##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

docs: move authentication info to separate file...
Thomas De Schampheleire -
r7262:2898ea3f default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
This diff has been collapsed as it changes many lines, (604 lines changed) Show them Hide them
@@ -1,181 +1,16 b''
1 .. _setup:
1 .. _authentication:
2
2 Authentication setup
3 =====
3 ====================
4 Setup
5 =====
6
7
8 Preparing front-end
9 -------------------
10
11 Temporarily, in the current Kallithea version, some extra steps are required to
12 build front-end files:
13
14 Find the right ``kallithea/public/less`` path with::
15
16 python -c "import os, kallithea; print os.path.join(os.path.dirname(os.path.abspath(kallithea.__file__)), 'public', 'less')"
17
18 Then run::
19
20 npm install
21 npm run less
22
23
24 Setting up Kallithea
25 --------------------
26
27 First, you will need to create a Kallithea configuration file. Run the
28 following command to do so::
29
30 gearbox make-config my.ini
31
32 This will create the file ``my.ini`` in the current directory. This
33 configuration file contains the various settings for Kallithea, e.g.
34 proxy port, email settings, usage of static files, cache, Celery
35 settings, and logging. Extra settings can be specified like::
36
37 gearbox make-config my.ini host=8.8.8.8 "[handler_console]" formatter=color_formatter
38
39 Next, you need to create the databases used by Kallithea. It is recommended to
40 use PostgreSQL or SQLite (default). If you choose a database other than the
41 default, ensure you properly adjust the database URL in your ``my.ini``
42 configuration file to use this other database. Kallithea currently supports
43 PostgreSQL, SQLite and MySQL databases. Create the database by running
44 the following command::
45
46 gearbox setup-db -c my.ini
47
48 This will prompt you for a "root" path. This "root" path is the location where
49 Kallithea will store all of its repositories on the current machine. After
50 entering this "root" path ``setup-db`` will also prompt you for a username
51 and password for the initial admin account which ``setup-db`` sets
52 up for you.
53
54 The ``setup-db`` values can also be given on the command line.
55 Example::
56
57 gearbox setup-db -c my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
58
59 The ``setup-db`` command will create all needed tables and an
60 admin account. When choosing a root path you can either use a new
61 empty location, or a location which already contains existing
62 repositories. If you choose a location which contains existing
63 repositories Kallithea will add all of the repositories at the chosen
64 location to its database. (Note: make sure you specify the correct
65 path to the root).
66
67 .. note:: the given path for Mercurial_ repositories **must** be write
68 accessible for the application. It's very important since
69 the Kallithea web interface will work without write access,
70 but when trying to do a push it will fail with permission
71 denied errors unless it has write access.
72
73 You are now ready to use Kallithea. To run it simply execute::
74
75 gearbox serve -c my.ini
76
77 - This command runs the Kallithea server. The web app should be available at
78 http://127.0.0.1:5000. The IP address and port is configurable via the
79 configuration file created in the previous step.
80 - Log in to Kallithea using the admin account created when running ``setup-db``.
81 - The default permissions on each repository is read, and the owner is admin.
82 Remember to update these if needed.
83 - In the admin panel you can toggle LDAP, anonymous, and permissions
84 settings, as well as edit more advanced options on users and
85 repositories.
86
4
87
5 Users can be authenticated in different ways. By default, Kallithea
88 Internationalization (i18n support)
6 uses its internal user database. Alternative authentication
89 -----------------------------------
7 methods include LDAP, PAM, Crowd, and container-based authentication.
90
91 The Kallithea web interface is automatically displayed in the user's preferred
92 language, as indicated by the browser. Thus, different users may see the
93 application in different languages. If the requested language is not available
94 (because the translation file for that language does not yet exist or is
95 incomplete), the language specified in setting ``i18n.lang`` in the Kallithea
96 configuration file is used as fallback. If no fallback language is explicitly
97 specified, English is used.
98
99 If you want to disable automatic language detection and instead configure a
100 fixed language regardless of user preference, set ``i18n.enabled = false`` and
101 set ``i18n.lang`` to the desired language (or leave empty for English).
102
103
104 Using Kallithea with SSH
105 ------------------------
106
107 Kallithea currently only hosts repositories using http and https. (The addition
108 of ssh hosting is a planned future feature.) However you can easily use ssh in
109 parallel with Kallithea. (Repository access via ssh is a standard "out of
110 the box" feature of Mercurial_ and you can use this to access any of the
111 repositories that Kallithea is hosting. See PublishingRepositories_)
112
113 Kallithea repository structures are kept in directories with the same name
114 as the project. When using repository groups, each group is a subdirectory.
115 This allows you to easily use ssh for accessing repositories.
116
117 In order to use ssh you need to make sure that your web server and the users'
118 login accounts have the correct permissions set on the appropriate directories.
119
120 .. note:: These permissions are independent of any permissions you
121 have set up using the Kallithea web interface.
122
123 If your main directory (the same as set in Kallithea settings) is for
124 example set to ``/srv/repos`` and the repository you are using is
125 named ``kallithea``, then to clone via ssh you should run::
126
127 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
128
129 Using other external tools such as mercurial-server_ or using ssh key-based
130 authentication is fully supported.
131
132 .. note:: In an advanced setup, in order for your ssh access to use
133 the same permissions as set up via the Kallithea web
134 interface, you can create an authentication hook to connect
135 to the Kallithea db and run check functions for permissions
136 against that.
137
138
139 Setting up Whoosh full text search
140 ----------------------------------
141
142 Kallithea provides full text search of repositories using `Whoosh`__.
143
144 .. __: https://whoosh.readthedocs.io/en/latest/
145
146 For an incremental index build, run::
147
148 gearbox make-index -c my.ini
149
150 For a full index rebuild, run::
151
152 gearbox make-index -c my.ini -f
153
154 The ``--repo-location`` option allows the location of the repositories to be overridden;
155 usually, the location is retrieved from the Kallithea database.
156
157 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
158
159 gearbox make-index -c my.ini --index-only=vcs,kallithea
160
161 To keep your index up-to-date it is necessary to do periodic index builds;
162 for this, it is recommended to use a crontab entry. Example::
163
164 0 3 * * * /path/to/virtualenv/bin/gearbox make-index -c /path/to/kallithea/my.ini
165
166 When using incremental mode (the default), Whoosh will check the last
167 modification date of each file and add it to be reindexed if a newer file is
168 available. The indexing daemon checks for any removed files and removes them
169 from index.
170
171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
172 or in the admin panel you can check the "build from scratch" checkbox.
173
8
174 .. _ldap-setup:
9 .. _ldap-setup:
175
10
176
11
177 Setting up LDAP support
12 LDAP Authentication
178 -----------------------
13 -------------------
179
14
180 Kallithea supports LDAP authentication. In order
15 Kallithea supports LDAP authentication. In order
181 to use LDAP, you have to install the python-ldap_ package. This package is
16 to use LDAP, you have to install the python-ldap_ package. This package is
@@ -417,7 +252,7 b' Container-based authentication'
417 In a container-based authentication setup, Kallithea reads the user name from
252 In a container-based authentication setup, Kallithea reads the user name from
418 the ``REMOTE_USER`` server variable provided by the WSGI container.
253 the ``REMOTE_USER`` server variable provided by the WSGI container.
419
254
420 After setting up your container (see `Apache with mod_wsgi`_), you'll need
255 After setting up your container (see :ref:`apache_mod_wsgi`), you'll need
421 to configure it to require authentication on the location configured for
256 to configure it to require authentication on the location configured for
422 Kallithea.
257 Kallithea.
423
258
@@ -428,8 +263,8 b' In a proxy pass-through authentication s'
428 from the ``X-Forwarded-User`` request header, which should be configured to be
263 from the ``X-Forwarded-User`` request header, which should be configured to be
429 sent by the reverse-proxy server.
264 sent by the reverse-proxy server.
430
265
431 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
266 After setting up your proxy solution (see :ref:`apache_virtual_host_reverse_proxy`,
432 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
267 :ref:`apache_subdirectory` or :ref:`nginx_virtual_host`), you'll need to
433 configure the authentication and add the username in a request header named
268 configure the authentication and add the username in a request header named
434 ``X-Forwarded-User``.
269 ``X-Forwarded-User``.
435
270
@@ -530,421 +365,4 b' could set the request headers however yo'
530 using any account of their liking.
365 using any account of their liking.
531
366
532
367
533 Integration with issue trackers
534 -------------------------------
535
536 Kallithea provides a simple integration with issue trackers. It's possible
537 to define a regular expression that will match an issue ID in commit messages,
538 and have that replaced with a URL to the issue.
539
540 This is achieved with following three variables in the ini file::
541
542 issue_pat = #(\d+)
543 issue_server_link = https://issues.example.com/{repo}/issue/\1
544 issue_sub =
545
546 ``issue_pat`` is the regular expression describing which strings in
547 commit messages will be treated as issue references. The expression can/should
548 have one or more parenthesized groups that can later be referred to in
549 ``issue_server_link`` and ``issue_sub`` (see below). If you prefer, named groups
550 can be used instead of simple parenthesized groups.
551
552 If the pattern should only match if it is preceded by whitespace, add the
553 following string before the actual pattern: ``(?:^|(?<=\s))``.
554 If the pattern should only match if it is followed by whitespace, add the
555 following string after the actual pattern: ``(?:$|(?=\s))``.
556 These expressions use lookbehind and lookahead assertions of the Python regular
557 expression module to avoid the whitespace to be part of the actual pattern,
558 otherwise the link text will also contain that whitespace.
559
560 Matched issue references are replaced with the link specified in
561 ``issue_server_link``, in which any backreferences are resolved. Backreferences
562 can be ``\1``, ``\2``, ... or for named groups ``\g<groupname>``.
563 The special token ``{repo}`` is replaced with the full repository path
564 (including repository groups), while token ``{repo_name}`` is replaced with the
565 repository name (without repository groups).
566
567 The link text is determined by ``issue_sub``, which can be a string containing
568 backreferences to the groups specified in ``issue_pat``. If ``issue_sub`` is
569 empty, then the text matched by ``issue_pat`` is used verbatim.
570
571 The example settings shown above match issues in the format ``#<number>``.
572 This will cause the text ``#300`` to be transformed into a link:
573
574 .. code-block:: html
575
576 <a href="https://issues.example.com/example_repo/issue/300">#300</a>
577
578 The following example transforms a text starting with either of 'pullrequest',
579 'pull request' or 'PR', followed by an optional space, then a pound character
580 (#) and one or more digits, into a link with the text 'PR #' followed by the
581 digits::
582
583 issue_pat = (pullrequest|pull request|PR) ?#(\d+)
584 issue_server_link = https://issues.example.com/\2
585 issue_sub = PR #\2
586
587 The following example demonstrates how to require whitespace before the issue
588 reference in order for it to be recognized, such that the text ``issue#123`` will
589 not cause a match, but ``issue #123`` will::
590
591 issue_pat = (?:^|(?<=\s))#(\d+)
592 issue_server_link = https://issues.example.com/\1
593 issue_sub =
594
595 If needed, more than one pattern can be specified by appending a unique suffix to
596 the variables. For example, also demonstrating the use of named groups::
597
598 issue_pat_wiki = wiki-(?P<pagename>\S+)
599 issue_server_link_wiki = https://wiki.example.com/\g<pagename>
600 issue_sub_wiki = WIKI-\g<pagename>
601
602 With these settings, wiki pages can be referenced as wiki-some-id, and every
603 such reference will be transformed into:
604
605 .. code-block:: html
606
607 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
608
609 Refer to the `Python regular expression documentation`_ for more details about
610 the supported syntax in ``issue_pat``, ``issue_server_link`` and ``issue_sub``.
611
612
613 Hook management
614 ---------------
615
616 Hooks can be managed in similar way to that used in ``.hgrc`` files.
617 To manage hooks, choose *Admin > Settings > Hooks*.
618
619 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
620
621 To add another custom hook simply fill in the first textbox with
622 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
623 can be found in ``kallithea.lib.hooks``.
624
625
626 Changing default encoding
627 -------------------------
628
629 By default, Kallithea uses UTF-8 encoding.
630 This is configurable as ``default_encoding`` in the .ini file.
631 This affects many parts in Kallithea including user names, filenames, and
632 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
633 library is installed. If ``chardet`` is detected Kallithea will fallback to it
634 when there are encode/decode errors.
635
636 The Mercurial encoding is configurable as ``hgencoding``. It is similar to
637 setting the ``HGENCODING`` environment variable, but will override it.
638
639
640 Celery configuration
641 --------------------
642
643 Kallithea can use the distributed task queue system Celery_ to run tasks like
644 cloning repositories or sending emails.
645
646 Kallithea will in most setups work perfectly fine out of the box (without
647 Celery), executing all tasks in the web server process. Some tasks can however
648 take some time to run and it can be better to run such tasks asynchronously in
649 a separate process so the web server can focus on serving web requests.
650
651 For installation and configuration of Celery, see the `Celery documentation`_.
652 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
653 or Redis_.
654
655 The use of Celery is configured in the Kallithea ini configuration file.
656 To enable it, simply set::
657
658 use_celery = true
659
660 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
661
662 Remember that the ini files use the format with '.' and not with '_' like
663 Celery. So for example setting `BROKER_HOST` in Celery means setting
664 `broker.host` in the configuration file.
665
666 To start the Celery process, run::
667
668 gearbox celeryd -c <configfile.ini>
669
670 Extra options to the Celery worker can be passed after ``--`` - see ``-- -h``
671 for more info.
672
673 .. note::
674 Make sure you run this command from the same virtualenv, and with the same
675 user that Kallithea runs.
676
677
678 HTTPS support
679 -------------
680
681 Kallithea will by default generate URLs based on the WSGI environment.
682
683 Alternatively, you can use some special configuration settings to control
684 directly which scheme/protocol Kallithea will use when generating URLs:
685
686 - With ``https_fixup = true``, the scheme will be taken from the
687 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
688 (default ``http``).
689 - With ``force_https = true`` the default will be ``https``.
690 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
691
692
693 Nginx virtual host example
694 --------------------------
695
696 Sample config for Nginx using proxy:
697
698 .. code-block:: nginx
699
700 upstream kallithea {
701 server 127.0.0.1:5000;
702 # add more instances for load balancing
703 #server 127.0.0.1:5001;
704 #server 127.0.0.1:5002;
705 }
706
707 ## gist alias
708 server {
709 listen 443;
710 server_name gist.example.com;
711 access_log /var/log/nginx/gist.access.log;
712 error_log /var/log/nginx/gist.error.log;
713
714 ssl on;
715 ssl_certificate gist.your.kallithea.server.crt;
716 ssl_certificate_key gist.your.kallithea.server.key;
717
718 ssl_session_timeout 5m;
719
720 ssl_protocols SSLv3 TLSv1;
721 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
722 ssl_prefer_server_ciphers on;
723
724 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
725 rewrite (.*) https://kallithea.example.com/_admin/gists;
726 }
727
728 server {
729 listen 443;
730 server_name kallithea.example.com
731 access_log /var/log/nginx/kallithea.access.log;
732 error_log /var/log/nginx/kallithea.error.log;
733
734 ssl on;
735 ssl_certificate your.kallithea.server.crt;
736 ssl_certificate_key your.kallithea.server.key;
737
738 ssl_session_timeout 5m;
739
740 ssl_protocols SSLv3 TLSv1;
741 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
742 ssl_prefer_server_ciphers on;
743
744 ## uncomment root directive if you want to serve static files by nginx
745 ## requires static_files = false in .ini file
746 #root /srv/kallithea/kallithea/kallithea/public;
747 include /etc/nginx/proxy.conf;
748 location / {
749 try_files $uri @kallithea;
750 }
751
752 location @kallithea {
753 proxy_pass http://127.0.0.1:5000;
754 }
755
756 }
757
758 Here's the proxy.conf. It's tuned so it will not timeout on long
759 pushes or large pushes::
760
761 proxy_redirect off;
762 proxy_set_header Host $host;
763 ## needed for container auth
764 #proxy_set_header REMOTE_USER $remote_user;
765 #proxy_set_header X-Forwarded-User $remote_user;
766 proxy_set_header X-Url-Scheme $scheme;
767 proxy_set_header X-Host $http_host;
768 proxy_set_header X-Real-IP $remote_addr;
769 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
770 proxy_set_header Proxy-host $proxy_host;
771 proxy_buffering off;
772 proxy_connect_timeout 7200;
773 proxy_send_timeout 7200;
774 proxy_read_timeout 7200;
775 proxy_buffers 8 32k;
776 client_max_body_size 1024m;
777 client_body_buffer_size 128k;
778 large_client_header_buffers 8 64k;
779
780
781 Apache virtual host reverse proxy example
782 -----------------------------------------
783
784 Here is a sample configuration file for Apache using proxy:
785
786 .. code-block:: apache
787
788 <VirtualHost *:80>
789 ServerName kallithea.example.com
790
791 <Proxy *>
792 # For Apache 2.4 and later:
793 Require all granted
794
795 # For Apache 2.2 and earlier, instead use:
796 # Order allow,deny
797 # Allow from all
798 </Proxy>
799
800 #important !
801 #Directive to properly generate url (clone url) for Kallithea
802 ProxyPreserveHost On
803
804 #kallithea instance
805 ProxyPass / http://127.0.0.1:5000/
806 ProxyPassReverse / http://127.0.0.1:5000/
807
808 #to enable https use line below
809 #SetEnvIf X-Url-Scheme https HTTPS=1
810 </VirtualHost>
811
812 Additional tutorial
813 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
814
815
816 Apache as subdirectory
817 ----------------------
818
819 Apache subdirectory part:
820
821 .. code-block:: apache
822
823 <Location /PREFIX >
824 ProxyPass http://127.0.0.1:5000/PREFIX
825 ProxyPassReverse http://127.0.0.1:5000/PREFIX
826 SetEnvIf X-Url-Scheme https HTTPS=1
827 </Location>
828
829 Besides the regular apache setup you will need to add the following line
830 into ``[app:main]`` section of your .ini file::
831
832 filter-with = proxy-prefix
833
834 Add the following at the end of the .ini file::
835
836 [filter:proxy-prefix]
837 use = egg:PasteDeploy#prefix
838 prefix = /PREFIX
839
840 then change ``PREFIX`` into your chosen prefix
841
842
843 Apache with mod_wsgi
844 --------------------
845
846 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
847 that, you'll need to:
848
849 - Install mod_wsgi. If using a Debian-based distro, you can install
850 the package libapache2-mod-wsgi::
851
852 aptitude install libapache2-mod-wsgi
853
854 - Enable mod_wsgi::
855
856 a2enmod wsgi
857
858 - Add global Apache configuration to tell mod_wsgi that Python only will be
859 used in the WSGI processes and shouldn't be initialized in the Apache
860 processes::
861
862 WSGIRestrictEmbedded On
863
864 - Create a wsgi dispatch script, like the one below. Make sure you
865 check that the paths correctly point to where you installed Kallithea
866 and its Python Virtual Environment.
867 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
868 as in the following example. Once again, check the paths are
869 correctly specified.
870
871 Here is a sample excerpt from an Apache Virtual Host configuration file:
872
873 .. code-block:: apache
874
875 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
876 python-home=/srv/kallithea/venv
877 WSGIProcessGroup kallithea
878 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
879 WSGIPassAuthorization On
880
881 Or if using a dispatcher WSGI script with proper virtualenv activation:
882
883 .. code-block:: apache
884
885 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
886 WSGIProcessGroup kallithea
887 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
888 WSGIPassAuthorization On
889
890 Apache will by default run as a special Apache user, on Linux systems
891 usually ``www-data`` or ``apache``. If you need to have the repositories
892 directory owned by a different user, use the user and group options to
893 WSGIDaemonProcess to set the name of the user and group.
894
895 Example WSGI dispatch script:
896
897 .. code-block:: python
898
899 import os
900 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
901
902 # sometimes it's needed to set the current dir
903 os.chdir('/srv/kallithea/')
904
905 import site
906 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
907
908 ini = '/srv/kallithea/my.ini'
909 from paste.script.util.logging_config import fileConfig
910 fileConfig(ini)
911 from paste.deploy import loadapp
912 application = loadapp('config:' + ini)
913
914 Or using proper virtualenv activation:
915
916 .. code-block:: python
917
918 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
919 execfile(activate_this, dict(__file__=activate_this))
920
921 import os
922 os.environ['HOME'] = '/srv/kallithea'
923
924 ini = '/srv/kallithea/kallithea.ini'
925 from paste.script.util.logging_config import fileConfig
926 fileConfig(ini)
927 from paste.deploy import loadapp
928 application = loadapp('config:' + ini)
929
930
931 Other configuration files
932 -------------------------
933
934 A number of `example init.d scripts`__ can be found in
935 the ``init.d`` directory of the Kallithea source.
936
937 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
938
939
940 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
941 .. _python: http://www.python.org/
942 .. _Python regular expression documentation: https://docs.python.org/2/library/re.html
943 .. _Mercurial: https://www.mercurial-scm.org/
944 .. _Celery: http://celeryproject.org/
945 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
946 .. _RabbitMQ: http://www.rabbitmq.com/
947 .. _Redis: http://redis.io/
948 .. _python-ldap: http://www.python-ldap.org/
368 .. _python-ldap: http://www.python-ldap.org/
949 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
950 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
Show file before | Show file after | Hide comments
@@ -39,6 +39,7 b' Administrator guide'
39 :maxdepth: 1
39 :maxdepth: 1
40
40
41 setup
41 setup
42 administrator_guide/auth
42 administrator_guide/vcs_setup
43 administrator_guide/vcs_setup
43 usage/email
44 usage/email
44 usage/customization
45 usage/customization
Show file before | Show file after | Hide comments
@@ -171,364 +171,6 b' from index.'
171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
171 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
172 or in the admin panel you can check the "build from scratch" checkbox.
172 or in the admin panel you can check the "build from scratch" checkbox.
173
173
174 .. _ldap-setup:
175
176
177 Setting up LDAP support
178 -----------------------
179
180 Kallithea supports LDAP authentication. In order
181 to use LDAP, you have to install the python-ldap_ package. This package is
182 available via PyPI, so you can install it by running::
183
184 pip install python-ldap
185
186 .. note:: ``python-ldap`` requires some libraries to be installed on
187 your system, so before installing it check that you have at
188 least the ``openldap`` and ``sasl`` libraries.
189
190 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
191 and then *Save*, to enable the LDAP plugin and configure its settings.
192
193 Here's a typical LDAP setup::
194
195 Connection settings
196 Enable LDAP = checked
197 Host = host.example.com
198 Account = <account>
199 Password = <password>
200 Connection Security = LDAPS
201 Certificate Checks = DEMAND
202
203 Search settings
204 Base DN = CN=users,DC=host,DC=example,DC=org
205 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
206 LDAP Search Scope = SUBTREE
207
208 Attribute mappings
209 Login Attribute = uid
210 First Name Attribute = firstName
211 Last Name Attribute = lastName
212 Email Attribute = mail
213
214 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
215
216 Search settings
217 Base DN = DC=host,DC=example,DC=org
218 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
219 LDAP Search Scope = SUBTREE
220
221 .. _enable_ldap:
222
223 Enable LDAP : required
224 Whether to use LDAP for authenticating users.
225
226 .. _ldap_host:
227
228 Host : required
229 LDAP server hostname or IP address. Can be also a comma separated
230 list of servers to support LDAP fail-over.
231
232 .. _Port:
233
234 Port : optional
235 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
236 Defaults to 636 for LDAPS.
237
238 .. _ldap_account:
239
240 Account : optional
241 Only required if the LDAP server does not allow anonymous browsing of
242 records. This should be a special account for record browsing. This
243 will require `LDAP Password`_ below.
244
245 .. _LDAP Password:
246
247 Password : optional
248 Only required if the LDAP server does not allow anonymous browsing of
249 records.
250
251 .. _Enable LDAPS:
252
253 Connection Security : required
254 Defines the connection to LDAP server
255
256 PLAIN
257 Plain unencrypted LDAP connection.
258 This will by default use `Port`_ 389.
259
260 LDAPS
261 Use secure LDAPS connections according to `Certificate
262 Checks`_ configuration.
263 This will by default use `Port`_ 636.
264
265 START_TLS
266 Use START TLS according to `Certificate Checks`_ configuration on an
267 apparently "plain" LDAP connection.
268 This will by default use `Port`_ 389.
269
270 .. _Certificate Checks:
271
272 Certificate Checks : optional
273 How SSL certificates verification is handled -- this is only useful when
274 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
275 with mandatory certificate validation, while the other options are
276 susceptible to man-in-the-middle attacks.
277
278 NEVER
279 A serve certificate will never be requested or checked.
280
281 ALLOW
282 A server certificate is requested. Failure to provide a
283 certificate or providing a bad certificate will not terminate the
284 session.
285
286 TRY
287 A server certificate is requested. Failure to provide a
288 certificate does not halt the session; providing a bad certificate
289 halts the session.
290
291 DEMAND
292 A server certificate is requested and must be provided and
293 authenticated for the session to proceed.
294
295 HARD
296 The same as DEMAND.
297
298 .. _Custom CA Certificates:
299
300 Custom CA Certificates : optional
301 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
302 Python 2.7.10 and later default to using the system certificate store, and
303 this should thus not be necessary when using certificates signed by a CA
304 trusted by the system.
305 It can be set to something like `/etc/openldap/cacerts` on older systems or
306 if using self-signed certificates.
307
308 .. _Base DN:
309
310 Base DN : required
311 The Distinguished Name (DN) where searches for users will be performed.
312 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
313
314 .. _LDAP Filter:
315
316 LDAP Filter : optional
317 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
318 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
319 which LDAP objects are identified as representing Users for
320 authentication. The filter is augmented by `Login Attribute`_ below.
321 This can commonly be left blank.
322
323 .. _LDAP Search Scope:
324
325 LDAP Search Scope : required
326 This limits how far LDAP will search for a matching object.
327
328 BASE
329 Only allows searching of `Base DN`_ and is usually not what you
330 want.
331
332 ONELEVEL
333 Searches all entries under `Base DN`_, but not Base DN itself.
334
335 SUBTREE
336 Searches all entries below `Base DN`_, but not Base DN itself.
337 When using SUBTREE `LDAP Filter`_ is useful to limit object
338 location.
339
340 .. _Login Attribute:
341
342 Login Attribute : required
343 The LDAP record attribute that will be matched as the USERNAME or
344 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
345 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
346 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
347 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
348 ::
349
350 (&(LDAPFILTER)(uid=jsmith))
351
352 .. _ldap_attr_firstname:
353
354 First Name Attribute : required
355 The LDAP record attribute which represents the user's first name.
356
357 .. _ldap_attr_lastname:
358
359 Last Name Attribute : required
360 The LDAP record attribute which represents the user's last name.
361
362 .. _ldap_attr_email:
363
364 Email Attribute : required
365 The LDAP record attribute which represents the user's email address.
366
367 If all data are entered correctly, and python-ldap_ is properly installed
368 users should be granted access to Kallithea with LDAP accounts. At this
369 time user information is copied from LDAP into the Kallithea user database.
370 This means that updates of an LDAP user object may not be reflected as a
371 user update in Kallithea.
372
373 If You have problems with LDAP access and believe You entered correct
374 information check out the Kallithea logs, any error messages sent from LDAP
375 will be saved there.
376
377 Active Directory
378 ^^^^^^^^^^^^^^^^
379
380 Kallithea can use Microsoft Active Directory for user authentication. This
381 is done through an LDAP or LDAPS connection to Active Directory. The
382 following LDAP configuration settings are typical for using Active
383 Directory ::
384
385 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
386 Login Attribute = sAMAccountName
387 First Name Attribute = givenName
388 Last Name Attribute = sn
389 Email Attribute = mail
390
391 All other LDAP settings will likely be site-specific and should be
392 appropriately configured.
393
394
395 Authentication by container or reverse-proxy
396 --------------------------------------------
397
398 Kallithea supports delegating the authentication
399 of users to its WSGI container, or to a reverse-proxy server through which all
400 clients access the application.
401
402 When these authentication methods are enabled in Kallithea, it uses the
403 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
404 perform the authentication itself. The authorization, however, is still done by
405 Kallithea according to its settings.
406
407 When a user logs in for the first time using these authentication methods,
408 a matching user account is created in Kallithea with default permissions. An
409 administrator can then modify it using Kallithea's admin interface.
410
411 It's also possible for an administrator to create accounts and configure their
412 permissions before the user logs in for the first time, using the :ref:`create-user` API.
413
414 Container-based authentication
415 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
416
417 In a container-based authentication setup, Kallithea reads the user name from
418 the ``REMOTE_USER`` server variable provided by the WSGI container.
419
420 After setting up your container (see `Apache with mod_wsgi`_), you'll need
421 to configure it to require authentication on the location configured for
422 Kallithea.
423
424 Proxy pass-through authentication
425 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
426
427 In a proxy pass-through authentication setup, Kallithea reads the user name
428 from the ``X-Forwarded-User`` request header, which should be configured to be
429 sent by the reverse-proxy server.
430
431 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
432 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
433 configure the authentication and add the username in a request header named
434 ``X-Forwarded-User``.
435
436 For example, the following config section for Apache sets a subdirectory in a
437 reverse-proxy setup with basic auth:
438
439 .. code-block:: apache
440
441 <Location /someprefix>
442 ProxyPass http://127.0.0.1:5000/someprefix
443 ProxyPassReverse http://127.0.0.1:5000/someprefix
444 SetEnvIf X-Url-Scheme https HTTPS=1
445
446 AuthType Basic
447 AuthName "Kallithea authentication"
448 AuthUserFile /srv/kallithea/.htpasswd
449 Require valid-user
450
451 RequestHeader unset X-Forwarded-User
452
453 RewriteEngine On
454 RewriteCond %{LA-U:REMOTE_USER} (.+)
455 RewriteRule .* - [E=RU:%1]
456 RequestHeader set X-Forwarded-User %{RU}e
457 </Location>
458
459 Setting metadata in container/reverse-proxy
460 """""""""""""""""""""""""""""""""""""""""""
461 When a new user account is created on the first login, Kallithea has no information about
462 the user's email and full name. So you can set some additional request headers like in the
463 example below. In this example the user is authenticated via Kerberos and an Apache
464 mod_python fixup handler is used to get the user information from a LDAP server. But you
465 could set the request headers however you want.
466
467 .. code-block:: apache
468
469 <Location /someprefix>
470 ProxyPass http://127.0.0.1:5000/someprefix
471 ProxyPassReverse http://127.0.0.1:5000/someprefix
472 SetEnvIf X-Url-Scheme https HTTPS=1
473
474 AuthName "Kerberos Login"
475 AuthType Kerberos
476 Krb5Keytab /etc/apache2/http.keytab
477 KrbMethodK5Passwd off
478 KrbVerifyKDC on
479 Require valid-user
480
481 PythonFixupHandler ldapmetadata
482
483 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
484 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
485 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
486 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
487 </Location>
488
489 .. code-block:: python
490
491 from mod_python import apache
492 import ldap
493
494 LDAP_SERVER = "ldaps://server.mydomain.com:636"
495 LDAP_USER = ""
496 LDAP_PASS = ""
497 LDAP_ROOT = "dc=mydomain,dc=com"
498 LDAP_FILTER = "sAMAccountName=%s"
499 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
500
501 def fixuphandler(req):
502 if req.user is None:
503 # no user to search for
504 return apache.OK
505 else:
506 try:
507 if('\\' in req.user):
508 username = req.user.split('\\')[1]
509 elif('@' in req.user):
510 username = req.user.split('@')[0]
511 else:
512 username = req.user
513 l = ldap.initialize(LDAP_SERVER)
514 l.simple_bind_s(LDAP_USER, LDAP_PASS)
515 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
516
517 req.subprocess_env['X_REMOTE_USER'] = username
518 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
519 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
520 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
521 except Exception, e:
522 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
523
524 return apache.OK
525
526 .. note::
527 If you enable proxy pass-through authentication, make sure your server is
528 only accessible through the proxy. Otherwise, any client would be able to
529 forge the authentication header and could effectively become authenticated
530 using any account of their liking.
531
532
174
533 Integration with issue trackers
175 Integration with issue trackers
534 -------------------------------
176 -------------------------------
@@ -689,6 +331,8 b' directly which scheme/protocol Kallithea'
689 - With ``force_https = true`` the default will be ``https``.
331 - With ``force_https = true`` the default will be ``https``.
690 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
332 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
691
333
334 .. _nginx_virtual_host:
335
692
336
693 Nginx virtual host example
337 Nginx virtual host example
694 --------------------------
338 --------------------------
@@ -777,6 +421,8 b' pushes or large pushes::'
777 client_body_buffer_size 128k;
421 client_body_buffer_size 128k;
778 large_client_header_buffers 8 64k;
422 large_client_header_buffers 8 64k;
779
423
424 .. _apache_virtual_host_reverse_proxy:
425
780
426
781 Apache virtual host reverse proxy example
427 Apache virtual host reverse proxy example
782 -----------------------------------------
428 -----------------------------------------
@@ -812,6 +458,8 b' Here is a sample configuration file for '
812 Additional tutorial
458 Additional tutorial
813 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
459 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
814
460
461 .. _apache_subdirectory:
462
815
463
816 Apache as subdirectory
464 Apache as subdirectory
817 ----------------------
465 ----------------------
@@ -839,6 +487,8 b' Add the following at the end of the .ini'
839
487
840 then change ``PREFIX`` into your chosen prefix
488 then change ``PREFIX`` into your chosen prefix
841
489
490 .. _apache_mod_wsgi:
491
842
492
843 Apache with mod_wsgi
493 Apache with mod_wsgi
844 --------------------
494 --------------------
@@ -945,6 +595,5 b' the ``init.d`` directory of the Kallithe'
945 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
595 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
946 .. _RabbitMQ: http://www.rabbitmq.com/
596 .. _RabbitMQ: http://www.rabbitmq.com/
947 .. _Redis: http://redis.io/
597 .. _Redis: http://redis.io/
948 .. _python-ldap: http://www.python-ldap.org/
949 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
598 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
950 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
599 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
General Comments 0
You need to be logged in to leave comments. Login now