##// END OF EJS Templates
Update documentation for LDAP settings (and add Active Directory information).
Thayne Harbaugh -
r992:c03d1678 issue-108
parent child Browse files
Show More
@@ -1,329 +1,472 b''
1 .. _setup:
1 .. _setup:
2
2
3 Setup
3 Setup
4 =====
4 =====
5
5
6
6
7 Setting up the application
7 Setting up the application
8 --------------------------
8 --------------------------
9
9
10 First You'll ned to create RhodeCode config file. Run the following command
10 First You'll ned to create RhodeCode config file. Run the following command
11 to do this
11 to do this
12
12
13 ::
13 ::
14
14
15 paster make-config RhodeCode production.ini
15 paster make-config RhodeCode production.ini
16
16
17 - This will create `production.ini` config inside the directory
17 - This will create `production.ini` config inside the directory
18 this config contains various settings for RhodeCode, e.g proxy port,
18 this config contains various settings for RhodeCode, e.g proxy port,
19 email settings, usage of static files, cache, celery settings and logging.
19 email settings, usage of static files, cache, celery settings and logging.
20
20
21
21
22
22
23 Next we need to create the database.
23 Next we need to create the database.
24
24
25 ::
25 ::
26
26
27 paster setup-app production.ini
27 paster setup-app production.ini
28
28
29 - This command will create all needed tables and an admin account.
29 - This command will create all needed tables and an admin account.
30 When asked for a path You can either use a new location of one with already
30 When asked for a path You can either use a new location of one with already
31 existing ones. RhodeCode will simply add all new found repositories to
31 existing ones. RhodeCode will simply add all new found repositories to
32 it's database. Also make sure You specify correct path to repositories.
32 it's database. Also make sure You specify correct path to repositories.
33 - Remember that the given path for mercurial_ repositories must be write
33 - Remember that the given path for mercurial_ repositories must be write
34 accessible for the application. It's very important since RhodeCode web
34 accessible for the application. It's very important since RhodeCode web
35 interface will work even without such an access but, when trying to do a
35 interface will work even without such an access but, when trying to do a
36 push it'll eventually fail with permission denied errors.
36 push it'll eventually fail with permission denied errors.
37
37
38 You are ready to use rhodecode, to run it simply execute
38 You are ready to use rhodecode, to run it simply execute
39
39
40 ::
40 ::
41
41
42 paster serve production.ini
42 paster serve production.ini
43
43
44 - This command runs the RhodeCode server the app should be available at the
44 - This command runs the RhodeCode server the app should be available at the
45 127.0.0.1:5000. This ip and port is configurable via the production.ini
45 127.0.0.1:5000. This ip and port is configurable via the production.ini
46 file created in previous step
46 file created in previous step
47 - Use admin account you created to login.
47 - Use admin account you created to login.
48 - Default permissions on each repository is read, and owner is admin. So
48 - Default permissions on each repository is read, and owner is admin. So
49 remember to update these if needed. In the admin panel You can toggle ldap,
49 remember to update these if needed. In the admin panel You can toggle ldap,
50 anonymous, permissions settings. As well as edit more advanced options on
50 anonymous, permissions settings. As well as edit more advanced options on
51 users and repositories
51 users and repositories
52
52
53 Using RhodeCode with SSH
53 Using RhodeCode with SSH
54 ------------------------
54 ------------------------
55
55
56 RhodeCode repository structures are kept in directories with the same name
56 RhodeCode repository structures are kept in directories with the same name
57 as the project, when using repository groups, each group is a a subdirectory.
57 as the project, when using repository groups, each group is a a subdirectory.
58 This will allow You to use ssh for accessing repositories quite easy. There
58 This will allow You to use ssh for accessing repositories quite easy. There
59 are some exceptions when using ssh for accessing repositories.
59 are some exceptions when using ssh for accessing repositories.
60
60
61 You have to make sure that the webserver as well as the ssh users have unix
61 You have to make sure that the webserver as well as the ssh users have unix
62 permission for directories. Secondly when using ssh rhodecode will not
62 permission for directories. Secondly when using ssh rhodecode will not
63 authenticate those requests and permissions set by the web interface will not
63 authenticate those requests and permissions set by the web interface will not
64 work on the repositories accessed via ssh. There is a solution to this to use
64 work on the repositories accessed via ssh. There is a solution to this to use
65 auth hooks, that connects to rhodecode db, and runs check functions for
65 auth hooks, that connects to rhodecode db, and runs check functions for
66 permissions.
66 permissions.
67
67
68 TODO: post more info on this !
68 TODO: post more info on this !
69
69
70 if Your main directory (the same as set in RhodeCode settings) is set to
70 if Your main directory (the same as set in RhodeCode settings) is set to
71 for example `\home\hg` and repository You are using is `rhodecode`
71 for example `\home\hg` and repository You are using is `rhodecode`
72
72
73 The command runned should look like this::
73 The command runned should look like this::
74 hg clone ssh://user@server.com/home/hg/rhodecode
74 hg clone ssh://user@server.com/home/hg/rhodecode
75
75
76 Using external tools such as mercurial server or using ssh key based auth is
76 Using external tools such as mercurial server or using ssh key based auth is
77 fully supported.
77 fully supported.
78
78
79 Setting up Whoosh full text search
79 Setting up Whoosh full text search
80 ----------------------------------
80 ----------------------------------
81
81
82 Starting from version 1.1 whoosh index can be build using paster command.
82 Starting from version 1.1 whoosh index can be build using paster command.
83 You have to specify the config file that stores location of index, and
83 You have to specify the config file that stores location of index, and
84 location of repositories (`--repo-location`). Starting from version 1.2 it is
84 location of repositories (`--repo-location`). Starting from version 1.2 it is
85 also possible to specify a comma separated list of repositories (`--index-only`)
85 also possible to specify a comma separated list of repositories (`--index-only`)
86 to build index only on chooses repositories skipping any other found in repos
86 to build index only on chooses repositories skipping any other found in repos
87 location
87 location
88
88
89 There is possible also to pass `-f` to the options
89 There is possible also to pass `-f` to the options
90 to enable full index rebuild. Without that indexing will run always in in
90 to enable full index rebuild. Without that indexing will run always in in
91 incremental mode.
91 incremental mode.
92
92
93 incremental mode::
93 incremental mode::
94
94
95 paster make-index production.ini --repo-location=<location for repos>
95 paster make-index production.ini --repo-location=<location for repos>
96
96
97
97
98
98
99 for full index rebuild You can use::
99 for full index rebuild You can use::
100
100
101 paster make-index production.ini -f --repo-location=<location for repos>
101 paster make-index production.ini -f --repo-location=<location for repos>
102
102
103
103
104 building index just for chosen repositories is possible with such command::
104 building index just for chosen repositories is possible with such command::
105
105
106 paster make-index production.ini --repo-location=<location for repos> --index-only=vcs,rhodecode
106 paster make-index production.ini --repo-location=<location for repos> --index-only=vcs,rhodecode
107
107
108
108
109 In order to do periodical index builds and keep Your index always up to date.
109 In order to do periodical index builds and keep Your index always up to date.
110 It's recommended to do a crontab entry for incremental indexing.
110 It's recommended to do a crontab entry for incremental indexing.
111 An example entry might look like this
111 An example entry might look like this
112
112
113 ::
113 ::
114
114
115 /path/to/python/bin/paster /path/to/rhodecode/production.ini --repo-location=<location for repos>
115 /path/to/python/bin/paster /path/to/rhodecode/production.ini --repo-location=<location for repos>
116
116
117 When using incremental (default) mode whoosh will check last modification date
117 When using incremental (default) mode whoosh will check last modification date
118 of each file and add it to reindex if newer file is available. Also indexing
118 of each file and add it to reindex if newer file is available. Also indexing
119 daemon checks for removed files and removes them from index.
119 daemon checks for removed files and removes them from index.
120
120
121 Sometime You might want to rebuild index from scratch. You can do that using
121 Sometime You might want to rebuild index from scratch. You can do that using
122 the `-f` flag passed to paster command or, in admin panel You can check
122 the `-f` flag passed to paster command or, in admin panel You can check
123 `build from scratch` flag.
123 `build from scratch` flag.
124
124
125
125
126 Setting up LDAP support
126 Setting up LDAP support
127 -----------------------
127 -----------------------
128
128
129 RhodeCode starting from version 1.1 supports ldap authentication. In order
129 RhodeCode starting from version 1.1 supports ldap authentication. In order
130 to use ldap, You have to install python-ldap package. This package is available
130 to use LDAP, You have to install python-ldap_ package. This package is available
131 via pypi, so You can install it by running
131 via pypi, so You can install it by running
132
132
133 ::
133 ::
134
134
135 easy_install python-ldap
135 easy_install python-ldap
136
136
137 ::
137 ::
138
138
139 pip install python-ldap
139 pip install python-ldap
140
140
141 .. note::
141 .. note::
142 python-ldap requires some certain libs on Your system, so before installing
142 python-ldap requires some certain libs on Your system, so before installing
143 it check that You have at least `openldap`, and `sasl` libraries.
143 it check that You have at least `openldap`, and `sasl` libraries.
144
144
145 ldap settings are located in admin->ldap section,
145 LDAP settings are located in admin->ldap section,
146
147 This is a typical LDAP setup::
148
149 Connection settings
150 Enable LDAP = checked
151 Host = host.example.org
152 Port = 389
153 Account = <account>
154 Password = <password>
155 Enable LDAPS = checked
156 Certificate Checks = DEMAND
157
158 Search settings
159 Base DN = CN=users,DC=host,DC=example,DC=org
160 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
161 LDAP Search Scope = SUBTREE
146
162
147 Here's a typical ldap setup::
163 Attribute mappings
164 Login Attribute = uid
165 First Name Attribute = firstName
166 Last Name Attribute = lastName
167 E-mail Attribute = mail
168
169 .. _enable_ldap:
170
171 Enable LDAP : required
172 Whether to use LDAP for authenticating users.
173
174 .. _ldap_host:
175
176 Host : required
177 LDAP server hostname or IP address.
178
179 .. _Port:
180
181 Port : required
182 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
183
184 .. _ldap_account:
148
185
149 Enable ldap = checked #controls if ldap access is enabled
186 Account : optional
150 Host = host.domain.org #actual ldap server to connect
187 Only required if the LDAP server does not allow anonymous browsing of
151 Port = 389 or 689 for ldaps #ldap server ports
188 records. This should be a special account for record browsing. This
152 Enable LDAPS = unchecked #enable disable ldaps
189 will require `LDAP Password`_ below.
153 Account = <account> #access for ldap server(if required)
190
154 Password = <password> #password for ldap server(if required)
191 .. _LDAP Password:
155 Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org
192
156
193 Password : optional
194 Only required if the LDAP server does not allow anonymous browsing of
195 records.
196
197 .. _Enable LDAPS:
198
199 Enable LDAPS : optional
200 Check this if SSL encryption is necessary for communication with the
201 LDAP server - it will likely require `Port`_ to be set to a different
202 value (standard LDAPS port is 636). When LDAPS is enabled then
203 `Certificate Checks`_ is required.
204
205 .. _Certificate Checks:
157
206
158 `Account` and `Password` are optional, and used for two-phase ldap
207 Certificate Checks : optional
159 authentication so those are credentials to access Your ldap, if it doesn't
208 How SSL certificates verification is handled - this is only useful when
160 support anonymous search/user lookups.
209 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while
210 the other options are susceptible to man-in-the-middle attacks. SSL
211 certificates can be installed to /etc/openldap/cacerts so that the
212 DEMAND or HARD options can be used with self-signed certificates or
213 certificates that do not have traceable certificates of authority.
214
215 NEVER
216 A serve certificate will never be requested or checked.
217
218 ALLOW
219 A server certificate is requested. Failure to provide a
220 certificate or providing a bad certificate will not terminate the
221 session.
222
223 TRY
224 A server certificate is requested. Failure to provide a
225 certificate does not halt the session; providing a bad certificate
226 halts the session.
227
228 DEMAND
229 A server certificate is requested and must be provided and
230 authenticated for the session to proceed.
161
231
162 Base DN must have %(user)s template inside, it's a placer where Your uid used
232 HARD
163 to login would go, it allows admins to specify not standard schema for uid
233 The same as DEMAND.
164 variable
234
235 .. _Base DN:
236
237 Base DN : required
238 The Distinguished Name (DN) where searches for users will be performed.
239 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
240
241 .. _LDAP Filter:
242
243 LDAP Filter : optional
244 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
245 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
246 which LDAP objects are identified as representing Users for
247 authentication. The filter is augmented by `Login Attribute`_ below.
248 This can commonly be left blank.
249
250 .. _LDAP Search Scope:
251
252 LDAP Search Scope : required
253 This limits how far LDAP will search for a matching object.
254
255 BASE
256 Only allows searching of `Base DN`_ and is usually not what you
257 want.
258
259 ONELEVEL
260 Searches all entries under `Base DN`_, but not Base DN itself.
261
262 SUBTREE
263 Searches all entries below `Base DN`_, but not Base DN itself.
264 When using SUBTREE `LDAP Filter`_ is useful to limit object
265 location.
266
267 .. _Login Attribute:
165
268
166 If all data are entered correctly, and `python-ldap` is properly installed
269 Login Attribute : required
167 Users should be granted to access RhodeCode wit ldap accounts. When
270 The LDAP record attribute that will be matched as the USERNAME or
168 logging at the first time an special ldap account is created inside RhodeCode,
271 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
169 so You can control over permissions even on ldap users. If such user exists
272 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
170 already in RhodeCode database ldap user with the same username would be not
273 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
171 able to access RhodeCode.
274 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
275 ::
276
277 (&(LDAPFILTER)(uid=jsmith))
278
279 .. _ldap_attr_firstname:
280
281 First Name Attribute : required
282 The LDAP record attribute which represents the user's first name.
283
284 .. _ldap_attr_lastname:
285
286 Last Name Attribute : required
287 The LDAP record attribute which represents the user's last name.
288
289 .. _ldap_attr_email:
290
291 Email Attribute : required
292 The LDAP record attribute which represents the user's email address.
172
293
173 If You have problems with ldap access and believe You entered correct
294 If all data are entered correctly, and python-ldap_ is properly installed
174 information check out the RhodeCode logs,any error messages sent from
295 users should be granted access to RhodeCode with ldap accounts. At this
175 ldap will be saved there.
296 time user information is copied from LDAP into the RhodeCode user database.
297 This means that updates of an LDAP user object may not be reflected as a
298 user update in RhodeCode.
299
300 If You have problems with LDAP access and believe You entered correct
301 information check out the RhodeCode logs, any error messages sent from LDAP
302 will be saved there.
303
304 Active Directory
305 ''''''''''''''''
176
306
307 RhodeCode can use Microsoft Active Directory for user authentication. This
308 is done through an LDAP or LDAPS connection to Active Directory. The
309 following LDAP configuration settings are typical for using Active
310 Directory ::
177
311
312 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
313 Login Attribute = sAMAccountName
314 First Name Attribute = givenName
315 Last Name Attribute = sn
316 E-mail Attribute = mail
317
318 All other LDAP settings will likely be site-specific and should be
319 appropriately configured.
178
320
179 Setting Up Celery
321 Setting Up Celery
180 -----------------
322 -----------------
181
323
182 Since version 1.1 celery is configured by the rhodecode ini configuration files
324 Since version 1.1 celery is configured by the rhodecode ini configuration files
183 simply set use_celery=true in the ini file then add / change the configuration
325 simply set use_celery=true in the ini file then add / change the configuration
184 variables inside the ini file.
326 variables inside the ini file.
185
327
186 Remember that the ini files uses format with '.' not with '_' like celery
328 Remember that the ini files uses format with '.' not with '_' like celery
187 so for example setting `BROKER_HOST` in celery means setting `broker.host` in
329 so for example setting `BROKER_HOST` in celery means setting `broker.host` in
188 the config file.
330 the config file.
189
331
190 In order to make start using celery run::
332 In order to make start using celery run::
191
333
192 paster celeryd <configfile.ini>
334 paster celeryd <configfile.ini>
193
335
194
336
195
337
196 .. note::
338 .. note::
197 Make sure You run this command from same virtualenv, and with the same user
339 Make sure You run this command from same virtualenv, and with the same user
198 that rhodecode runs.
340 that rhodecode runs.
199
341
200
342
201 Nginx virtual host example
343 Nginx virtual host example
202 --------------------------
344 --------------------------
203
345
204 Sample config for nginx using proxy::
346 Sample config for nginx using proxy::
205
347
206 server {
348 server {
207 listen 80;
349 listen 80;
208 server_name hg.myserver.com;
350 server_name hg.myserver.com;
209 access_log /var/log/nginx/rhodecode.access.log;
351 access_log /var/log/nginx/rhodecode.access.log;
210 error_log /var/log/nginx/rhodecode.error.log;
352 error_log /var/log/nginx/rhodecode.error.log;
211 location / {
353 location / {
212 root /var/www/rhodecode/rhodecode/public/;
354 root /var/www/rhodecode/rhodecode/public/;
213 if (!-f $request_filename){
355 if (!-f $request_filename){
214 proxy_pass http://127.0.0.1:5000;
356 proxy_pass http://127.0.0.1:5000;
215 }
357 }
216 #this is important if You want to use https !!!
358 #this is important if You want to use https !!!
217 proxy_set_header X-Url-Scheme $scheme;
359 proxy_set_header X-Url-Scheme $scheme;
218 include /etc/nginx/proxy.conf;
360 include /etc/nginx/proxy.conf;
219 }
361 }
220 }
362 }
221
363
222 Here's the proxy.conf. It's tuned so it'll not timeout on long
364 Here's the proxy.conf. It's tuned so it'll not timeout on long
223 pushes and also on large pushes::
365 pushes and also on large pushes::
224
366
225 proxy_redirect off;
367 proxy_redirect off;
226 proxy_set_header Host $host;
368 proxy_set_header Host $host;
227 proxy_set_header X-Host $http_host;
369 proxy_set_header X-Host $http_host;
228 proxy_set_header X-Real-IP $remote_addr;
370 proxy_set_header X-Real-IP $remote_addr;
229 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
371 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
230 proxy_set_header Proxy-host $proxy_host;
372 proxy_set_header Proxy-host $proxy_host;
231 client_max_body_size 400m;
373 client_max_body_size 400m;
232 client_body_buffer_size 128k;
374 client_body_buffer_size 128k;
233 proxy_buffering off;
375 proxy_buffering off;
234 proxy_connect_timeout 3600;
376 proxy_connect_timeout 3600;
235 proxy_send_timeout 3600;
377 proxy_send_timeout 3600;
236 proxy_read_timeout 3600;
378 proxy_read_timeout 3600;
237 proxy_buffer_size 16k;
379 proxy_buffer_size 16k;
238 proxy_buffers 4 16k;
380 proxy_buffers 4 16k;
239 proxy_busy_buffers_size 64k;
381 proxy_busy_buffers_size 64k;
240 proxy_temp_file_write_size 64k;
382 proxy_temp_file_write_size 64k;
241
383
242 Also when using root path with nginx You might set the static files to false
384 Also when using root path with nginx You might set the static files to false
243 in production.ini file::
385 in production.ini file::
244
386
245 [app:main]
387 [app:main]
246 use = egg:rhodecode
388 use = egg:rhodecode
247 full_stack = true
389 full_stack = true
248 static_files = false
390 static_files = false
249 lang=en
391 lang=en
250 cache_dir = %(here)s/data
392 cache_dir = %(here)s/data
251
393
252 To not have the statics served by the application. And improve speed.
394 To not have the statics served by the application. And improve speed.
253
395
254
396
255 Apache virtual host example
397 Apache virtual host example
256 ---------------------------
398 ---------------------------
257
399
258 Sample config for apache using proxy::
400 Sample config for apache using proxy::
259
401
260 <VirtualHost *:80>
402 <VirtualHost *:80>
261 ServerName hg.myserver.com
403 ServerName hg.myserver.com
262 ServerAlias hg.myserver.com
404 ServerAlias hg.myserver.com
263
405
264 <Proxy *>
406 <Proxy *>
265 Order allow,deny
407 Order allow,deny
266 Allow from all
408 Allow from all
267 </Proxy>
409 </Proxy>
268
410
269 #important !
411 #important !
270 #Directive to properly generate url (clone url) for pylons
412 #Directive to properly generate url (clone url) for pylons
271 ProxyPreserveHost On
413 ProxyPreserveHost On
272
414
273 #rhodecode instance
415 #rhodecode instance
274 ProxyPass / http://127.0.0.1:5000/
416 ProxyPass / http://127.0.0.1:5000/
275 ProxyPassReverse / http://127.0.0.1:5000/
417 ProxyPassReverse / http://127.0.0.1:5000/
276
418
277 #to enable https use line below
419 #to enable https use line below
278 #SetEnvIf X-Url-Scheme https HTTPS=1
420 #SetEnvIf X-Url-Scheme https HTTPS=1
279
421
280 </VirtualHost>
422 </VirtualHost>
281
423
282
424
283 Additional tutorial
425 Additional tutorial
284 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
426 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
285
427
286
428
287 Apache's example FCGI config
429 Apache's example FCGI config
288 ----------------------------
430 ----------------------------
289
431
290 TODO !
432 TODO !
291
433
292 Other configuration files
434 Other configuration files
293 -------------------------
435 -------------------------
294
436
295 Some example init.d script can be found here, for debian and gentoo:
437 Some example init.d script can be found here, for debian and gentoo:
296
438
297 https://rhodeocode.org/rhodecode/files/tip/init.d
439 https://rhodeocode.org/rhodecode/files/tip/init.d
298
440
299
441
300 Troubleshooting
442 Troubleshooting
301 ---------------
443 ---------------
302
444
303 - missing static files ?
445 - missing static files ?
304
446
305 - make sure either to set the `static_files = true` in the .ini file or
447 - make sure either to set the `static_files = true` in the .ini file or
306 double check the root path for Your http setup. It should point to
448 double check the root path for Your http setup. It should point to
307 for example:
449 for example:
308 /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public
450 /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public
309
451
310 - can't install celery/rabbitmq
452 - can't install celery/rabbitmq
311
453
312 - don't worry RhodeCode works without them too. No extra setup required
454 - don't worry RhodeCode works without them too. No extra setup required
313
455
314 - long lasting push timeouts ?
456 - long lasting push timeouts ?
315
457
316 - make sure You set a longer timeouts in Your proxy/fcgi settings, timeouts
458 - make sure You set a longer timeouts in Your proxy/fcgi settings, timeouts
317 are caused by https server and not RhodeCode
459 are caused by https server and not RhodeCode
318
460
319 - large pushes timeouts ?
461 - large pushes timeouts ?
320
462
321 - make sure You set a proper max_body_size for the http server
463 - make sure You set a proper max_body_size for the http server
322
464
323
465
324
466
325 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
467 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
326 .. _python: http://www.python.org/
468 .. _python: http://www.python.org/
327 .. _mercurial: http://mercurial.selenic.com/
469 .. _mercurial: http://mercurial.selenic.com/
328 .. _celery: http://celeryproject.org/
470 .. _celery: http://celeryproject.org/
329 .. _rabbitmq: http://www.rabbitmq.com/ No newline at end of file
471 .. _rabbitmq: http://www.rabbitmq.com/
472 .. _python-ldap: http://www.python-ldap.org/
General Comments 0
You need to be logged in to leave comments. Login now