upstream/kallithea Commit - r992:c03d1678

127

-----------------------

127

-----------------------

128

129

RhodeCode starting from version 1.1 supports ldap authentication. In order

129

RhodeCode starting from version 1.1 supports ldap authentication. In order

130

to use ~~ldap~~, You have to install python-ldap package. This package is available

130

to use LDAP, You have to install python-ldap_ package. This package is available

131

via pypi, so You can install it by running

131

via pypi, so You can install it by running

132

133

::

133

::

142

python-ldap requires some certain libs on Your system, so before installing

142

python-ldap requires some certain libs on Your system, so before installing

143

it check that You have at least `openldap`, and `sasl` libraries.

143

it check that You have at least `openldap`, and `sasl` libraries.

144

145

~~ldap~~ settings are located in admin->ldap section,

145

LDAP settings are located in admin->ldap section,

146

147

This is a typical LDAP setup::

148

149

Connection settings

150

Enable LDAP = checked

151

Host = host.example.org

152

Port = 389

153

Account = <account>

154

Password = <password>

155

Enable LDAPS = checked

156

Certificate Checks = DEMAND

157

158

Search settings

159

Base DN = CN=users,DC=host,DC=example,DC=org

160

LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))

161

LDAP Search Scope = SUBTREE

146

162

147

Here's a typical ldap setup::

163

Attribute mappings

164

Login Attribute = uid

165

First Name Attribute = firstName

166

Last Name Attribute = lastName

167

E-mail Attribute = mail

168

169

.. _enable_ldap:

170

171

Enable LDAP : required

172

Whether to use LDAP for authenticating users.

173

174

.. _ldap_host:

175

176

Host : required

177

LDAP server hostname or IP address.

178

179

.. _Port:

180

181

Port : required

182

389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.

183

184

.. _ldap_account:

148

185

149

Enable ldap = checked #controls if ldap access is enabled

186

Account : optional

150

Host = host.domain.org #actual ldap server to connect

187

Only required if the LDAP server does not allow anonymous browsing of

151

Port = 389 or 689 for ldaps #ldap server ports

188

records. This should be a special account for record browsing. This

152

Enable LDAPS = unchecked #enable disable ldaps

189

will require `LDAP Password`_ below.

153

Account = <account> #access for ldap server(if required)

190

154

Password = <password> #password for ldap server(if required)

191

.. _LDAP Password:

155

Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org

192

156

193

Password : optional

194

Only required if the LDAP server does not allow anonymous browsing of

195

records.

196

197

.. _Enable LDAPS:

198

199

Enable LDAPS : optional

200

Check this if SSL encryption is necessary for communication with the

201

LDAP server - it will likely require `Port`_ to be set to a different

202

value (standard LDAPS port is 636). When LDAPS is enabled then

203

`Certificate Checks`_ is required.

204

205

.. _Certificate Checks:

157

206

158

`Account` and `Password` are optional, and used for two-phase ldap

207

Certificate Checks : optional

159

authentication so those are credentials to access Your ldap, if it doesn't

208

How SSL certificates verification is handled - this is only useful when

160

support anonymous search/user lookups.

209

`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while

210

the other options are susceptible to man-in-the-middle attacks. SSL

211

certificates can be installed to /etc/openldap/cacerts so that the

212

DEMAND or HARD options can be used with self-signed certificates or

213

certificates that do not have traceable certificates of authority.

214

215

NEVER

216

A serve certificate will never be requested or checked.

217

218

ALLOW

219

A server certificate is requested. Failure to provide a

220

certificate or providing a bad certificate will not terminate the

221

session.

222

223

TRY

224

A server certificate is requested. Failure to provide a

225

certificate does not halt the session; providing a bad certificate

226

halts the session.

227

228

DEMAND

229

A server certificate is requested and must be provided and

230

authenticated for the session to proceed.

161

231

162

Base DN must have %(user)s template inside, it's a placer where Your uid used

232

HARD

163

to login would go, it allows admins to specify not standard schema for uid

233

The same as DEMAND.

164

variable

234

235

.. _Base DN:

236

237

Base DN : required

238

The Distinguished Name (DN) where searches for users will be performed.

239

Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.

240

241

.. _LDAP Filter:

242

243

LDAP Filter : optional

244

A LDAP filter defined by RFC 2254. This is more useful when `LDAP

245

Search Scope`_ is set to SUBTREE. The filter is useful for limiting

246

which LDAP objects are identified as representing Users for

247

authentication. The filter is augmented by `Login Attribute`_ below.

248

This can commonly be left blank.

249

250

.. _LDAP Search Scope:

251

252

LDAP Search Scope : required

253

This limits how far LDAP will search for a matching object.

254

255

BASE

256

Only allows searching of `Base DN`_ and is usually not what you

257

want.

258

259

ONELEVEL

260

Searches all entries under `Base DN`_, but not Base DN itself.

261

262

SUBTREE

263

Searches all entries below `Base DN`_, but not Base DN itself.

264

When using SUBTREE `LDAP Filter`_ is useful to limit object

265

location.

266

267

.. _Login Attribute:

165

268

166

If all data are entered correctly, and `python-ldap` is properly installed

269

Login Attribute : required

167

Users should be granted to access RhodeCode wit ldap accounts. When

270

The LDAP record attribute that will be matched as the USERNAME or

168

logging at the first time an special ldap account is created inside RhodeCode,

271

ACCOUNT used to connect to RhodeCode. This will be added to `LDAP

169

so You can control over permissions even on ldap users. If such user exists

272

Filter`_ for locating the User object. If `LDAP Filter`_ is specified as

170

already in RhodeCode database ldap user with the same username would be not

273

"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has

171

able to access RhodeCode.

274

connected as "jsmith" then the `LDAP Filter`_ will be augmented as below

275

::

276

277

(&(LDAPFILTER)(uid=jsmith))

278

279

.. _ldap_attr_firstname:

280

281

First Name Attribute : required

282

The LDAP record attribute which represents the user's first name.

283

284

.. _ldap_attr_lastname:

285

286

Last Name Attribute : required

287

The LDAP record attribute which represents the user's last name.

288

289

.. _ldap_attr_email:

290

291

Email Attribute : required

292

The LDAP record attribute which represents the user's email address.

172

293

173

If You have problems with ldap access and believe You entered correct

294

If all data are entered correctly, and python-ldap_ is properly installed

174

information check out the RhodeCode logs,any error messages sent from

295

users should be granted access to RhodeCode with ldap accounts. At this

175

ldap will be saved there.

296

time user information is copied from LDAP into the RhodeCode user database.

297

This means that updates of an LDAP user object may not be reflected as a

298

user update in RhodeCode.

299

300

If You have problems with LDAP access and believe You entered correct

301

information check out the RhodeCode logs, any error messages sent from LDAP

302

will be saved there.

303

304

Active Directory

305

''''''''''''''''

176

306

307

RhodeCode can use Microsoft Active Directory for user authentication. This

308

is done through an LDAP or LDAPS connection to Active Directory. The

309

following LDAP configuration settings are typical for using Active

310

Directory ::

177

311

312

Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local

313

Login Attribute = sAMAccountName

314

First Name Attribute = givenName

315

Last Name Attribute = sn

316

E-mail Attribute = mail

317

318

All other LDAP settings will likely be site-specific and should be

319

appropriately configured.

178

320

179

Setting Up Celery

321

Setting Up Celery

180

-----------------

322

-----------------

326

.. _python: http://www.python.org/

468

.. _python: http://www.python.org/

327

.. _mercurial: http://mercurial.selenic.com/

469

.. _mercurial: http://mercurial.selenic.com/

328

.. _celery: http://celeryproject.org/

470

.. _celery: http://celeryproject.org/

329

.. _rabbitmq: http://www.rabbitmq.com/ No newline at end of file

471

.. _rabbitmq: http://www.rabbitmq.com/

472

.. _python-ldap: http://www.python-ldap.org/

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

@@ -127,7 +127,7 b' Setting up LDAP support'
127	-----------------------	127	-----------------------
128		128
129	RhodeCode starting from version 1.1 supports ldap authentication. In order	129	RhodeCode starting from version 1.1 supports ldap authentication. In order
130	to use ~~ldap~~, You have to install python-ldap package. This package is available	130	to use LDAP, You have to install python-ldap_ package. This package is available
131	via pypi, so You can install it by running	131	via pypi, so You can install it by running
132		132
133	::	133	::
@@ -142,39 +142,181 b' via pypi, so You can install it by runni'
142	python-ldap requires some certain libs on Your system, so before installing	142	python-ldap requires some certain libs on Your system, so before installing
143	it check that You have at least `openldap`, and `sasl` libraries.	143	it check that You have at least `openldap`, and `sasl` libraries.
144		144
145	~~ldap~~ settings are located in admin->ldap section,	145	LDAP settings are located in admin->ldap section,
		146
		147	This is a typical LDAP setup::
		148
		149	Connection settings
		150	Enable LDAP = checked
		151	Host = host.example.org
		152	Port = 389
		153	Account = <account>
		154	Password = <password>
		155	Enable LDAPS = checked
		156	Certificate Checks = DEMAND
		157
		158	Search settings
		159	Base DN = CN=users,DC=host,DC=example,DC=org
		160	LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
		161	LDAP Search Scope = SUBTREE
146		162
147	Here's a typical ldap setup::	163	Attribute mappings
		164	Login Attribute = uid
		165	First Name Attribute = firstName
		166	Last Name Attribute = lastName
		167	E-mail Attribute = mail
		168
		169	.. _enable_ldap:
		170
		171	Enable LDAP : required
		172	Whether to use LDAP for authenticating users.
		173
		174	.. _ldap_host:
		175
		176	Host : required
		177	LDAP server hostname or IP address.
		178
		179	.. _Port:
		180
		181	Port : required
		182	389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
		183
		184	.. _ldap_account:
148		185
149	Enable ldap = checked #controls if ldap access is enabled	186	Account : optional
150	Host = host.domain.org #actual ldap server to connect	187	Only required if the LDAP server does not allow anonymous browsing of
151	Port = 389 or 689 for ldaps #ldap server ports	188	records. This should be a special account for record browsing. This
152	Enable LDAPS = unchecked #enable disable ldaps	189	will require `LDAP Password`_ below.
153	Account = <account> #access for ldap server(if required)	190
154	Password = <password> #password for ldap server(if required)	191	.. _LDAP Password:
155	Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org	192
156		193	Password : optional
		194	Only required if the LDAP server does not allow anonymous browsing of
		195	records.
		196
		197	.. _Enable LDAPS:
		198
		199	Enable LDAPS : optional
		200	Check this if SSL encryption is necessary for communication with the
		201	LDAP server - it will likely require `Port`_ to be set to a different
		202	value (standard LDAPS port is 636). When LDAPS is enabled then
		203	`Certificate Checks`_ is required.
		204
		205	.. _Certificate Checks:
157		206
158	`Account` and `Password` are optional, and used for two-phase ldap	207	Certificate Checks : optional
159	authentication so those are credentials to access Your ldap, if it doesn't	208	How SSL certificates verification is handled - this is only useful when
160	support anonymous search/user lookups.	209	`Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while
		210	the other options are susceptible to man-in-the-middle attacks. SSL
		211	certificates can be installed to /etc/openldap/cacerts so that the
		212	DEMAND or HARD options can be used with self-signed certificates or
		213	certificates that do not have traceable certificates of authority.
		214
		215	NEVER
		216	A serve certificate will never be requested or checked.
		217
		218	ALLOW
		219	A server certificate is requested. Failure to provide a
		220	certificate or providing a bad certificate will not terminate the
		221	session.
		222
		223	TRY
		224	A server certificate is requested. Failure to provide a
		225	certificate does not halt the session; providing a bad certificate
		226	halts the session.
		227
		228	DEMAND
		229	A server certificate is requested and must be provided and
		230	authenticated for the session to proceed.
161		231
162	Base DN must have %(user)s template inside, it's a placer where Your uid used	232	HARD
163	to login would go, it allows admins to specify not standard schema for uid	233	The same as DEMAND.
164	variable	234
		235	.. _Base DN:
		236
		237	Base DN : required
		238	The Distinguished Name (DN) where searches for users will be performed.
		239	Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
		240
		241	.. _LDAP Filter:
		242
		243	LDAP Filter : optional
		244	A LDAP filter defined by RFC 2254. This is more useful when `LDAP
		245	Search Scope`_ is set to SUBTREE. The filter is useful for limiting
		246	which LDAP objects are identified as representing Users for
		247	authentication. The filter is augmented by `Login Attribute`_ below.
		248	This can commonly be left blank.
		249
		250	.. _LDAP Search Scope:
		251
		252	LDAP Search Scope : required
		253	This limits how far LDAP will search for a matching object.
		254
		255	BASE
		256	Only allows searching of `Base DN`_ and is usually not what you
		257	want.
		258
		259	ONELEVEL
		260	Searches all entries under `Base DN`_, but not Base DN itself.
		261
		262	SUBTREE
		263	Searches all entries below `Base DN`_, but not Base DN itself.
		264	When using SUBTREE `LDAP Filter`_ is useful to limit object
		265	location.
		266
		267	.. _Login Attribute:
165		268
166	If all data are entered correctly, and `python-ldap` is properly installed	269	Login Attribute : required
167	Users should be granted to access RhodeCode wit ldap accounts. When	270	The LDAP record attribute that will be matched as the USERNAME or
168	logging at the first time an special ldap account is created inside RhodeCode,	271	ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
169	so You can control over permissions even on ldap users. If such user exists	272	Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
170	already in RhodeCode database ldap user with the same username would be not	273	"LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
171	able to access RhodeCode.	274	connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
		275	::
		276
		277	(&(LDAPFILTER)(uid=jsmith))
		278
		279	.. _ldap_attr_firstname:
		280
		281	First Name Attribute : required
		282	The LDAP record attribute which represents the user's first name.
		283
		284	.. _ldap_attr_lastname:
		285
		286	Last Name Attribute : required
		287	The LDAP record attribute which represents the user's last name.
		288
		289	.. _ldap_attr_email:
		290
		291	Email Attribute : required
		292	The LDAP record attribute which represents the user's email address.
172		293
173	If You have problems with ldap access and believe You entered correct	294	If all data are entered correctly, and python-ldap_ is properly installed
174	information check out the RhodeCode logs,any error messages sent from	295	users should be granted access to RhodeCode with ldap accounts. At this
175	ldap will be saved there.	296	time user information is copied from LDAP into the RhodeCode user database.
		297	This means that updates of an LDAP user object may not be reflected as a
		298	user update in RhodeCode.
		299
		300	If You have problems with LDAP access and believe You entered correct
		301	information check out the RhodeCode logs, any error messages sent from LDAP
		302	will be saved there.
		303
		304	Active Directory
		305	''''''''''''''''
176		306
		307	RhodeCode can use Microsoft Active Directory for user authentication. This
		308	is done through an LDAP or LDAPS connection to Active Directory. The
		309	following LDAP configuration settings are typical for using Active
		310	Directory ::
177		311
		312	Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
		313	Login Attribute = sAMAccountName
		314	First Name Attribute = givenName
		315	Last Name Attribute = sn
		316	E-mail Attribute = mail
		317
		318	All other LDAP settings will likely be site-specific and should be
		319	appropriately configured.
178		320
179	Setting Up Celery	321	Setting Up Celery
180	-----------------	322	-----------------
@@ -326,4 +468,5 b' Troubleshooting'
326	.. _python: http://www.python.org/	468	.. _python: http://www.python.org/
327	.. _mercurial: http://mercurial.selenic.com/	469	.. _mercurial: http://mercurial.selenic.com/
328	.. _celery: http://celeryproject.org/	470	.. _celery: http://celeryproject.org/
329	.. _rabbitmq: http://www.rabbitmq.com/ No newline at end of file	471	.. _rabbitmq: http://www.rabbitmq.com/
		472	.. _python-ldap: http://www.python-ldap.org/