@@ -127,7 +127,7 b' Setting up LDAP support' | |||
|
127 | 127 | ----------------------- |
|
128 | 128 | |
|
129 | 129 | RhodeCode starting from version 1.1 supports ldap authentication. In order |
|
130 |
to use |
|
|
130 | to use LDAP, You have to install python-ldap_ package. This package is available | |
|
131 | 131 | via pypi, so You can install it by running |
|
132 | 132 | |
|
133 | 133 | :: |
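Review bot: The rewrapped sentence on new line 130 drops the article before the package name; it should read "to use LDAP, you have to install the python-ldap_ package". While touching this line, the capitalised "You" (repeated at lines 131, 142 and 143 of this hunk and throughout the next) is unidiomatic in English documentation and should be lowercase. The new `python-ldap_` reference only resolves if the target added at the end of the file lands in the same change, which it does here.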
@@ -142,39 +142,181 b' via pypi, so You can install it by runni' | |||
|
142 | 142 | python-ldap requires some certain libs on Your system, so before installing |
|
143 | 143 | it check that You have at least `openldap`, and `sasl` libraries. |
|
144 | 144 | |
|
145 |
|
|
|
145 | LDAP settings are located in admin->ldap section, | |
|
146 | ||
|
147 | This is a typical LDAP setup:: | |
|
148 | ||
|
149 | Connection settings | |
|
150 | Enable LDAP = checked | |
|
151 | Host = host.example.org | |
|
152 | Port = 389 | |
|
153 | Account = <account> | |
|
154 | Password = <password> | |
|
155 | Enable LDAPS = checked | |
|
156 | Certificate Checks = DEMAND | |
|
157 | ||
|
158 | Search settings | |
|
159 | Base DN = CN=users,DC=host,DC=example,DC=org | |
|
160 | LDAP Filter = (&(objectClass=user)(!(objectClass=computer))) | |
|
161 | LDAP Search Scope = SUBTREE | |
|
146 | 162 |
|
|
147 | Here's a typical ldap setup:: | |
|
163 | Attribute mappings | |
|
164 | Login Attribute = uid | |
|
165 | First Name Attribute = firstName | |
|
166 | Last Name Attribute = lastName | |
|
167 | E-mail Attribute = mail | |
|
168 | ||
|
169 | .. _enable_ldap: | |
|
170 | ||
|
171 | Enable LDAP : required | |
|
172 | Whether to use LDAP for authenticating users. | |
|
173 | ||
|
174 | .. _ldap_host: | |
|
175 | ||
|
176 | Host : required | |
|
177 | LDAP server hostname or IP address. | |
|
178 | ||
|
179 | .. _Port: | |
|
180 | ||
|
181 | Port : required | |
|
182 | 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP. | |
|
183 | ||
|
184 | .. _ldap_account: | |
|
148 | 185 | |
|
149 | Enable ldap = checked #controls if ldap access is enabled | |
|
150 | Host = host.domain.org #actual ldap server to connect | |
|
151 | Port = 389 or 689 for ldaps #ldap server ports | |
|
152 | Enable LDAPS = unchecked #enable disable ldaps | |
|
153 | Account = <account> #access for ldap server(if required) | |
|
154 | Password = <password> #password for ldap server(if required) | |
|
155 | Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org | |
|
156 | ||
|
186 | Account : optional | |
|
187 | Only required if the LDAP server does not allow anonymous browsing of | |
|
188 | records. This should be a special account for record browsing. This | |
|
189 | will require `LDAP Password`_ below. | |
|
190 | ||
|
191 | .. _LDAP Password: | |
|
192 | ||
|
193 | Password : optional | |
|
194 | Only required if the LDAP server does not allow anonymous browsing of | |
|
195 | records. | |
|
196 | ||
|
197 | .. _Enable LDAPS: | |
|
198 | ||
|
199 | Enable LDAPS : optional | |
|
200 | Check this if SSL encryption is necessary for communication with the | |
|
201 | LDAP server - it will likely require `Port`_ to be set to a different | |
|
202 | value (standard LDAPS port is 636). When LDAPS is enabled then | |
|
203 | `Certificate Checks`_ is required. | |
|
204 | ||
|
205 | .. _Certificate Checks: | |
|
157 | 206 | |
|
158 | `Account` and `Password` are optional, and used for two-phase ldap | |
|
159 | authentication so those are credentials to access Your ldap, if it doesn't | |
|
160 | support anonymous search/user lookups. | |
|
207 | Certificate Checks : optional | |
|
208 | How SSL certificates verification is handled - this is only useful when | |
|
209 | `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while | |
|
210 | the other options are susceptible to man-in-the-middle attacks. SSL | |
|
211 | certificates can be installed to /etc/openldap/cacerts so that the | |
|
212 | DEMAND or HARD options can be used with self-signed certificates or | |
|
213 | certificates that do not have traceable certificates of authority. | |
|
214 | ||
|
215 | NEVER | |
|
216 | A serve certificate will never be requested or checked. | |
|
217 | ||
|
218 | ALLOW | |
|
219 | A server certificate is requested. Failure to provide a | |
|
220 | certificate or providing a bad certificate will not terminate the | |
|
221 | session. | |
|
222 | ||
|
223 | TRY | |
|
224 | A server certificate is requested. Failure to provide a | |
|
225 | certificate does not halt the session; providing a bad certificate | |
|
226 | halts the session. | |
|
227 | ||
|
228 | DEMAND | |
|
229 | A server certificate is requested and must be provided and | |
|
230 | authenticated for the session to proceed. | |
|
161 | 231 | |
|
162 | Base DN must have %(user)s template inside, it's a placer where Your uid used | |
|
163 | to login would go, it allows admins to specify not standard schema for uid | |
|
164 | variable | |
|
232 | HARD | |
|
233 | The same as DEMAND. | |
|
234 | ||
|
235 | .. _Base DN: | |
|
236 | ||
|
237 | Base DN : required | |
|
238 | The Distinguished Name (DN) where searches for users will be performed. | |
|
239 | Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_. | |
|
240 | ||
|
241 | .. _LDAP Filter: | |
|
242 | ||
|
243 | LDAP Filter : optional | |
|
244 | A LDAP filter defined by RFC 2254. This is more useful when `LDAP | |
|
245 | Search Scope`_ is set to SUBTREE. The filter is useful for limiting | |
|
246 | which LDAP objects are identified as representing Users for | |
|
247 | authentication. The filter is augmented by `Login Attribute`_ below. | |
|
248 | This can commonly be left blank. | |
|
249 | ||
|
250 | .. _LDAP Search Scope: | |
|
251 | ||
|
252 | LDAP Search Scope : required | |
|
253 | This limits how far LDAP will search for a matching object. | |
|
254 | ||
|
255 | BASE | |
|
256 | Only allows searching of `Base DN`_ and is usually not what you | |
|
257 | want. | |
|
258 | ||
|
259 | ONELEVEL | |
|
260 | Searches all entries under `Base DN`_, but not Base DN itself. | |
|
261 | ||
|
262 | SUBTREE | |
|
263 | Searches all entries below `Base DN`_, but not Base DN itself. | |
|
264 | When using SUBTREE `LDAP Filter`_ is useful to limit object | |
|
265 | location. | |
|
266 | ||
|
267 | .. _Login Attribute: | |
|
165 | 268 | |
|
166 | If all data are entered correctly, and `python-ldap` is properly installed | |
|
167 | Users should be granted to access RhodeCode wit ldap accounts. When | |
|
168 | logging at the first time an special ldap account is created inside RhodeCode, | |
|
169 | so You can control over permissions even on ldap users. If such user exists | |
|
170 | already in RhodeCode database ldap user with the same username would be not | |
|
171 | able to access RhodeCode. | |
|
269 | Login Attribute : required | |
|
270 | The LDAP record attribute that will be matched as the USERNAME or | |
|
271 | ACCOUNT used to connect to RhodeCode. This will be added to `LDAP | |
|
272 | Filter`_ for locating the User object. If `LDAP Filter`_ is specified as | |
|
273 | "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has | |
|
274 | connected as "jsmith" then the `LDAP Filter`_ will be augmented as below | |
|
275 | :: | |
|
276 | ||
|
277 | (&(LDAPFILTER)(uid=jsmith)) | |
|
278 | ||
|
279 | .. _ldap_attr_firstname: | |
|
280 | ||
|
281 | First Name Attribute : required | |
|
282 | The LDAP record attribute which represents the user's first name. | |
|
283 | ||
|
284 | .. _ldap_attr_lastname: | |
|
285 | ||
|
286 | Last Name Attribute : required | |
|
287 | The LDAP record attribute which represents the user's last name. | |
|
288 | ||
|
289 | .. _ldap_attr_email: | |
|
290 | ||
|
291 | Email Attribute : required | |
|
292 | The LDAP record attribute which represents the user's email address. | |
|
172 | 293 | |
|
173 | If You have problems with ldap access and believe You entered correct | |
|
174 | information check out the RhodeCode logs,any error messages sent from | |
|
175 | ldap will be saved there. | |
|
294 | If all data are entered correctly, and python-ldap_ is properly installed | |
|
295 | users should be granted access to RhodeCode with ldap accounts. At this | |
|
296 | time user information is copied from LDAP into the RhodeCode user database. | |
|
297 | This means that updates of an LDAP user object may not be reflected as a | |
|
298 | user update in RhodeCode. | |
|
299 | ||
|
300 | If You have problems with LDAP access and believe You entered correct | |
|
301 | information check out the RhodeCode logs, any error messages sent from LDAP | |
|
302 | will be saved there. | |
|
303 | ||
|
304 | Active Directory | |
|
305 | '''''''''''''''' | |
|
176 | 306 | |
|
307 | RhodeCode can use Microsoft Active Directory for user authentication. This | |
|
308 | is done through an LDAP or LDAPS connection to Active Directory. The | |
|
309 | following LDAP configuration settings are typical for using Active | |
|
310 | Directory :: | |
|
177 | 311 |
|
|
312 | Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local | |
|
313 | Login Attribute = sAMAccountName | |
|
314 | First Name Attribute = givenName | |
|
315 | Last Name Attribute = sn | |
|
316 | E-mail Attribute = mail | |
|
317 | ||
|
318 | All other LDAP settings will likely be site-specific and should be | |
|
319 | appropriately configured. | |
|
178 | 320 | |
|
179 | 321 | Setting Up Celery |
|
180 | 322 | ----------------- |
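Review bot: The LDAP Search Scope descriptions at lines 260 and 263 are wrong for SUBTREE and make ONELEVEL and SUBTREE read as the same thing: in LDAP (RFC 4511) a subtree search covers the base entry itself and every entry at any depth below it, while ONELEVEL returns only the immediate children. Suggest "SUBTREE: Searches Base DN itself and all entries at any depth below it." Further points in this hunk: line 216 "A serve certificate" should be "A server certificate"; line 244 "A LDAP filter" should be "An LDAP filter", and RFC 2254 has been obsoleted by RFC 4515; line 291 says "Email Attribute" while the example at line 167 says "E-mail Attribute", so pick one. The certificate-store path `/etc/openldap/cacerts` at line 211 is distribution-specific (libldap takes the CA location from TLS_CACERT / TLS_CACERTDIR in its ldap.conf), so point at that setting rather than naming one path, and since lines 209-210 already say NEVER, ALLOW and TRY are susceptible to man-in-the-middle attacks, state plainly that DEMAND (the value used in the example at line 156) is the one to keep for production. The Login Attribute example at line 277 shows `(&(LDAPFILTER)(uid=jsmith))`, but line 248 says the filter can be left blank; document what filter is sent in that case. Finally, the removed text (old lines 155 and 162-164) required `%(user)s` in Base DN, and old lines 169-171 stated that an existing RhodeCode account with the same username blocks the LDAP user; the new text says nothing about either, so add a note on whether existing `%(user)s` configurations still work after upgrading and restore the username-collision statement.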
@@ -326,4 +468,5 b' Troubleshooting' | |||
|
326 | 468 | .. _python: http://www.python.org/ |
|
327 | 469 | .. _mercurial: http://mercurial.selenic.com/ |
|
328 | 470 | .. _celery: http://celeryproject.org/ |
|
329 | .. _rabbitmq: http://www.rabbitmq.com/ No newline at end of file | |
|
471 | .. _rabbitmq: http://www.rabbitmq.com/ | |
|
472 | .. _python-ldap: http://www.python-ldap.org/ |
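Review bot: The new `python-ldap_` target at line 472 resolves the references added earlier in this change, and fixing the missing trailing newline at line 471 is welcome; as a style point, the targets are now in no particular order, so consider keeping the list alphabetical so that future additions and duplicates are easy to spot.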