Update documentation for LDAP settings (and add Active Directory information).
Thayne Harbaugh -
r992:c03d1678 issue-108
@@ -127,7 +127,7 b' Setting up LDAP support'
127 -----------------------
127 -----------------------
128
128
129 RhodeCode starting from version 1.1 supports ldap authentication. In order
129 RhodeCode starting from version 1.1 supports ldap authentication. In order
130 to use ldap, You have to install python-ldap package. This package is available
130 to use LDAP, You have to install python-ldap_ package. This package is available
131 via pypi, so You can install it by running
131 via pypi, so You can install it by running
132
132
133 ::
133 ::
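Review bot: the new `python-ldap_` reference on line 130 needs a matching `.. _python-ldap:` target or Sphinx will emit an unknown-target warning; the target is added at the end of this same patch, so the two halves should land together. While this line is being touched, the mid-sentence "You" in "to use LDAP, You have to install" reads better lowercased, matching the "RhodeCode starting from version 1.1" sentence that precedes it.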
@@ -142,39 +142,181 b' via pypi, so You can install it by runni'
142 python-ldap requires some certain libs on Your system, so before installing
142 python-ldap requires some certain libs on Your system, so before installing
143 it check that You have at least `openldap`, and `sasl` libraries.
143 it check that You have at least `openldap`, and `sasl` libraries.
144
144
145 ldap settings are located in admin->ldap section,
145 LDAP settings are located in admin->ldap section,
146
147 This is a typical LDAP setup::
148
149 Connection settings
150 Enable LDAP = checked
151 Host = host.example.org
152 Port = 389
153 Account = <account>
154 Password = <password>
155 Enable LDAPS = checked
156 Certificate Checks = DEMAND
157
158 Search settings
159 Base DN = CN=users,DC=host,DC=example,DC=org
160 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
161 LDAP Search Scope = SUBTREE
146
162
147 Here's a typical ldap setup::
163 Attribute mappings
164 Login Attribute = uid
165 First Name Attribute = firstName
166 Last Name Attribute = lastName
167 E-mail Attribute = mail
168
169 .. _enable_ldap:
170
171 Enable LDAP : required
172 Whether to use LDAP for authenticating users.
173
174 .. _ldap_host:
175
176 Host : required
177 LDAP server hostname or IP address.
178
179 .. _Port:
180
181 Port : required
182 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
183
184 .. _ldap_account:
148
185
149 Enable ldap = checked #controls if ldap access is enabled
186 Account : optional
150 Host = host.domain.org #actual ldap server to connect
187 Only required if the LDAP server does not allow anonymous browsing of
151 Port = 389 or 689 for ldaps #ldap server ports
188 records. This should be a special account for record browsing. This
152 Enable LDAPS = unchecked #enable disable ldaps
189 will require `LDAP Password`_ below.
153 Account = <account> #access for ldap server(if required)
190
154 Password = <password> #password for ldap server(if required)
191 .. _LDAP Password:
155 Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org
192
193 Password : optional
194 Only required if the LDAP server does not allow anonymous browsing of
195 records.
196
197 .. _Enable LDAPS:
198
199 Enable LDAPS : optional
200 Check this if SSL encryption is necessary for communication with the
201 LDAP server - it will likely require `Port`_ to be set to a different
202 value (standard LDAPS port is 636). When LDAPS is enabled then
203 `Certificate Checks`_ is required.
204
205 .. _Certificate Checks:
156
206
207 Certificate Checks : optional
208 How SSL certificates verification is handled - this is only useful when
209 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while
210 the other options are susceptible to man-in-the-middle attacks. SSL
211 certificates can be installed to /etc/openldap/cacerts so that the
212 DEMAND or HARD options can be used with self-signed certificates or
213 certificates that do not have traceable certificates of authority.
157
214
158 `Account` and `Password` are optional, and used for two-phase ldap
215 NEVER
159 authentication so those are credentials to access Your ldap, if it doesn't
216 A serve certificate will never be requested or checked.
160 support anonymous search/user lookups.
217
218 ALLOW
219 A server certificate is requested. Failure to provide a
220 certificate or providing a bad certificate will not terminate the
221 session.
222
223 TRY
224 A server certificate is requested. Failure to provide a
225 certificate does not halt the session; providing a bad certificate
226 halts the session.
227
228 DEMAND
229 A server certificate is requested and must be provided and
230 authenticated for the session to proceed.
161
231
162 Base DN must have %(user)s template inside, it's a placer where Your uid used
232 HARD
163 to login would go, it allows admins to specify not standard schema for uid
233 The same as DEMAND.
164 variable
234
235 .. _Base DN:
236
237 Base DN : required
238 The Distinguished Name (DN) where searches for users will be performed.
239 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
240
241 .. _LDAP Filter:
242
243 LDAP Filter : optional
244 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
245 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
246 which LDAP objects are identified as representing Users for
247 authentication. The filter is augmented by `Login Attribute`_ below.
248 This can commonly be left blank.
249
250 .. _LDAP Search Scope:
251
252 LDAP Search Scope : required
253 This limits how far LDAP will search for a matching object.
254
255 BASE
256 Only allows searching of `Base DN`_ and is usually not what you
257 want.
258
259 ONELEVEL
260 Searches all entries under `Base DN`_, but not Base DN itself.
261
262 SUBTREE
263 Searches all entries below `Base DN`_, but not Base DN itself.
264 When using SUBTREE `LDAP Filter`_ is useful to limit object
265 location.
266
267 .. _Login Attribute:
165
268
166 If all data are entered correctly, and `python-ldap` is properly installed
269 Login Attribute : required
167 Users should be granted to access RhodeCode wit ldap accounts. When
270 The LDAP record attribute that will be matched as the USERNAME or
168 logging at the first time an special ldap account is created inside RhodeCode,
271 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
169 so You can control over permissions even on ldap users. If such user exists
272 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
170 already in RhodeCode database ldap user with the same username would be not
273 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
171 able to access RhodeCode.
274 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
275 ::
276
277 (&(LDAPFILTER)(uid=jsmith))
278
279 .. _ldap_attr_firstname:
280
281 First Name Attribute : required
282 The LDAP record attribute which represents the user's first name.
283
284 .. _ldap_attr_lastname:
285
286 Last Name Attribute : required
287 The LDAP record attribute which represents the user's last name.
288
289 .. _ldap_attr_email:
290
291 Email Attribute : required
292 The LDAP record attribute which represents the user's email address.
172
293
173 If You have problems with ldap access and believe You entered correct
294 If all data are entered correctly, and python-ldap_ is properly installed
174 information check out the RhodeCode logs,any error messages sent from
295 users should be granted access to RhodeCode with ldap accounts. At this
175 ldap will be saved there.
296 time user information is copied from LDAP into the RhodeCode user database.
297 This means that updates of an LDAP user object may not be reflected as a
298 user update in RhodeCode.
299
300 If You have problems with LDAP access and believe You entered correct
301 information check out the RhodeCode logs, any error messages sent from LDAP
302 will be saved there.
303
304 Active Directory
305 ''''''''''''''''
176
306
307 RhodeCode can use Microsoft Active Directory for user authentication. This
308 is done through an LDAP or LDAPS connection to Active Directory. The
309 following LDAP configuration settings are typical for using Active
310 Directory ::
177
311
312 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
313 Login Attribute = sAMAccountName
314 First Name Attribute = givenName
315 Last Name Attribute = sn
316 E-mail Attribute = mail
317
318 All other LDAP settings will likely be site-specific and should be
319 appropriately configured.
178
320
179 Setting Up Celery
321 Setting Up Celery
180 -----------------
322 -----------------
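Review bot: the ONELEVEL and SUBTREE entries on lines 259-263 describe the same thing ("all entries under/below Base DN, but not Base DN itself"), so a reader cannot tell them apart; ONELEVEL should say it searches only the immediate children of `Base DN`_, and SUBTREE should say it searches `Base DN`_ and every entry beneath it at any depth, which is also why the text then says `LDAP Filter`_ matters for SUBTREE. Two smaller points in the same hunk: line 216 has "A serve certificate" for "server", and the example on line 167 uses "E-mail Attribute" while the heading on line 291 uses "Email Attribute"; pick one spelling so the setting name is greppable. The NEVER/ALLOW/TRY text correctly flags those modes as open to man-in-the-middle, so it would help to state on line 156 that DEMAND in the "typical" block is the recommended value, not just an example.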
@@ -326,4 +468,5 b' Troubleshooting'
326 .. _python: http://www.python.org/
468 .. _python: http://www.python.org/
327 .. _mercurial: http://mercurial.selenic.com/
469 .. _mercurial: http://mercurial.selenic.com/
328 .. _celery: http://celeryproject.org/
470 .. _celery: http://celeryproject.org/
329 .. _rabbitmq: http://www.rabbitmq.com/ No newline at end of file
471 .. _rabbitmq: http://www.rabbitmq.com/
472 .. _python-ldap: http://www.python-ldap.org/
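Review bot: the new `.. _python-ldap:` target on line 472 must match the `python-ldap_` references introduced on lines 130 and 294 character for character, which it does; restoring the trailing newline on the rabbitmq line also clears the "No newline at end of file" noise from future diffs.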