are supported, with the following |RCM| plugins managing each:
9
10 * For LDAP/AD with user group sync use ``LDAP + User Groups (egg:rhodecode-enterprise-ee#ldap_group)``
11
12 RhodeCode reads all data defined from plugin and creates corresponding
13 accounts on local database after receiving data from LDAP. This is done on
14 every user log-in including operations like pushing/pulling/checkout.
15 In addition group membership is read from LDAP and following operations are done:
16
17 - automatic addition of user to |RCM| user group
18 - automatic removal of user from any other |RCM| user groups not specified in LDAP.
19 The removal is done *only* on groups that are marked to be synced from ldap.
20 This setting can be changed in advanced settings on user groups
21 - automatic creation of user groups if they aren't yet existing in |RCM|
22 - marking user as super-admins if he is a member of any admin group defined in plugin settings
23
24 This plugin is available only in EE Edition.
25
26 .. important::
27
28 The email used with your |RCE| super-admin account needs to match the email
29 address attached to your admin profile in LDAP. This is because
30 within |RCE| the user email needs to be unique, and multiple users
31 cannot share an email account.
32
33 Likewise, if as an admin you also have a user account, the email address
34 attached to the user account needs to be different.
35
36
37 LDAP Configuration Steps
38 ^^^^^^^^^^^^^^^^^^^^^^^^
39
40 To configure |LDAP|, use the following steps:
41
42 1. From the |RCM| interface, select
43 :menuselection:`Admin --> Authentication`
44 2. Enable the ldap+ groups plugin and select :guilabel:`Save`
45 3. Select the :guilabel:`Enabled` check box in the plugin configuration section
46 4. Add the required LDAP information and :guilabel:`Save`, for more details,
47 see :ref:`config-ldap-groups-examples`
48
49 For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`:
50
51 .. _config-ldap-groups-examples:
52
53 Example LDAP configuration
54 ^^^^^^^^^^^^^^^^^^^^^^^^^^
55 .. code-block:: bash
56
57 # Auth Cache TTL, Defines the caching for authentication to offload LDAP server.
58 # This means that cache result will be saved for 3600 before contacting LDAP server to verify the user access
59 3600
60 # Host, comma seperated format is optionally possible to specify more than 1 server
61 https://ldap1.server.com/ldap-admin/,https://ldap2.server.com/ldap-admin/
62 # Default LDAP Port, use 689 for LDAPS
63 389
64 # Account, used for SimpleBind if LDAP server requires an authentication
65 e.g admin@server.com
66 # Password used for simple bind
67 ldap-user-password
68 # LDAP connection security
69 LDAPS
70 # Certificate checks level
71 DEMAND
72 # Base DN
73 cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
74 # User Search Base
75 ou=groups,ou=users
76 # LDAP search filter to narrow the results
77 (objectClass=person)
78 # LDAP search scope
79 SUBTREE
80 # Login attribute
81 sAMAccountName
82 # First Name Attribute to read
83 givenName
84 # Last Name Attribute to read
85 sn
86 # Email Attribute to read email address from
87 mail
88 # group extraction method
89 rfc2307bis
90 # Group search base
91 ou=RC-Groups
92 # Group Name Attribute, field to read the group name from
93 sAMAAccountName
94 # User Member of Attribute, field in which groups are stored
95 memberOf
96 # LDAP Group Search Filter, allows narrowing the results
97
98 # Admin Groups. Comma separated list of groups. If user is member of
99 # any of those he will be marked as super-admin in RhodeCode
100 admins, management
101
102
103 Below is example setup that can be used with Active Directory and ldap groups.
104
105 .. image:: ../images/ldap-groups-example.png
106 :alt: LDAP/AD setup example
107 :scale: 50 %
108
109 .. toctree::
110
111 ldap-active-directory
112 ldap-authentication No newline at end of file
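Review bot: the Group Name Attribute value `sAMAAccountName` has an extra `A`; the AD attribute is `sAMAccountName`, exactly as it is written for the Login attribute a few lines above, and with the misspelled name group sync would find no group names at all. Two more fixes in the same example block: the port comment says `use 689 for LDAPS`, but the standard LDAPS port is 636, and `comma seperated` should be `comma separated`. The toctree at the end of the file lists `ldap-active-directory` and `ldap-authentication`, which are neither added nor renamed in this change and do not follow the `auth-*` naming used for the other pages, so verify both targets exist or the docs build will warn. Minor wording in the bullet list: `marking user as super-admins if he is a member` reads better as `marking the user as super-admin if they are a member`.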
1 NO CONTENT: new file 100644, binary diff hidden
1 NO CONTENT: file renamed from docs/auth/crowd-auth.rst to docs/auth/auth-crowd.rst
@@ -1,14 +1,17 b''
1 .. _config-ldap-ref:
1 .. _config-ldap-ref:
2
2
3 LDAP
3 LDAP/AD
4 ----
4 -------
5
5
6 |RCM| supports LDAP (Lightweight Directory Access Protocol) or
6 |RCM| supports LDAP (Lightweight Directory Access Protocol) or
7 AD (active Directory) authentication.
7 AD (active Directory) authentication.
8 All LDAP versions are supported, with the following |RCM| plugins managing each:
8 All LDAP versions are supported, with the following |RCM| plugins managing each:
9
9
10 * For LDAPv3 use ``LDAP (egg:rhodecode-enterprise-ce#ldap)``
10 * For LDAP or Active Directory use ``LDAP (egg:rhodecode-enterprise-ce#ldap)``
11 * For LDAPv3 with user group sync use ``LDAP + User Groups (egg:rhodecode-enterprise-ee#ldap_group)``
11
12 RhodeCode reads all data defined from plugin and creates corresponding
13 accounts on local database after receiving data from LDAP. This is done on
14 every user log-in including operations like pushing/pulling/checkout.
12
15
13
16
14 .. important::
17 .. important::
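Review bot: the paragraph removed at old lines 12-14 (accounts are created in the local database on every login, including push, pull and checkout) describes the behaviour of the plain LDAP plugin as well, not only the user-groups plugin, so dropping it from auth-ldap.rst leaves this page without that explanation; keep it here, or add a sentence pointing to :ref:`config-ldap-groups-ref` for the groups variant. Also, now that the title is `LDAP/AD`, `AD (active Directory)` on line 7 should be `AD (Active Directory)`.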
@@ -21,6 +24,7 b' All LDAP versions are supported, with th'
21 Likewise, if as an admin you also have a user account, the email address
24 Likewise, if as an admin you also have a user account, the email address
22 attached to the user account needs to be different.
25 attached to the user account needs to be different.
23
26
27
24 LDAP Configuration Steps
28 LDAP Configuration Steps
25 ^^^^^^^^^^^^^^^^^^^^^^^^
29 ^^^^^^^^^^^^^^^^^^^^^^^^
26
30
@@ -28,7 +32,7 b' To configure |LDAP|, use the following s'
28
32
29 1. From the |RCM| interface, select
33 1. From the |RCM| interface, select
30 :menuselection:`Admin --> Authentication`
34 :menuselection:`Admin --> Authentication`
31 2. Enable the required plugin and select :guilabel:`Save`
35 2. Enable the ldap plugin and select :guilabel:`Save`
32 3. Select the :guilabel:`Enabled` check box in the plugin configuration section
36 3. Select the :guilabel:`Enabled` check box in the plugin configuration section
33 4. Add the required LDAP information and :guilabel:`Save`, for more details,
37 4. Add the required LDAP information and :guilabel:`Save`, for more details,
34 see :ref:`config-ldap-examples`
38 see :ref:`config-ldap-examples`
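Review bot: `Enable the ldap plugin` in step 2 should name the plugin the way the bullet above and the UI do, e.g. ``LDAP (egg:rhodecode-enterprise-ce#ldap)``, or at least capitalise `LDAP`; the new groups page phrases the same step as `Enable the ldap+ groups plugin`, so the two pages now describe one step two different ways.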
@@ -41,15 +45,16 b' Example LDAP configuration'
41 ^^^^^^^^^^^^^^^^^^^^^^^^^^
45 ^^^^^^^^^^^^^^^^^^^^^^^^^^
42 .. code-block:: bash
46 .. code-block:: bash
43
47
44 # Auth Cache TTL
48 # Auth Cache TTL, Defines the caching for authentication to offload LDAP server.
49 # This means that cache result will be saved for 3600 before contacting LDAP server to verify the user access
45 3600
50 3600
46 # Host
51 # Host, comma seperated format is optionally possible to specify more than 1 server
47 https://ldap1.server.com/ldap-admin/,https://ldap2.server.com/ldap-admin/
52 https://ldap1.server.com/ldap-admin/,https://ldap2.server.com/ldap-admin/
48 # Port
53 # Default LDAP Port, use 689 for LDAPS
49 389
54 389
50 # Account
55 # Account, used for SimpleBind if LDAP server requires an authentication
51 cn=admin,dc=rhodecode,dc=com
56 e.g admin@server.com
52 # Password
57 # Password used for simple bind
53 ldap-user-password
58 ldap-user-password
54 # LDAP connection security
59 # LDAP connection security
55 LDAPS
60 LDAPS
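Review bot: the new comment `Default LDAP Port, use 689 for LDAPS` is wrong; LDAPS listens on port 636 by default. The Account value changes from the bind DN `cn=admin,dc=rhodecode,dc=com` to `e.g admin@server.com`: the UPN form only works for simple bind against Active Directory, while a generic LDAP server expects the bind DN, so keep the DN as the primary example (mentioning the UPN form as an AD alternative in the comment) and drop the `e.g` from the value line, since every other line in this block is a literal value. Also `comma seperated` is misspelled, and the Host values are `https://.../ldap-admin/` URLs, whereas an LDAP host setting takes a hostname or IP such as `ldap1.server.com`.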
@@ -57,32 +62,26 b' Example LDAP configuration'
57 DEMAND
62 DEMAND
58 # Base DN
63 # Base DN
59 cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
64 cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
60 # User Search Base
65 # LDAP search filter to narrow the results
61 ou=groups,ou=users
62 # LDAP search filter
63 (objectClass=person)
66 (objectClass=person)
64 # LDAP search scope
67 # LDAP search scope
65 SUBTREE
68 SUBTREE
66 # Login attribute
69 # Login attribute
67 rmagillacuddy
70 sAMAccountName
68 # First Name Attribute
71 # First Name Attribute to read
69 Rufus
72 givenName
70 # Last Name Attribute
73 # Last Name Attribute to read
71 Magillacuddy
74 sn
72 # Email Attribute
75 # Email Attribute to read email address from
73 LDAP-Registered@email.ac
76 mail
74 # User Member of Attribute
77
75 Organizational Role
78
76 # Group search base
79 Below is example setup that can be used with Active Directory/LDAP server.
77 cn=users,ou=groups,dc=rhodecode,dc=com
80
78 # LDAP Group Search Filter
81 .. image:: ../images/ldap-example.png
79 (objectclass=posixGroup)
82 :alt: LDAP/AD setup example
80 # Group Name Attribute
83 :scale: 50 %
81 users
84
82 # Group Member Of Attribute
83 cn
84 # Admin Groups
85 admin,devops,qa
86
85
87 .. toctree::
86 .. toctree::
88
87
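Review bot: the Base DN value `cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com` is a single user entry, so combined with the `SUBTREE` scope and the `(objectClass=person)` filter the search can only ever return that one user; the base should be the container, e.g. `ou=users,dc=rhodecode,dc=com`. Replacing the sample values (`rmagillacuddy`, `Rufus`, `Magillacuddy`, `LDAP-Registered@email.ac`) with attribute names (`sAMAccountName`, `givenName`, `sn`, `mail`) is the right fix, since these fields take attribute names, not values. `User Search Base` is removed from this example but is still present in the groups example; if the CE plugin keeps that field, this example is now missing it.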
1 NO CONTENT: file renamed from docs/auth/pam-auth.rst to docs/auth/auth-pam.rst
1 NO CONTENT: file renamed from docs/auth/token-auth.rst to docs/auth/auth-token.rst
@@ -3,35 +3,30 b''
3 Authentication Options
3 Authentication Options
4 ======================
4 ======================
5
5
6 |RCE| provides a built in authentication plugin
6 |RCE| provides a built in authentication against its own database. This is
7 ``rhodecode.lib.auth_rhodecode``. This is enabled by default and accessed
7 implemented using ``rhodecode.lib.auth_rhodecode`` plugin. This plugin is
8 through the administrative interface. Additionally,
8 enabled by default.
9 |RCE| provides a Pluggable Authentication System (PAS). This gives the
9 Additionally, |RCE| provides a Pluggable Authentication System. This gives the
10 administrator greater control over how users authenticate with the system.
10 administrator greater control over how users authenticate with the system.
11
11
12 .. important::
12 .. important::
13
13
14 You can disable the built in |RCM| authentication plugin
14 You can disable the built in |RCM| authentication plugin
15 ``rhodecode.lib.auth_rhodecode`` and force all authentication to go
15 ``rhodecode.lib.auth_rhodecode`` and force all authentication to go
16 through your authentication plugin. However, if you do this,
16 through your authentication plugin of choice e.g LDAP only.
17 and your external authentication tools fails, you will be unable to
17 However, if you do this, and your external authentication tools fails,
18 access |RCM|.
18 you will be unable to access |RCM|.
19
19
20 |RCM| comes with the following user authentication management plugins:
20 |RCM| comes with the following user authentication management plugins:
21
21
22 .. only:: latex
23
24 * :ref:`config-ldap-ref`
25 * :ref:`config-pam-ref`
26 * :ref:`config-crowd-ref`
27 * :ref:`config-token-ref`
28
22
29 .. toctree::
23 .. toctree::
30
24
31 ldap-config-steps
25 auth-ldap
32 crowd-auth
26 auth-ldap-groups
33 pam-auth
27 auth-crowd
34 token-auth
28 auth-pam
29 auth-token
35 ssh-connection
30 ssh-connection
36
31
37
32
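Review bot: `your external authentication tools fails` on new line 17 should be `your external authentication tool fails`, and `e.g LDAP only` on line 16 needs `e.g.`; `a built in authentication against its own database` on line 6 reads better as `built-in authentication against its own database`. Removing the `.. only:: latex` list is fine, because the toctree below now carries the same entries plus `auth-ldap-groups`, which the old list lacked.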
@@ -104,7 +104,6 b' exclude_patterns = ['
104
104
105 # Other RST files
105 # Other RST files
106 'admin/rhodecode-backup.rst',
106 'admin/rhodecode-backup.rst',
107 'auth/ldap-configuration-example.rst',
108 'issue-trackers/redmine.rst',
107 'issue-trackers/redmine.rst',
109 'known-issues/error-msg-guide.rst',
108 'known-issues/error-msg-guide.rst',
110 'tutorials/docs-build.rst',
109 'tutorials/docs-build.rst',
1 NO CONTENT: file was removed