|LDAP| Glossary
This topic aims to give you a concise overview of the different settings and requirements that enabling |LDAP| on |RCE| requires.
Required settings
The following LDAP attributes are required when enabling |LDAP| on |RCE|.
- Hostname or IP Address: Use a comma separated list for failover support.
- First Name
- Surname
- Port: Port 389 for unencrypted LDAP or port 636 for SSL-encrypted LDAP (LDAPS).
- Base DN (Distinguished Name): The Distinguished Name (DN) is how searches for users will be performed, and these searches can be controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of relative distinguished names (RDN) connected by commas. For example,
DN: cn='Monty Python',ou='people',dc='example',dc='com'
Connection security level: The following are the valid types:
No encryption: This connection type uses a plain non-encrypted connection.
LDAPS connection: This connection type uses end-to-end SSL. To enable an LDAPS connection you must set the following requirements:
- You must specify port 636
- Certificate checks are required.
- To enable START_TLS on LDAP connection, set the path to the SSL certificate in the default LDAP configuration file. The default ldap.conf file is located in /etc/openldap/ldap.conf.
TLS_CACERT /etc/ssl/certs/ca.crt
- The LDAP username or account used to connect to |RCE|. This will be added to the LDAP filter for locating the user object.
- For example, if an LDAP filter is specified as LDAPFILTER, the login attribute is specified as uid, and the user connects as jsmith, then the LDAP Filter will be like the following example.
(&(LDAPFILTER)(uid=jsmith))
- The LDAP search scope must be set. This limits how far LDAP will search for
a matching object.
- BASE Only allows searching of the Base DN.
- ONELEVEL Searches all entries under the Base DN, but not the Base DN itself.
- SUBTREE Searches all entries below the Base DN, but not Base DN itself.
Note
When using SUBTREE LDAP filtering it is useful to limit object location.
Optional settings
The following are optional when enabling LDAP on |RCM|
An LDAP account is only required if the LDAP server does not allow anonymous browsing of records.
An LDAP password is only required if the LDAP server does not allow anonymous browsing of records
Using an LDAP filter is optional. An LDAP filter defined by RFC 2254. This is more useful that the LDAP Search Scope if set to SUBTREE. The filter is useful for limiting which LDAP objects are identified as representing Users for authentication. The filter is augmented by Login Attribute below. This can commonly be left blank.
Certificate Checks are only required if you need to use LDAPS. You can use the following levels of LDAP service with RhodeCode Enterprise:
- NEVER : A serve certificate will never be requested or checked.
- ALLOW : A server certificate is requested. Failure to provide a certificate or providing a bad certificate will not terminate the session.
- TRY : A server certificate is requested. Failure to provide a certificate does not halt the session; providing a bad certificate halts the session.
- DEMAND : A server certificate is requested and must be provided and authenticated for the session to proceed.
- HARD : The same as DEMAND.
Note
Only DEMAND or HARD offer full SSL security while the other options are vulnerable to man-in-the-middle attacks.
|RCE| uses OPENLDAP libraries. This allows DEMAND or HARD LDAPS connections to use self-signed certificates or certificates that do not have traceable certificates of authority. To enable this functionality install the SSL certificates in the following directory: /etc/openldap/cacerts
Below is example setup that can be used with Active Directory and ldap groups.
