Update documentation for LDAP settings (and add Active Directory information).
Thayne Harbaugh -
r992:c03d1678 issue-108
@@ -127,7 +127,7 b' Setting up LDAP support'
127 127 -----------------------
128 128
129 129 RhodeCode starting from version 1.1 supports ldap authentication. In order
130 to use ldap, You have to install python-ldap package. This package is available
130 to use LDAP, You have to install python-ldap_ package. This package is available
131 131 via pypi, so You can install it by running
132 132
133 133 ::
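Review bot: the reworded sentence still capitalises "You" mid-sentence and drops the article; "to use LDAP, you have to install the python-ldap_ package" reads better and matches the rest of the paragraph. The `python-ldap_` reference introduced here only resolves because the matching `.. _python-ldap:` target is added at the bottom of the file in the last hunk, so the two hunks must land together.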
@@ -142,39 +142,181 b' via pypi, so You can install it by runni'
142 142 python-ldap requires some certain libs on Your system, so before installing
143 143 it check that You have at least `openldap`, and `sasl` libraries.
144 144
145 ldap settings are located in admin->ldap section,
145 LDAP settings are located in admin->ldap section,
146
147 This is a typical LDAP setup::
148
149 Connection settings
150 Enable LDAP = checked
151 Host = host.example.org
152 Port = 389
153 Account = <account>
154 Password = <password>
155 Enable LDAPS = checked
156 Certificate Checks = DEMAND
157
158 Search settings
159 Base DN = CN=users,DC=host,DC=example,DC=org
160 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
161 LDAP Search Scope = SUBTREE
146 162
147 Here's a typical ldap setup::
163 Attribute mappings
164 Login Attribute = uid
165 First Name Attribute = firstName
166 Last Name Attribute = lastName
167 E-mail Attribute = mail
168
169 .. _enable_ldap:
170
171 Enable LDAP : required
172 Whether to use LDAP for authenticating users.
173
174 .. _ldap_host:
175
176 Host : required
177 LDAP server hostname or IP address.
178
179 .. _Port:
180
181 Port : required
182 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
183
184 .. _ldap_account:
148 185
149 Enable ldap = checked #controls if ldap access is enabled
150 Host = host.domain.org #actual ldap server to connect
151 Port = 389 or 689 for ldaps #ldap server ports
152 Enable LDAPS = unchecked #enable disable ldaps
153 Account = <account> #access for ldap server(if required)
154 Password = <password> #password for ldap server(if required)
155 Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org
156
186 Account : optional
187 Only required if the LDAP server does not allow anonymous browsing of
188 records. This should be a special account for record browsing. This
189 will require `LDAP Password`_ below.
190
191 .. _LDAP Password:
192
193 Password : optional
194 Only required if the LDAP server does not allow anonymous browsing of
195 records.
196
197 .. _Enable LDAPS:
198
199 Enable LDAPS : optional
200 Check this if SSL encryption is necessary for communication with the
201 LDAP server - it will likely require `Port`_ to be set to a different
202 value (standard LDAPS port is 636). When LDAPS is enabled then
203 `Certificate Checks`_ is required.
204
205 .. _Certificate Checks:
157 206
158 `Account` and `Password` are optional, and used for two-phase ldap
159 authentication so those are credentials to access Your ldap, if it doesn't
160 support anonymous search/user lookups.
207 Certificate Checks : optional
208 How SSL certificates verification is handled - this is only useful when
209 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while
210 the other options are susceptible to man-in-the-middle attacks. SSL
211 certificates can be installed to /etc/openldap/cacerts so that the
212 DEMAND or HARD options can be used with self-signed certificates or
213 certificates that do not have traceable certificates of authority.
214
215 NEVER
216 A serve certificate will never be requested or checked.
217
218 ALLOW
219 A server certificate is requested. Failure to provide a
220 certificate or providing a bad certificate will not terminate the
221 session.
222
223 TRY
224 A server certificate is requested. Failure to provide a
225 certificate does not halt the session; providing a bad certificate
226 halts the session.
227
228 DEMAND
229 A server certificate is requested and must be provided and
230 authenticated for the session to proceed.
161 231
162 Base DN must have %(user)s template inside, it's a placer where Your uid used
163 to login would go, it allows admins to specify not standard schema for uid
164 variable
232 HARD
233 The same as DEMAND.
234
235 .. _Base DN:
236
237 Base DN : required
238 The Distinguished Name (DN) where searches for users will be performed.
239 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
240
241 .. _LDAP Filter:
242
243 LDAP Filter : optional
244 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
245 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
246 which LDAP objects are identified as representing Users for
247 authentication. The filter is augmented by `Login Attribute`_ below.
248 This can commonly be left blank.
249
250 .. _LDAP Search Scope:
251
252 LDAP Search Scope : required
253 This limits how far LDAP will search for a matching object.
254
255 BASE
256 Only allows searching of `Base DN`_ and is usually not what you
257 want.
258
259 ONELEVEL
260 Searches all entries under `Base DN`_, but not Base DN itself.
261
262 SUBTREE
263 Searches all entries below `Base DN`_, but not Base DN itself.
264 When using SUBTREE `LDAP Filter`_ is useful to limit object
265 location.
266
267 .. _Login Attribute:
165 268
166 If all data are entered correctly, and `python-ldap` is properly installed
167 Users should be granted to access RhodeCode wit ldap accounts. When
168 logging at the first time an special ldap account is created inside RhodeCode,
169 so You can control over permissions even on ldap users. If such user exists
170 already in RhodeCode database ldap user with the same username would be not
171 able to access RhodeCode.
269 Login Attribute : required
270 The LDAP record attribute that will be matched as the USERNAME or
271 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
272 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
273 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
274 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
275 ::
276
277 (&(LDAPFILTER)(uid=jsmith))
278
279 .. _ldap_attr_firstname:
280
281 First Name Attribute : required
282 The LDAP record attribute which represents the user's first name.
283
284 .. _ldap_attr_lastname:
285
286 Last Name Attribute : required
287 The LDAP record attribute which represents the user's last name.
288
289 .. _ldap_attr_email:
290
291 Email Attribute : required
292 The LDAP record attribute which represents the user's email address.
172 293
173 If You have problems with ldap access and believe You entered correct
174 information check out the RhodeCode logs,any error messages sent from
175 ldap will be saved there.
294 If all data are entered correctly, and python-ldap_ is properly installed
295 users should be granted access to RhodeCode with ldap accounts. At this
296 time user information is copied from LDAP into the RhodeCode user database.
297 This means that updates of an LDAP user object may not be reflected as a
298 user update in RhodeCode.
299
300 If You have problems with LDAP access and believe You entered correct
301 information check out the RhodeCode logs, any error messages sent from LDAP
302 will be saved there.
303
304 Active Directory
305 ''''''''''''''''
176 306
307 RhodeCode can use Microsoft Active Directory for user authentication. This
308 is done through an LDAP or LDAPS connection to Active Directory. The
309 following LDAP configuration settings are typical for using Active
310 Directory ::
177 311
312 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
313 Login Attribute = sAMAccountName
314 First Name Attribute = givenName
315 Last Name Attribute = sn
316 E-mail Attribute = mail
317
318 All other LDAP settings will likely be site-specific and should be
319 appropriately configured.
178 320
179 321 Setting Up Celery
180 322 -----------------
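Review bot: the "typical LDAP setup" example is internally inconsistent: it has `Enable LDAPS = checked` and `Certificate Checks = DEMAND` but keeps `Port = 389`, while the Port entry added below says 636 is the SSL-encrypted port. Either change the example to `Port = 636` or uncheck LDAPS in it; as written, a reader copying it points an LDAPS expectation at the plaintext port, and the same hunk correctly states that only DEMAND or HARD protect against man-in-the-middle. Smaller points in the same hunk: the ONELEVEL and SUBTREE descriptions are nearly identical ("all entries under/below Base DN, but not Base DN itself"); ONELEVEL should say immediate children of the Base DN only, and SUBTREE includes the Base DN entry itself plus all descendants. "A serve certificate" under NEVER should be "A server certificate". RFC 2254 has been obsoleted by RFC 4515 for filter syntax. The Login Attribute text shows the typed username spliced into the filter as `(&(LDAPFILTER)(uid=jsmith))`; the doc should state that the login value is escaped (python-ldap provides ldap.filter.escape_filter_chars) before interpolation, otherwise `*`, `(`, `)` and `\` in a submitted username change the filter's meaning. The Active Directory example Base DN `OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local` looks like a copied site value; an `example`-style DN would be safer, and the AD section should say that Account and Password are normally required there because anonymous searches are not permitted by default. Finally, the removed paragraph documented that an LDAP user whose username already exists in the RhodeCode database cannot log in; the replacement text drops that behaviour without saying whether it still holds, and it should be restated or the change called out.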
@@ -326,4 +468,5 b' Troubleshooting'
326 468 .. _python: http://www.python.org/
327 469 .. _mercurial: http://mercurial.selenic.com/
328 470 .. _celery: http://celeryproject.org/
329 .. _rabbitmq: http://www.rabbitmq.com/ No newline at end of file
471 .. _rabbitmq: http://www.rabbitmq.com/
472 .. _python-ldap: http://www.python-ldap.org/