Show More
@@ -1,573 +1,601 b'' | |||||
1 | .. _setup: |
|
1 | .. _setup: | |
2 |
|
2 | |||
3 | Setup |
|
3 | Setup | |
4 | ===== |
|
4 | ===== | |
5 |
|
5 | |||
6 |
|
6 | |||
7 | Setting up RhodeCode |
|
7 | Setting up RhodeCode | |
8 | -------------------- |
|
8 | -------------------- | |
9 |
|
9 | |||
10 | First, you will need to create a RhodeCode configuration file. Run the |
|
10 | First, you will need to create a RhodeCode configuration file. Run the | |
11 | following command to do this:: |
|
11 | following command to do this:: | |
12 |
|
12 | |||
13 | paster make-config RhodeCode production.ini |
|
13 | paster make-config RhodeCode production.ini | |
14 |
|
14 | |||
15 | - This will create the file `production.ini` in the current directory. This |
|
15 | - This will create the file `production.ini` in the current directory. This | |
16 | configuration file contains the various settings for RhodeCode, e.g proxy |
|
16 | configuration file contains the various settings for RhodeCode, e.g proxy | |
17 | port, email settings, usage of static files, cache, celery settings and |
|
17 | port, email settings, usage of static files, cache, celery settings and | |
18 | logging. |
|
18 | logging. | |
19 |
|
19 | |||
20 |
|
20 | |||
21 | Next, you need to create the databases used by RhodeCode. I recommend that you |
|
21 | Next, you need to create the databases used by RhodeCode. I recommend that you | |
22 | use sqlite (default) or postgresql. If you choose a database other than the |
|
22 | use sqlite (default) or postgresql. If you choose a database other than the | |
23 | default ensure you properly adjust the db url in your production.ini |
|
23 | default ensure you properly adjust the db url in your production.ini | |
24 | configuration file to use this other database. Create the databases by running |
|
24 | configuration file to use this other database. Create the databases by running | |
25 | the following command:: |
|
25 | the following command:: | |
26 |
|
26 | |||
27 | paster setup-app production.ini |
|
27 | paster setup-app production.ini | |
28 |
|
28 | |||
29 | This will prompt you for a "root" path. This "root" path is the location where |
|
29 | This will prompt you for a "root" path. This "root" path is the location where | |
30 | RhodeCode will store all of its repositories on the current machine. After |
|
30 | RhodeCode will store all of its repositories on the current machine. After | |
31 | entering this "root" path ``setup-app`` will also prompt you for a username |
|
31 | entering this "root" path ``setup-app`` will also prompt you for a username | |
32 | and password for the initial admin account which ``setup-app`` sets up for you. |
|
32 | and password for the initial admin account which ``setup-app`` sets up for you. | |
33 |
|
33 | |||
34 | - The ``setup-app`` command will create all of the needed tables and an admin |
|
34 | - The ``setup-app`` command will create all of the needed tables and an admin | |
35 | account. When choosing a root path you can either use a new empty location, |
|
35 | account. When choosing a root path you can either use a new empty location, | |
36 | or a location which already contains existing repositories. If you choose a |
|
36 | or a location which already contains existing repositories. If you choose a | |
37 | location which contains existing repositories RhodeCode will simply add all |
|
37 | location which contains existing repositories RhodeCode will simply add all | |
38 | of the repositories at the chosen location to it's database. (Note: make |
|
38 | of the repositories at the chosen location to it's database. (Note: make | |
39 | sure you specify the correct path to the root). |
|
39 | sure you specify the correct path to the root). | |
40 | - Note: the given path for mercurial_ repositories **must** be write accessible |
|
40 | - Note: the given path for mercurial_ repositories **must** be write accessible | |
41 | for the application. It's very important since the RhodeCode web interface |
|
41 | for the application. It's very important since the RhodeCode web interface | |
42 | will work without write access, but when trying to do a push it will |
|
42 | will work without write access, but when trying to do a push it will | |
43 | eventually fail with permission denied errors unless it has write access. |
|
43 | eventually fail with permission denied errors unless it has write access. | |
44 |
|
44 | |||
45 | You are now ready to use RhodeCode, to run it simply execute:: |
|
45 | You are now ready to use RhodeCode, to run it simply execute:: | |
46 |
|
46 | |||
47 | paster serve production.ini |
|
47 | paster serve production.ini | |
48 |
|
48 | |||
49 | - This command runs the RhodeCode server. The web app should be available at the |
|
49 | - This command runs the RhodeCode server. The web app should be available at the | |
50 | 127.0.0.1:5000. This ip and port is configurable via the production.ini |
|
50 | 127.0.0.1:5000. This ip and port is configurable via the production.ini | |
51 | file created in previous step |
|
51 | file created in previous step | |
52 | - Use the admin account you created above when running ``setup-app`` to login |
|
52 | - Use the admin account you created above when running ``setup-app`` to login | |
53 | to the web app. |
|
53 | to the web app. | |
54 | - The default permissions on each repository is read, and the owner is admin. |
|
54 | - The default permissions on each repository is read, and the owner is admin. | |
55 | Remember to update these if needed. |
|
55 | Remember to update these if needed. | |
56 | - In the admin panel you can toggle ldap, anonymous, permissions settings. As |
|
56 | - In the admin panel you can toggle ldap, anonymous, permissions settings. As | |
57 | well as edit more advanced options on users and repositories |
|
57 | well as edit more advanced options on users and repositories | |
58 |
|
58 | |||
59 | Try copying your own mercurial repository into the "root" directory you are |
|
59 | Try copying your own mercurial repository into the "root" directory you are | |
60 | using, then from within the RhodeCode web application choose Admin > |
|
60 | using, then from within the RhodeCode web application choose Admin > | |
61 | repositories. Then choose Add New Repository. Add the repository you copied |
|
61 | repositories. Then choose Add New Repository. Add the repository you copied | |
62 | into the root. Test that you can browse your repository from within RhodeCode |
|
62 | into the root. Test that you can browse your repository from within RhodeCode | |
63 | and then try cloning your repository from RhodeCode with:: |
|
63 | and then try cloning your repository from RhodeCode with:: | |
64 |
|
64 | |||
65 | hg clone http://127.0.0.1:5000/<repository name> |
|
65 | hg clone http://127.0.0.1:5000/<repository name> | |
66 |
|
66 | |||
67 | where *repository name* is replaced by the name of your repository. |
|
67 | where *repository name* is replaced by the name of your repository. | |
68 |
|
68 | |||
69 | Using RhodeCode with SSH |
|
69 | Using RhodeCode with SSH | |
70 | ------------------------ |
|
70 | ------------------------ | |
71 |
|
71 | |||
72 | RhodeCode currently only hosts repositories using http and https. (The addition |
|
72 | RhodeCode currently only hosts repositories using http and https. (The addition | |
73 | of ssh hosting is a planned future feature.) However you can easily use ssh in |
|
73 | of ssh hosting is a planned future feature.) However you can easily use ssh in | |
74 | parallel with RhodeCode. (Repository access via ssh is a standard "out of |
|
74 | parallel with RhodeCode. (Repository access via ssh is a standard "out of | |
75 | the box" feature of mercurial_ and you can use this to access any of the |
|
75 | the box" feature of mercurial_ and you can use this to access any of the | |
76 | repositories that RhodeCode is hosting. See PublishingRepositories_) |
|
76 | repositories that RhodeCode is hosting. See PublishingRepositories_) | |
77 |
|
77 | |||
78 | RhodeCode repository structures are kept in directories with the same name |
|
78 | RhodeCode repository structures are kept in directories with the same name | |
79 | as the project. When using repository groups, each group is a subdirectory. |
|
79 | as the project. When using repository groups, each group is a subdirectory. | |
80 | This allows you to easily use ssh for accessing repositories. |
|
80 | This allows you to easily use ssh for accessing repositories. | |
81 |
|
81 | |||
82 | In order to use ssh you need to make sure that your web-server and the users |
|
82 | In order to use ssh you need to make sure that your web-server and the users | |
83 | login accounts have the correct permissions set on the appropriate directories. |
|
83 | login accounts have the correct permissions set on the appropriate directories. | |
84 | (Note that these permissions are independent of any permissions you have set up |
|
84 | (Note that these permissions are independent of any permissions you have set up | |
85 | using the RhodeCode web interface.) |
|
85 | using the RhodeCode web interface.) | |
86 |
|
86 | |||
87 | If your main directory (the same as set in RhodeCode settings) is for example |
|
87 | If your main directory (the same as set in RhodeCode settings) is for example | |
88 | set to **/home/hg** and the repository you are using is named `rhodecode`, then |
|
88 | set to **/home/hg** and the repository you are using is named `rhodecode`, then | |
89 | to clone via ssh you should run:: |
|
89 | to clone via ssh you should run:: | |
90 |
|
90 | |||
91 | hg clone ssh://user@server.com/home/hg/rhodecode |
|
91 | hg clone ssh://user@server.com/home/hg/rhodecode | |
92 |
|
92 | |||
93 | Using other external tools such as mercurial-server_ or using ssh key based |
|
93 | Using other external tools such as mercurial-server_ or using ssh key based | |
94 | authentication is fully supported. |
|
94 | authentication is fully supported. | |
95 |
|
95 | |||
96 | Note: In an advanced setup, in order for your ssh access to use the same |
|
96 | Note: In an advanced setup, in order for your ssh access to use the same | |
97 | permissions as set up via the RhodeCode web interface, you can create an |
|
97 | permissions as set up via the RhodeCode web interface, you can create an | |
98 | authentication hook to connect to the rhodecode db and runs check functions for |
|
98 | authentication hook to connect to the rhodecode db and runs check functions for | |
99 | permissions against that. |
|
99 | permissions against that. | |
100 |
|
100 | |||
101 | Setting up Whoosh full text search |
|
101 | Setting up Whoosh full text search | |
102 | ---------------------------------- |
|
102 | ---------------------------------- | |
103 |
|
103 | |||
104 | Starting from version 1.1 the whoosh index can be build by using the paster |
|
104 | Starting from version 1.1 the whoosh index can be build by using the paster | |
105 | command ``make-index``. To use ``make-index`` you must specify the configuration |
|
105 | command ``make-index``. To use ``make-index`` you must specify the configuration | |
106 | file that stores the location of the index. You may specify the location of the |
|
106 | file that stores the location of the index. You may specify the location of the | |
107 | repositories (`--repo-location`). If not specified, this value is retrieved |
|
107 | repositories (`--repo-location`). If not specified, this value is retrieved | |
108 | from the RhodeCode database. This was required prior to 1.2. Starting from |
|
108 | from the RhodeCode database. This was required prior to 1.2. Starting from | |
109 | version 1.2 it is also possible to specify a comma separated list of |
|
109 | version 1.2 it is also possible to specify a comma separated list of | |
110 | repositories (`--index-only`) to build index only on chooses repositories |
|
110 | repositories (`--index-only`) to build index only on chooses repositories | |
111 | skipping any other found in repos location |
|
111 | skipping any other found in repos location | |
112 |
|
112 | |||
113 | You may optionally pass the option `-f` to enable a full index rebuild. Without |
|
113 | You may optionally pass the option `-f` to enable a full index rebuild. Without | |
114 | the `-f` option, indexing will run always in "incremental" mode. |
|
114 | the `-f` option, indexing will run always in "incremental" mode. | |
115 |
|
115 | |||
116 | For an incremental index build use:: |
|
116 | For an incremental index build use:: | |
117 |
|
117 | |||
118 | paster make-index production.ini |
|
118 | paster make-index production.ini | |
119 |
|
119 | |||
120 | For a full index rebuild use:: |
|
120 | For a full index rebuild use:: | |
121 |
|
121 | |||
122 | paster make-index production.ini -f |
|
122 | paster make-index production.ini -f | |
123 |
|
123 | |||
124 |
|
124 | |||
125 | building index just for chosen repositories is possible with such command:: |
|
125 | building index just for chosen repositories is possible with such command:: | |
126 |
|
126 | |||
127 | paster make-index production.ini --index-only=vcs,rhodecode |
|
127 | paster make-index production.ini --index-only=vcs,rhodecode | |
128 |
|
128 | |||
129 |
|
129 | |||
130 | In order to do periodical index builds and keep your index always up to date. |
|
130 | In order to do periodical index builds and keep your index always up to date. | |
131 | It's recommended to do a crontab entry for incremental indexing. |
|
131 | It's recommended to do a crontab entry for incremental indexing. | |
132 | An example entry might look like this:: |
|
132 | An example entry might look like this:: | |
133 |
|
133 | |||
134 | /path/to/python/bin/paster make-index /path/to/rhodecode/production.ini |
|
134 | /path/to/python/bin/paster make-index /path/to/rhodecode/production.ini | |
135 |
|
135 | |||
136 | When using incremental mode (the default) whoosh will check the last |
|
136 | When using incremental mode (the default) whoosh will check the last | |
137 | modification date of each file and add it to be reindexed if a newer file is |
|
137 | modification date of each file and add it to be reindexed if a newer file is | |
138 | available. The indexing daemon checks for any removed files and removes them |
|
138 | available. The indexing daemon checks for any removed files and removes them | |
139 | from index. |
|
139 | from index. | |
140 |
|
140 | |||
141 | If you want to rebuild index from scratch, you can use the `-f` flag as above, |
|
141 | If you want to rebuild index from scratch, you can use the `-f` flag as above, | |
142 | or in the admin panel you can check `build from scratch` flag. |
|
142 | or in the admin panel you can check `build from scratch` flag. | |
143 |
|
143 | |||
144 |
|
144 | |||
145 | Setting up LDAP support |
|
145 | Setting up LDAP support | |
146 | ----------------------- |
|
146 | ----------------------- | |
147 |
|
147 | |||
148 | RhodeCode starting from version 1.1 supports ldap authentication. In order |
|
148 | RhodeCode starting from version 1.1 supports ldap authentication. In order | |
149 | to use LDAP, you have to install the python-ldap_ package. This package is |
|
149 | to use LDAP, you have to install the python-ldap_ package. This package is | |
150 | available via pypi, so you can install it by running |
|
150 | available via pypi, so you can install it by running | |
151 |
|
151 | |||
152 | using easy_install:: |
|
152 | using easy_install:: | |
153 |
|
153 | |||
154 | easy_install python-ldap |
|
154 | easy_install python-ldap | |
155 |
|
155 | |||
156 | using pip:: |
|
156 | using pip:: | |
157 |
|
157 | |||
158 | pip install python-ldap |
|
158 | pip install python-ldap | |
159 |
|
159 | |||
160 | .. note:: |
|
160 | .. note:: | |
161 | python-ldap requires some certain libs on your system, so before installing |
|
161 | python-ldap requires some certain libs on your system, so before installing | |
162 | it check that you have at least `openldap`, and `sasl` libraries. |
|
162 | it check that you have at least `openldap`, and `sasl` libraries. | |
163 |
|
163 | |||
164 | LDAP settings are located in admin->ldap section, |
|
164 | LDAP settings are located in admin->ldap section, | |
165 |
|
165 | |||
166 | Here's a typical ldap setup:: |
|
166 | Here's a typical ldap setup:: | |
167 |
|
167 | |||
168 | Connection settings |
|
168 | Connection settings | |
169 | Enable LDAP = checked |
|
169 | Enable LDAP = checked | |
170 | Host = host.example.org |
|
170 | Host = host.example.org | |
171 | Port = 389 |
|
171 | Port = 389 | |
172 | Account = <account> |
|
172 | Account = <account> | |
173 | Password = <password> |
|
173 | Password = <password> | |
174 | Connection Security = LDAPS connection |
|
174 | Connection Security = LDAPS connection | |
175 | Certificate Checks = DEMAND |
|
175 | Certificate Checks = DEMAND | |
176 |
|
176 | |||
177 | Search settings |
|
177 | Search settings | |
178 | Base DN = CN=users,DC=host,DC=example,DC=org |
|
178 | Base DN = CN=users,DC=host,DC=example,DC=org | |
179 | LDAP Filter = (&(objectClass=user)(!(objectClass=computer))) |
|
179 | LDAP Filter = (&(objectClass=user)(!(objectClass=computer))) | |
180 | LDAP Search Scope = SUBTREE |
|
180 | LDAP Search Scope = SUBTREE | |
181 |
|
181 | |||
182 | Attribute mappings |
|
182 | Attribute mappings | |
183 | Login Attribute = uid |
|
183 | Login Attribute = uid | |
184 | First Name Attribute = firstName |
|
184 | First Name Attribute = firstName | |
185 | Last Name Attribute = lastName |
|
185 | Last Name Attribute = lastName | |
186 | E-mail Attribute = mail |
|
186 | E-mail Attribute = mail | |
187 |
|
187 | |||
188 | .. _enable_ldap: |
|
188 | .. _enable_ldap: | |
189 |
|
189 | |||
190 | Enable LDAP : required |
|
190 | Enable LDAP : required | |
191 | Whether to use LDAP for authenticating users. |
|
191 | Whether to use LDAP for authenticating users. | |
192 |
|
192 | |||
193 | .. _ldap_host: |
|
193 | .. _ldap_host: | |
194 |
|
194 | |||
195 | Host : required |
|
195 | Host : required | |
196 | LDAP server hostname or IP address. |
|
196 | LDAP server hostname or IP address. | |
197 |
|
197 | |||
198 | .. _Port: |
|
198 | .. _Port: | |
199 |
|
199 | |||
200 | Port : required |
|
200 | Port : required | |
201 | 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP. |
|
201 | 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP. | |
202 |
|
202 | |||
203 | .. _ldap_account: |
|
203 | .. _ldap_account: | |
204 |
|
204 | |||
205 | Account : optional |
|
205 | Account : optional | |
206 | Only required if the LDAP server does not allow anonymous browsing of |
|
206 | Only required if the LDAP server does not allow anonymous browsing of | |
207 | records. This should be a special account for record browsing. This |
|
207 | records. This should be a special account for record browsing. This | |
208 | will require `LDAP Password`_ below. |
|
208 | will require `LDAP Password`_ below. | |
209 |
|
209 | |||
210 | .. _LDAP Password: |
|
210 | .. _LDAP Password: | |
211 |
|
211 | |||
212 | Password : optional |
|
212 | Password : optional | |
213 | Only required if the LDAP server does not allow anonymous browsing of |
|
213 | Only required if the LDAP server does not allow anonymous browsing of | |
214 | records. |
|
214 | records. | |
215 |
|
215 | |||
216 | .. _Enable LDAPS: |
|
216 | .. _Enable LDAPS: | |
217 |
|
217 | |||
218 | Connection Security : required |
|
218 | Connection Security : required | |
219 | Defines the connection to LDAP server |
|
219 | Defines the connection to LDAP server | |
220 |
|
220 | |||
221 | No encryption |
|
221 | No encryption | |
222 | Plain non encrypted connection |
|
222 | Plain non encrypted connection | |
223 |
|
223 | |||
224 | LDAPS connection |
|
224 | LDAPS connection | |
225 | Enable ldaps connection. It will likely require `Port`_ to be set to |
|
225 | Enable ldaps connection. It will likely require `Port`_ to be set to | |
226 | a different value (standard LDAPS port is 636). When LDAPS is enabled |
|
226 | a different value (standard LDAPS port is 636). When LDAPS is enabled | |
227 | then `Certificate Checks`_ is required. |
|
227 | then `Certificate Checks`_ is required. | |
228 |
|
228 | |||
229 | START_TLS on LDAP connection |
|
229 | START_TLS on LDAP connection | |
230 | START TLS connection |
|
230 | START TLS connection | |
231 |
|
231 | |||
232 | .. _Certificate Checks: |
|
232 | .. _Certificate Checks: | |
233 |
|
233 | |||
234 | Certificate Checks : optional |
|
234 | Certificate Checks : optional | |
235 | How SSL certificates verification is handled - this is only useful when |
|
235 | How SSL certificates verification is handled - this is only useful when | |
236 | `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security |
|
236 | `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security | |
237 | while the other options are susceptible to man-in-the-middle attacks. SSL |
|
237 | while the other options are susceptible to man-in-the-middle attacks. SSL | |
238 | certificates can be installed to /etc/openldap/cacerts so that the |
|
238 | certificates can be installed to /etc/openldap/cacerts so that the | |
239 | DEMAND or HARD options can be used with self-signed certificates or |
|
239 | DEMAND or HARD options can be used with self-signed certificates or | |
240 | certificates that do not have traceable certificates of authority. |
|
240 | certificates that do not have traceable certificates of authority. | |
241 |
|
241 | |||
242 | NEVER |
|
242 | NEVER | |
243 | A serve certificate will never be requested or checked. |
|
243 | A serve certificate will never be requested or checked. | |
244 |
|
244 | |||
245 | ALLOW |
|
245 | ALLOW | |
246 | A server certificate is requested. Failure to provide a |
|
246 | A server certificate is requested. Failure to provide a | |
247 | certificate or providing a bad certificate will not terminate the |
|
247 | certificate or providing a bad certificate will not terminate the | |
248 | session. |
|
248 | session. | |
249 |
|
249 | |||
250 | TRY |
|
250 | TRY | |
251 | A server certificate is requested. Failure to provide a |
|
251 | A server certificate is requested. Failure to provide a | |
252 | certificate does not halt the session; providing a bad certificate |
|
252 | certificate does not halt the session; providing a bad certificate | |
253 | halts the session. |
|
253 | halts the session. | |
254 |
|
254 | |||
255 | DEMAND |
|
255 | DEMAND | |
256 | A server certificate is requested and must be provided and |
|
256 | A server certificate is requested and must be provided and | |
257 | authenticated for the session to proceed. |
|
257 | authenticated for the session to proceed. | |
258 |
|
258 | |||
259 | HARD |
|
259 | HARD | |
260 | The same as DEMAND. |
|
260 | The same as DEMAND. | |
261 |
|
261 | |||
262 | .. _Base DN: |
|
262 | .. _Base DN: | |
263 |
|
263 | |||
264 | Base DN : required |
|
264 | Base DN : required | |
265 | The Distinguished Name (DN) where searches for users will be performed. |
|
265 | The Distinguished Name (DN) where searches for users will be performed. | |
266 | Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_. |
|
266 | Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_. | |
267 |
|
267 | |||
268 | .. _LDAP Filter: |
|
268 | .. _LDAP Filter: | |
269 |
|
269 | |||
270 | LDAP Filter : optional |
|
270 | LDAP Filter : optional | |
271 | A LDAP filter defined by RFC 2254. This is more useful when `LDAP |
|
271 | A LDAP filter defined by RFC 2254. This is more useful when `LDAP | |
272 | Search Scope`_ is set to SUBTREE. The filter is useful for limiting |
|
272 | Search Scope`_ is set to SUBTREE. The filter is useful for limiting | |
273 | which LDAP objects are identified as representing Users for |
|
273 | which LDAP objects are identified as representing Users for | |
274 | authentication. The filter is augmented by `Login Attribute`_ below. |
|
274 | authentication. The filter is augmented by `Login Attribute`_ below. | |
275 | This can commonly be left blank. |
|
275 | This can commonly be left blank. | |
276 |
|
276 | |||
277 | .. _LDAP Search Scope: |
|
277 | .. _LDAP Search Scope: | |
278 |
|
278 | |||
279 | LDAP Search Scope : required |
|
279 | LDAP Search Scope : required | |
280 | This limits how far LDAP will search for a matching object. |
|
280 | This limits how far LDAP will search for a matching object. | |
281 |
|
281 | |||
282 | BASE |
|
282 | BASE | |
283 | Only allows searching of `Base DN`_ and is usually not what you |
|
283 | Only allows searching of `Base DN`_ and is usually not what you | |
284 | want. |
|
284 | want. | |
285 |
|
285 | |||
286 | ONELEVEL |
|
286 | ONELEVEL | |
287 | Searches all entries under `Base DN`_, but not Base DN itself. |
|
287 | Searches all entries under `Base DN`_, but not Base DN itself. | |
288 |
|
288 | |||
289 | SUBTREE |
|
289 | SUBTREE | |
290 | Searches all entries below `Base DN`_, but not Base DN itself. |
|
290 | Searches all entries below `Base DN`_, but not Base DN itself. | |
291 | When using SUBTREE `LDAP Filter`_ is useful to limit object |
|
291 | When using SUBTREE `LDAP Filter`_ is useful to limit object | |
292 | location. |
|
292 | location. | |
293 |
|
293 | |||
294 | .. _Login Attribute: |
|
294 | .. _Login Attribute: | |
295 |
|
295 | |||
296 | Login Attribute : required |
|
296 | Login Attribute : required | |
297 | The LDAP record attribute that will be matched as the USERNAME or |
|
297 | The LDAP record attribute that will be matched as the USERNAME or | |
298 | ACCOUNT used to connect to RhodeCode. This will be added to `LDAP |
|
298 | ACCOUNT used to connect to RhodeCode. This will be added to `LDAP | |
299 | Filter`_ for locating the User object. If `LDAP Filter`_ is specified as |
|
299 | Filter`_ for locating the User object. If `LDAP Filter`_ is specified as | |
300 | "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has |
|
300 | "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has | |
301 | connected as "jsmith" then the `LDAP Filter`_ will be augmented as below |
|
301 | connected as "jsmith" then the `LDAP Filter`_ will be augmented as below | |
302 | :: |
|
302 | :: | |
303 |
|
303 | |||
304 | (&(LDAPFILTER)(uid=jsmith)) |
|
304 | (&(LDAPFILTER)(uid=jsmith)) | |
305 |
|
305 | |||
306 | .. _ldap_attr_firstname: |
|
306 | .. _ldap_attr_firstname: | |
307 |
|
307 | |||
308 | First Name Attribute : required |
|
308 | First Name Attribute : required | |
309 | The LDAP record attribute which represents the user's first name. |
|
309 | The LDAP record attribute which represents the user's first name. | |
310 |
|
310 | |||
311 | .. _ldap_attr_lastname: |
|
311 | .. _ldap_attr_lastname: | |
312 |
|
312 | |||
313 | Last Name Attribute : required |
|
313 | Last Name Attribute : required | |
314 | The LDAP record attribute which represents the user's last name. |
|
314 | The LDAP record attribute which represents the user's last name. | |
315 |
|
315 | |||
316 | .. _ldap_attr_email: |
|
316 | .. _ldap_attr_email: | |
317 |
|
317 | |||
318 | Email Attribute : required |
|
318 | Email Attribute : required | |
319 | The LDAP record attribute which represents the user's email address. |
|
319 | The LDAP record attribute which represents the user's email address. | |
320 |
|
320 | |||
321 | If all data are entered correctly, and python-ldap_ is properly installed |
|
321 | If all data are entered correctly, and python-ldap_ is properly installed | |
322 | users should be granted access to RhodeCode with ldap accounts. At this |
|
322 | users should be granted access to RhodeCode with ldap accounts. At this | |
323 | time user information is copied from LDAP into the RhodeCode user database. |
|
323 | time user information is copied from LDAP into the RhodeCode user database. | |
324 | This means that updates of an LDAP user object may not be reflected as a |
|
324 | This means that updates of an LDAP user object may not be reflected as a | |
325 | user update in RhodeCode. |
|
325 | user update in RhodeCode. | |
326 |
|
326 | |||
327 | If You have problems with LDAP access and believe You entered correct |
|
327 | If You have problems with LDAP access and believe You entered correct | |
328 | information check out the RhodeCode logs, any error messages sent from LDAP |
|
328 | information check out the RhodeCode logs, any error messages sent from LDAP | |
329 | will be saved there. |
|
329 | will be saved there. | |
330 |
|
330 | |||
331 | Active Directory |
|
331 | Active Directory | |
332 | '''''''''''''''' |
|
332 | '''''''''''''''' | |
333 |
|
333 | |||
334 | RhodeCode can use Microsoft Active Directory for user authentication. This |
|
334 | RhodeCode can use Microsoft Active Directory for user authentication. This | |
335 | is done through an LDAP or LDAPS connection to Active Directory. The |
|
335 | is done through an LDAP or LDAPS connection to Active Directory. The | |
336 | following LDAP configuration settings are typical for using Active |
|
336 | following LDAP configuration settings are typical for using Active | |
337 | Directory :: |
|
337 | Directory :: | |
338 |
|
338 | |||
339 | Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local |
|
339 | Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local | |
340 | Login Attribute = sAMAccountName |
|
340 | Login Attribute = sAMAccountName | |
341 | First Name Attribute = givenName |
|
341 | First Name Attribute = givenName | |
342 | Last Name Attribute = sn |
|
342 | Last Name Attribute = sn | |
343 | E-mail Attribute = mail |
|
343 | E-mail Attribute = mail | |
344 |
|
344 | |||
345 | All other LDAP settings will likely be site-specific and should be |
|
345 | All other LDAP settings will likely be site-specific and should be | |
346 | appropriately configured. |
|
346 | appropriately configured. | |
347 |
|
347 | |||
348 |
|
348 | |||
349 |
|
349 | |||
350 | Hook management |
|
350 | Hook management | |
351 | --------------- |
|
351 | --------------- | |
352 |
|
352 | |||
353 | Hooks can be managed in similar way to this used in .hgrc files. |
|
353 | Hooks can be managed in similar way to this used in .hgrc files. | |
354 | To access hooks setting click `advanced setup` on Hooks section of Mercurial |
|
354 | To access hooks setting click `advanced setup` on Hooks section of Mercurial | |
355 | Settings in Admin. |
|
355 | Settings in Admin. | |
356 |
|
356 | |||
357 | There are 4 built in hooks that cannot be changed (only enable/disable by |
|
357 | There are 4 built in hooks that cannot be changed (only enable/disable by | |
358 | checkboxes on previos section). |
|
358 | checkboxes on previos section). | |
359 | To add another custom hook simply fill in first section with |
|
359 | To add another custom hook simply fill in first section with | |
360 | <name>.<hook_type> and the second one with hook path. Example hooks |
|
360 | <name>.<hook_type> and the second one with hook path. Example hooks | |
361 | can be found at *rhodecode.lib.hooks*. |
|
361 | can be found at *rhodecode.lib.hooks*. | |
362 |
|
362 | |||
363 |
|
363 | |||
364 | Setting Up Celery |
|
364 | Setting Up Celery | |
365 | ----------------- |
|
365 | ----------------- | |
366 |
|
366 | |||
367 | Since version 1.1 celery is configured by the rhodecode ini configuration files. |
|
367 | Since version 1.1 celery is configured by the rhodecode ini configuration files. | |
368 | Simply set use_celery=true in the ini file then add / change the configuration |
|
368 | Simply set use_celery=true in the ini file then add / change the configuration | |
369 | variables inside the ini file. |
|
369 | variables inside the ini file. | |
370 |
|
370 | |||
371 | Remember that the ini files use the format with '.' not with '_' like celery. |
|
371 | Remember that the ini files use the format with '.' not with '_' like celery. | |
372 | So for example setting `BROKER_HOST` in celery means setting `broker.host` in |
|
372 | So for example setting `BROKER_HOST` in celery means setting `broker.host` in | |
373 | the config file. |
|
373 | the config file. | |
374 |
|
374 | |||
375 | In order to start using celery run:: |
|
375 | In order to start using celery run:: | |
376 |
|
376 | |||
377 | paster celeryd <configfile.ini> |
|
377 | paster celeryd <configfile.ini> | |
378 |
|
378 | |||
379 |
|
379 | |||
380 | .. note:: |
|
380 | .. note:: | |
381 | Make sure you run this command from the same virtualenv, and with the same |
|
381 | Make sure you run this command from the same virtualenv, and with the same | |
382 | user that rhodecode runs. |
|
382 | user that rhodecode runs. | |
383 |
|
383 | |||
384 | HTTPS support |
|
384 | HTTPS support | |
385 | ------------- |
|
385 | ------------- | |
386 |
|
386 | |||
387 | There are two ways to enable https: |
|
387 | There are two ways to enable https: | |
388 |
|
388 | |||
389 | - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will |
|
389 | - Set HTTP_X_URL_SCHEME in your http server headers, than rhodecode will | |
390 | recognize this headers and make proper https redirections |
|
390 | recognize this headers and make proper https redirections | |
391 | - Alternatively, change the `force_https = true` flag in the ini configuration |
|
391 | - Alternatively, change the `force_https = true` flag in the ini configuration | |
392 | to force using https, no headers are needed than to enable https |
|
392 | to force using https, no headers are needed than to enable https | |
393 |
|
393 | |||
394 |
|
394 | |||
395 | Nginx virtual host example |
|
395 | Nginx virtual host example | |
396 | -------------------------- |
|
396 | -------------------------- | |
397 |
|
397 | |||
398 | Sample config for nginx using proxy:: |
|
398 | Sample config for nginx using proxy:: | |
399 |
|
399 | |||
400 | server { |
|
400 | server { | |
401 | listen 80; |
|
401 | listen 80; | |
402 | server_name hg.myserver.com; |
|
402 | server_name hg.myserver.com; | |
403 | access_log /var/log/nginx/rhodecode.access.log; |
|
403 | access_log /var/log/nginx/rhodecode.access.log; | |
404 | error_log /var/log/nginx/rhodecode.error.log; |
|
404 | error_log /var/log/nginx/rhodecode.error.log; | |
405 | location / { |
|
405 | location / { | |
406 | root /var/www/rhodecode/rhodecode/public/; |
|
406 | root /var/www/rhodecode/rhodecode/public/; | |
407 | if (!-f $request_filename){ |
|
407 | if (!-f $request_filename){ | |
408 | proxy_pass http://127.0.0.1:5000; |
|
408 | proxy_pass http://127.0.0.1:5000; | |
409 | } |
|
409 | } | |
410 | #this is important if you want to use https !!! |
|
410 | #this is important if you want to use https !!! | |
411 | proxy_set_header X-Url-Scheme $scheme; |
|
411 | proxy_set_header X-Url-Scheme $scheme; | |
412 | include /etc/nginx/proxy.conf; |
|
412 | include /etc/nginx/proxy.conf; | |
413 | } |
|
413 | } | |
414 | } |
|
414 | } | |
415 |
|
415 | |||
416 | Here's the proxy.conf. It's tuned so it will not timeout on long |
|
416 | Here's the proxy.conf. It's tuned so it will not timeout on long | |
417 | pushes or large pushes:: |
|
417 | pushes or large pushes:: | |
418 |
|
418 | |||
419 | proxy_redirect off; |
|
419 | proxy_redirect off; | |
420 | proxy_set_header Host $host; |
|
420 | proxy_set_header Host $host; | |
421 | proxy_set_header X-Host $http_host; |
|
421 | proxy_set_header X-Host $http_host; | |
422 | proxy_set_header X-Real-IP $remote_addr; |
|
422 | proxy_set_header X-Real-IP $remote_addr; | |
423 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
423 | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
424 | proxy_set_header Proxy-host $proxy_host; |
|
424 | proxy_set_header Proxy-host $proxy_host; | |
425 | client_max_body_size 400m; |
|
425 | client_max_body_size 400m; | |
426 | client_body_buffer_size 128k; |
|
426 | client_body_buffer_size 128k; | |
427 | proxy_buffering off; |
|
427 | proxy_buffering off; | |
428 | proxy_connect_timeout 7200; |
|
428 | proxy_connect_timeout 7200; | |
429 | proxy_send_timeout 7200; |
|
429 | proxy_send_timeout 7200; | |
430 | proxy_read_timeout 7200; |
|
430 | proxy_read_timeout 7200; | |
431 | proxy_buffers 8 32k; |
|
431 | proxy_buffers 8 32k; | |
432 |
|
432 | |||
433 | Also, when using root path with nginx you might set the static files to false |
|
433 | Also, when using root path with nginx you might set the static files to false | |
434 | in the production.ini file:: |
|
434 | in the production.ini file:: | |
435 |
|
435 | |||
436 | [app:main] |
|
436 | [app:main] | |
437 | use = egg:rhodecode |
|
437 | use = egg:rhodecode | |
438 | full_stack = true |
|
438 | full_stack = true | |
439 | static_files = false |
|
439 | static_files = false | |
440 | lang=en |
|
440 | lang=en | |
441 | cache_dir = %(here)s/data |
|
441 | cache_dir = %(here)s/data | |
442 |
|
442 | |||
443 | In order to not have the statics served by the application. This improves speed. |
|
443 | In order to not have the statics served by the application. This improves speed. | |
444 |
|
444 | |||
445 |
|
445 | |||
446 | Apache virtual host example |
|
446 | Apache virtual host reverse proxy example | |
447 | --------------------------- |
|
447 | ----------------------------------------- | |
448 |
|
448 | |||
449 | Here is a sample configuration file for apache using proxy:: |
|
449 | Here is a sample configuration file for apache using proxy:: | |
450 |
|
450 | |||
451 | <VirtualHost *:80> |
|
451 | <VirtualHost *:80> | |
452 | ServerName hg.myserver.com |
|
452 | ServerName hg.myserver.com | |
453 | ServerAlias hg.myserver.com |
|
453 | ServerAlias hg.myserver.com | |
454 |
|
454 | |||
455 | <Proxy *> |
|
455 | <Proxy *> | |
456 | Order allow,deny |
|
456 | Order allow,deny | |
457 | Allow from all |
|
457 | Allow from all | |
458 | </Proxy> |
|
458 | </Proxy> | |
459 |
|
459 | |||
460 | #important ! |
|
460 | #important ! | |
461 | #Directive to properly generate url (clone url) for pylons |
|
461 | #Directive to properly generate url (clone url) for pylons | |
462 | ProxyPreserveHost On |
|
462 | ProxyPreserveHost On | |
463 |
|
463 | |||
464 | #rhodecode instance |
|
464 | #rhodecode instance | |
465 | ProxyPass / http://127.0.0.1:5000/ |
|
465 | ProxyPass / http://127.0.0.1:5000/ | |
466 | ProxyPassReverse / http://127.0.0.1:5000/ |
|
466 | ProxyPassReverse / http://127.0.0.1:5000/ | |
467 |
|
467 | |||
468 | #to enable https use line below |
|
468 | #to enable https use line below | |
469 | #SetEnvIf X-Url-Scheme https HTTPS=1 |
|
469 | #SetEnvIf X-Url-Scheme https HTTPS=1 | |
470 |
|
470 | |||
471 | </VirtualHost> |
|
471 | </VirtualHost> | |
472 |
|
472 | |||
473 |
|
473 | |||
474 | Additional tutorial |
|
474 | Additional tutorial | |
475 | http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons |
|
475 | http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons | |
476 |
|
476 | |||
477 |
|
477 | |||
478 | Apache as subdirectory |
|
478 | Apache as subdirectory | |
479 | ---------------------- |
|
479 | ---------------------- | |
480 |
|
480 | |||
481 | Apache subdirectory part:: |
|
481 | Apache subdirectory part:: | |
482 |
|
482 | |||
483 | <Location /<someprefix> > |
|
483 | <Location /<someprefix> > | |
484 | ProxyPass http://127.0.0.1:5000/<someprefix> |
|
484 | ProxyPass http://127.0.0.1:5000/<someprefix> | |
485 | ProxyPassReverse http://127.0.0.1:5000/<someprefix> |
|
485 | ProxyPassReverse http://127.0.0.1:5000/<someprefix> | |
486 | SetEnvIf X-Url-Scheme https HTTPS=1 |
|
486 | SetEnvIf X-Url-Scheme https HTTPS=1 | |
487 | </Location> |
|
487 | </Location> | |
488 |
|
488 | |||
489 | Besides the regular apache setup you will need to add the following line |
|
489 | Besides the regular apache setup you will need to add the following line | |
490 | into [app:main] section of your .ini file:: |
|
490 | into [app:main] section of your .ini file:: | |
491 |
|
491 | |||
492 | filter-with = proxy-prefix |
|
492 | filter-with = proxy-prefix | |
493 |
|
493 | |||
494 | Add the following at the end of the .ini file:: |
|
494 | Add the following at the end of the .ini file:: | |
495 |
|
495 | |||
496 | [filter:proxy-prefix] |
|
496 | [filter:proxy-prefix] | |
497 | use = egg:PasteDeploy#prefix |
|
497 | use = egg:PasteDeploy#prefix | |
498 | prefix = /<someprefix> |
|
498 | prefix = /<someprefix> | |
499 |
|
499 | |||
500 |
|
500 | |||
501 | then change <someprefix> into your choosen prefix |
|
501 | then change <someprefix> into your choosen prefix | |
502 |
|
502 | |||
503 | Apache's WSGI config |
|
503 | Apache's WSGI config | |
504 | -------------------- |
|
504 | -------------------- | |
505 |
|
505 | |||
|
506 | Alternatively, RhodeCode can be set up with Apache under mod_wsgi. For | |||
|
507 | that, you'll need to: | |||
|
508 | ||||
|
509 | - Install mod_wsgi. If using a Debian-based distro, you can install | |||
|
510 | the package libapache2-mod-wsgi:: | |||
|
511 | aptitude install libapache2-mod-wsgi | |||
|
512 | - Enable mod_wsgi:: | |||
|
513 | a2enmod wsgi | |||
|
514 | - Create a wsgi dispatch script, like the one below. Make sure you | |||
|
515 | check the paths correctly point to where you installed RhodeCode | |||
|
516 | and its Python Virtual Environment. | |||
|
517 | - Enable the WSGIScriptAlias directive for the wsgi dispatch script, | |||
|
518 | as in the following example. Once again, check the paths are | |||
|
519 | correctly specified. | |||
|
520 | ||||
|
521 | Here is a sample excerpt from an Apache Virtual Host configuration file:: | |||
|
522 | ||||
|
523 | WSGIDaemonProcess pylons user=www-data group=www-data processes=1 \ | |||
|
524 | threads=4 \ | |||
|
525 | python-path=/home/web/rhodecode/pyenv/lib/python2.6/site-packages | |||
|
526 | WSGIScriptAlias / /home/web/rhodecode/dispatch.wsgi | |||
506 |
|
|
527 | ||
507 | Example wsgi dispatch script:: |
|
528 | Example wsgi dispatch script:: | |
508 |
|
529 | |||
509 | import os |
|
530 | import os | |
510 | os.environ["HGENCODING"] = "UTF-8" |
|
531 | os.environ["HGENCODING"] = "UTF-8" | |
511 | os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache' |
|
532 | os.environ['PYTHON_EGG_CACHE'] = '/home/web/rhodecode/.egg-cache' | |
512 |
|
533 | |||
513 | # sometimes it's needed to set the curent dir |
|
534 | # sometimes it's needed to set the curent dir | |
514 | os.chdir('/home/web/rhodecode/') |
|
535 | os.chdir('/home/web/rhodecode/') | |
515 |
|
536 | |||
|
537 | import site | |||
|
538 | site.addsitedir("/home/web/rhodecode/pyenv/lib/python2.6/site-packages") | |||
|
539 | ||||
516 | from paste.deploy import loadapp |
|
540 | from paste.deploy import loadapp | |
517 | from paste.script.util.logging_config import fileConfig |
|
541 | from paste.script.util.logging_config import fileConfig | |
518 |
|
542 | |||
519 | fileConfig('/home/web/rhodecode/production.ini') |
|
543 | fileConfig('/home/web/rhodecode/production.ini') | |
520 | application = loadapp('config:/home/web/rhodecode/production.ini') |
|
544 | application = loadapp('config:/home/web/rhodecode/production.ini') | |
521 |
|
545 | |||
|
546 | Note: when using mod_wsgi you'll need to install the same version of | |||
|
547 | Mercurial that's inside RhodeCode's virtualenv also on the system's Python | |||
|
548 | environment. | |||
|
549 | ||||
522 |
|
550 | |||
523 | Other configuration files |
|
551 | Other configuration files | |
524 | ------------------------- |
|
552 | ------------------------- | |
525 |
|
553 | |||
526 | Some example init.d scripts can be found here, for debian and gentoo: |
|
554 | Some example init.d scripts can be found here, for debian and gentoo: | |
527 |
|
555 | |||
528 | https://rhodecode.org/rhodecode/files/tip/init.d |
|
556 | https://rhodecode.org/rhodecode/files/tip/init.d | |
529 |
|
557 | |||
530 |
|
558 | |||
531 | Troubleshooting |
|
559 | Troubleshooting | |
532 | --------------- |
|
560 | --------------- | |
533 |
|
561 | |||
534 | :Q: **Missing static files?** |
|
562 | :Q: **Missing static files?** | |
535 | :A: Make sure either to set the `static_files = true` in the .ini file or |
|
563 | :A: Make sure either to set the `static_files = true` in the .ini file or | |
536 | double check the root path for your http setup. It should point to |
|
564 | double check the root path for your http setup. It should point to | |
537 | for example: |
|
565 | for example: | |
538 | /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public |
|
566 | /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public | |
539 |
|
567 | |||
540 | | |
|
568 | | | |
541 |
|
569 | |||
542 | :Q: **Can't install celery/rabbitmq** |
|
570 | :Q: **Can't install celery/rabbitmq** | |
543 | :A: Don't worry RhodeCode works without them too. No extra setup is required. |
|
571 | :A: Don't worry RhodeCode works without them too. No extra setup is required. | |
544 |
|
572 | |||
545 | | |
|
573 | | | |
546 |
|
574 | |||
547 | :Q: **Long lasting push timeouts?** |
|
575 | :Q: **Long lasting push timeouts?** | |
548 | :A: Make sure you set a longer timeouts in your proxy/fcgi settings, timeouts |
|
576 | :A: Make sure you set a longer timeouts in your proxy/fcgi settings, timeouts | |
549 | are caused by https server and not RhodeCode. |
|
577 | are caused by https server and not RhodeCode. | |
550 |
|
578 | |||
551 | | |
|
579 | | | |
552 |
|
580 | |||
553 | :Q: **Large pushes timeouts?** |
|
581 | :Q: **Large pushes timeouts?** | |
554 | :A: Make sure you set a proper max_body_size for the http server. |
|
582 | :A: Make sure you set a proper max_body_size for the http server. | |
555 |
|
583 | |||
556 | | |
|
584 | | | |
557 |
|
585 | |||
558 | :Q: **Apache doesn't pass basicAuth on pull/push?** |
|
586 | :Q: **Apache doesn't pass basicAuth on pull/push?** | |
559 | :A: Make sure you added `WSGIPassAuthorization true`. |
|
587 | :A: Make sure you added `WSGIPassAuthorization true`. | |
560 |
|
588 | |||
561 | For further questions search the `Issues tracker`_, or post a message in the |
|
589 | For further questions search the `Issues tracker`_, or post a message in the | |
562 | `google group rhodecode`_ |
|
590 | `google group rhodecode`_ | |
563 |
|
591 | |||
564 | .. _virtualenv: http://pypi.python.org/pypi/virtualenv |
|
592 | .. _virtualenv: http://pypi.python.org/pypi/virtualenv | |
565 | .. _python: http://www.python.org/ |
|
593 | .. _python: http://www.python.org/ | |
566 | .. _mercurial: http://mercurial.selenic.com/ |
|
594 | .. _mercurial: http://mercurial.selenic.com/ | |
567 | .. _celery: http://celeryproject.org/ |
|
595 | .. _celery: http://celeryproject.org/ | |
568 | .. _rabbitmq: http://www.rabbitmq.com/ |
|
596 | .. _rabbitmq: http://www.rabbitmq.com/ | |
569 | .. _python-ldap: http://www.python-ldap.org/ |
|
597 | .. _python-ldap: http://www.python-ldap.org/ | |
570 | .. _mercurial-server: http://www.lshift.net/mercurial-server.html |
|
598 | .. _mercurial-server: http://www.lshift.net/mercurial-server.html | |
571 | .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories |
|
599 | .. _PublishingRepositories: http://mercurial.selenic.com/wiki/PublishingRepositories | |
572 | .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues |
|
600 | .. _Issues tracker: https://bitbucket.org/marcinkuzminski/rhodecode/issues | |
573 | .. _google group rhodecode: http://groups.google.com/group/rhodecode |
|
601 | .. _google group rhodecode: http://groups.google.com/group/rhodecode |
General Comments 0
You need to be logged in to leave comments.
Login now