docs: updated references for rhodecode extensions

File last commit:

r2656:f7a8197c default
r3289:9530a430 default
/ docs / auth / auth-ldap-groups.rst

LDAP/AD With User Groups Sync

|RCM| supports LDAP (Lightweight Directory Access Protocol) or AD (Active Directory) authentication. All LDAP versions are supported, with the following |RCM| plugins managing each:

  • For LDAP/AD with user group sync use LDAP + User Groups (egg:rhodecode-enterprise-ee#ldap_group)

RhodeCode reads all data defined in the plugin and, after receiving data from LDAP, creates the corresponding accounts in the local database. This is done on every user log-in, including operations like pushing/pulling/checkout. In addition, group membership is read from LDAP and the following operations are performed:

  • automatic addition of the user to |RCM| user groups
  • automatic removal of the user from any other |RCM| user groups not specified in LDAP. The removal is done only on groups that are marked to be synced from LDAP. This setting can be changed in the advanced settings on user groups
  • automatic creation of user groups if they do not yet exist in |RCM|
  • marking the user as a super-admin if they are a member of any admin group defined in the plugin settings
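The four rules above can be modelled as a small reconciliation step. This is an added illustration, not RhodeCode's own code: the function and class names, the exact (case sensitive) name matching and the sample groups are assumptions made for the example.

```python
# Added illustration: a model of the sync rules listed above, not RhodeCode code.
from dataclasses import dataclass, field


def parse_admin_groups(setting):
    """Split the comma separated 'Admin Groups' value, e.g. 'admins, management'."""
    return {name.strip() for name in setting.split(",") if name.strip()}


@dataclass
class SyncPlan:
    create: set = field(default_factory=set)   # user groups missing locally
    add: set = field(default_factory=set)      # memberships to add
    remove: set = field(default_factory=set)   # memberships to drop
    grant_super_admin: bool = False


def plan_group_sync(ldap_groups, local_groups, memberships, admin_setting):
    """Compute the changes a single log-in would trigger.

    ldap_groups   -- group names LDAP returned for the user
    local_groups  -- {group name: True if marked as synced from LDAP}
    memberships   -- local user groups the user is in before the log-in
    admin_setting -- raw 'Admin Groups' value from the plugin settings
    """
    ldap_groups = set(ldap_groups)
    memberships = set(memberships)
    plan = SyncPlan()
    plan.create = ldap_groups - set(local_groups)
    plan.add = ldap_groups - memberships
    # Only groups marked as synced from LDAP are eligible for removal;
    # locally managed groups keep their members.
    plan.remove = {g for g in memberships - ldap_groups
                   if local_groups.get(g, False)}
    plan.grant_super_admin = bool(ldap_groups & parse_admin_groups(admin_setting))
    return plan


# Constructed sample data (hypothetical group names).
LOCAL_GROUPS = {"developers": True, "qa": True, "release-managers": False}
PLAN = plan_group_sync(
    ldap_groups=["developers", "management", "auditors"],
    local_groups=LOCAL_GROUPS,
    memberships=["developers", "qa", "release-managers"],
    admin_setting="admins, management",
)

if __name__ == "__main__":
    print(PLAN)
```

In this model, membership of a single LDAP group named in the admin list is enough to set the super-admin flag at the next log-in, so write access to those directory groups deserves the same protection as the super-admin account itself.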

This plugin is available only in EE Edition.


The email used with your |RCE| super-admin account needs to match the email address attached to your admin profile in LDAP. This is because within |RCE| the user email needs to be unique, and multiple users cannot share an email account.

Likewise, if as an admin you also have a user account, the email address attached to the user account needs to be different.

LDAP Configuration Steps

To configure |LDAP|, use the following steps:

  1. From the |RCM| interface, select :menuselection:`Admin --> Authentication`
  2. Enable the ldap+ groups plugin and select :guilabel:`Save`
  3. Select the :guilabel:`Enabled` check box in the plugin configuration section
  4. Add the required LDAP information and select :guilabel:`Save`. For more details, see :ref:`config-ldap-groups-examples`

For a more detailed description of LDAP objects, see :ref:`ldap-gloss-ref`.

Example LDAP configuration

# Auth Cache TTL, defines the caching for authentication to offload the LDAP server.
# This means the cached result is kept for 3600 seconds before the LDAP server is contacted again to verify the user's access
# Host, a comma separated list can optionally be used to specify more than one server
# Default LDAP Port, use 636 for LDAPS
# Account, used for SimpleBind if the LDAP server requires authentication
e.g admin@server.com
# Password used for simple bind
# LDAP connection security
# Certificate checks level
# Base DN
cn=Rufus Magillacuddy,ou=users,dc=rhodecode,dc=com
# User Search Base
# LDAP search filter to narrow the results
# LDAP search scope
# Login attribute
# First Name Attribute to read
# Last Name Attribute to read
# Email Attribute to read email address from
# group extraction method
# Group search base
# Group Name Attribute, field to read the group name from
# User Member of Attribute, field in which groups are stored
# LDAP Group Search Filter, allows narrowing the results

# Admin Groups. Comma separated list of groups. If the user is a member of
# any of those, they will be marked as super-admin in RhodeCode
admins, management

Below is an example setup that can be used with Active Directory and LDAP groups.

LDAP/AD setup example