##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

Update documentation for LDAP settings (and add Active Directory information).
Thayne Harbaugh -
r992:c03d1678 issue-108
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,329 +1,472 b''
1 1 .. _setup:
2 2
3 3 Setup
4 4 =====
5 5
6 6
7 7 Setting up the application
8 8 --------------------------
9 9
10 10 First You'll ned to create RhodeCode config file. Run the following command
11 11 to do this
12 12
13 13 ::
14 14
15 15 paster make-config RhodeCode production.ini
16 16
17 17 - This will create `production.ini` config inside the directory
18 18 this config contains various settings for RhodeCode, e.g proxy port,
19 19 email settings, usage of static files, cache, celery settings and logging.
20 20
21 21
22 22
23 23 Next we need to create the database.
24 24
25 25 ::
26 26
27 27 paster setup-app production.ini
28 28
29 29 - This command will create all needed tables and an admin account.
30 30 When asked for a path You can either use a new location of one with already
31 31 existing ones. RhodeCode will simply add all new found repositories to
32 32 it's database. Also make sure You specify correct path to repositories.
33 33 - Remember that the given path for mercurial_ repositories must be write
34 34 accessible for the application. It's very important since RhodeCode web
35 35 interface will work even without such an access but, when trying to do a
36 36 push it'll eventually fail with permission denied errors.
37 37
38 38 You are ready to use rhodecode, to run it simply execute
39 39
40 40 ::
41 41
42 42 paster serve production.ini
43 43
44 44 - This command runs the RhodeCode server the app should be available at the
45 45 127.0.0.1:5000. This ip and port is configurable via the production.ini
46 46 file created in previous step
47 47 - Use admin account you created to login.
48 48 - Default permissions on each repository is read, and owner is admin. So
49 49 remember to update these if needed. In the admin panel You can toggle ldap,
50 50 anonymous, permissions settings. As well as edit more advanced options on
51 51 users and repositories
52 52
53 53 Using RhodeCode with SSH
54 54 ------------------------
55 55
56 56 RhodeCode repository structures are kept in directories with the same name
57 57 as the project, when using repository groups, each group is a a subdirectory.
58 58 This will allow You to use ssh for accessing repositories quite easy. There
59 59 are some exceptions when using ssh for accessing repositories.
60 60
61 61 You have to make sure that the webserver as well as the ssh users have unix
62 62 permission for directories. Secondly when using ssh rhodecode will not
63 63 authenticate those requests and permissions set by the web interface will not
64 64 work on the repositories accessed via ssh. There is a solution to this to use
65 65 auth hooks, that connects to rhodecode db, and runs check functions for
66 66 permissions.
67 67
68 68 TODO: post more info on this !
69 69
70 70 if Your main directory (the same as set in RhodeCode settings) is set to
71 71 for example `\home\hg` and repository You are using is `rhodecode`
72 72
73 73 The command runned should look like this::
74 74 hg clone ssh://user@server.com/home/hg/rhodecode
75 75
76 76 Using external tools such as mercurial server or using ssh key based auth is
77 77 fully supported.
78 78
79 79 Setting up Whoosh full text search
80 80 ----------------------------------
81 81
82 82 Starting from version 1.1 whoosh index can be build using paster command.
83 83 You have to specify the config file that stores location of index, and
84 84 location of repositories (`--repo-location`). Starting from version 1.2 it is
85 85 also possible to specify a comma separated list of repositories (`--index-only`)
86 86 to build index only on chooses repositories skipping any other found in repos
87 87 location
88 88
89 89 There is possible also to pass `-f` to the options
90 90 to enable full index rebuild. Without that indexing will run always in in
91 91 incremental mode.
92 92
93 93 incremental mode::
94 94
95 95 paster make-index production.ini --repo-location=<location for repos>
96 96
97 97
98 98
99 99 for full index rebuild You can use::
100 100
101 101 paster make-index production.ini -f --repo-location=<location for repos>
102 102
103 103
104 104 building index just for chosen repositories is possible with such command::
105 105
106 106 paster make-index production.ini --repo-location=<location for repos> --index-only=vcs,rhodecode
107 107
108 108
109 109 In order to do periodical index builds and keep Your index always up to date.
110 110 It's recommended to do a crontab entry for incremental indexing.
111 111 An example entry might look like this
112 112
113 113 ::
114 114
115 115 /path/to/python/bin/paster /path/to/rhodecode/production.ini --repo-location=<location for repos>
116 116
117 117 When using incremental (default) mode whoosh will check last modification date
118 118 of each file and add it to reindex if newer file is available. Also indexing
119 119 daemon checks for removed files and removes them from index.
120 120
121 121 Sometime You might want to rebuild index from scratch. You can do that using
122 122 the `-f` flag passed to paster command or, in admin panel You can check
123 123 `build from scratch` flag.
124 124
125 125
126 126 Setting up LDAP support
127 127 -----------------------
128 128
129 129 RhodeCode starting from version 1.1 supports ldap authentication. In order
130 to use ldap, You have to install python-ldap package. This package is available
130 to use LDAP, You have to install python-ldap_ package. This package is available
131 131 via pypi, so You can install it by running
132 132
133 133 ::
134 134
135 135 easy_install python-ldap
136 136
137 137 ::
138 138
139 139 pip install python-ldap
140 140
141 141 .. note::
142 142 python-ldap requires some certain libs on Your system, so before installing
143 143 it check that You have at least `openldap`, and `sasl` libraries.
144 144
145 ldap settings are located in admin->ldap section,
145 LDAP settings are located in admin->ldap section,
146
147 This is a typical LDAP setup::
148
149 Connection settings
150 Enable LDAP = checked
151 Host = host.example.org
152 Port = 389
153 Account = <account>
154 Password = <password>
155 Enable LDAPS = checked
156 Certificate Checks = DEMAND
157
158 Search settings
159 Base DN = CN=users,DC=host,DC=example,DC=org
160 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
161 LDAP Search Scope = SUBTREE
146 162
147 Here's a typical ldap setup::
163 Attribute mappings
164 Login Attribute = uid
165 First Name Attribute = firstName
166 Last Name Attribute = lastName
167 E-mail Attribute = mail
168
169 .. _enable_ldap:
170
171 Enable LDAP : required
172 Whether to use LDAP for authenticating users.
173
174 .. _ldap_host:
175
176 Host : required
177 LDAP server hostname or IP address.
178
179 .. _Port:
180
181 Port : required
182 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
183
184 .. _ldap_account:
148 185
149 Enable ldap = checked #controls if ldap access is enabled
150 Host = host.domain.org #actual ldap server to connect
151 Port = 389 or 689 for ldaps #ldap server ports
152 Enable LDAPS = unchecked #enable disable ldaps
153 Account = <account> #access for ldap server(if required)
154 Password = <password> #password for ldap server(if required)
155 Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org
156
186 Account : optional
187 Only required if the LDAP server does not allow anonymous browsing of
188 records. This should be a special account for record browsing. This
189 will require `LDAP Password`_ below.
190
191 .. _LDAP Password:
192
193 Password : optional
194 Only required if the LDAP server does not allow anonymous browsing of
195 records.
196
197 .. _Enable LDAPS:
198
199 Enable LDAPS : optional
200 Check this if SSL encryption is necessary for communication with the
201 LDAP server - it will likely require `Port`_ to be set to a different
202 value (standard LDAPS port is 636). When LDAPS is enabled then
203 `Certificate Checks`_ is required.
204
205 .. _Certificate Checks:
157 206
158 `Account` and `Password` are optional, and used for two-phase ldap
159 authentication so those are credentials to access Your ldap, if it doesn't
160 support anonymous search/user lookups.
207 Certificate Checks : optional
208 How SSL certificates verification is handled - this is only useful when
209 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while
210 the other options are susceptible to man-in-the-middle attacks. SSL
211 certificates can be installed to /etc/openldap/cacerts so that the
212 DEMAND or HARD options can be used with self-signed certificates or
213 certificates that do not have traceable certificates of authority.
214
215 NEVER
216 A serve certificate will never be requested or checked.
217
218 ALLOW
219 A server certificate is requested. Failure to provide a
220 certificate or providing a bad certificate will not terminate the
221 session.
222
223 TRY
224 A server certificate is requested. Failure to provide a
225 certificate does not halt the session; providing a bad certificate
226 halts the session.
227
228 DEMAND
229 A server certificate is requested and must be provided and
230 authenticated for the session to proceed.
161 231
162 Base DN must have %(user)s template inside, it's a placer where Your uid used
163 to login would go, it allows admins to specify not standard schema for uid
164 variable
232 HARD
233 The same as DEMAND.
234
235 .. _Base DN:
236
237 Base DN : required
238 The Distinguished Name (DN) where searches for users will be performed.
239 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
240
241 .. _LDAP Filter:
242
243 LDAP Filter : optional
244 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
245 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
246 which LDAP objects are identified as representing Users for
247 authentication. The filter is augmented by `Login Attribute`_ below.
248 This can commonly be left blank.
249
250 .. _LDAP Search Scope:
251
252 LDAP Search Scope : required
253 This limits how far LDAP will search for a matching object.
254
255 BASE
256 Only allows searching of `Base DN`_ and is usually not what you
257 want.
258
259 ONELEVEL
260 Searches all entries under `Base DN`_, but not Base DN itself.
261
262 SUBTREE
263 Searches all entries below `Base DN`_, but not Base DN itself.
264 When using SUBTREE `LDAP Filter`_ is useful to limit object
265 location.
266
267 .. _Login Attribute:
165 268
166 If all data are entered correctly, and `python-ldap` is properly installed
167 Users should be granted to access RhodeCode wit ldap accounts. When
168 logging at the first time an special ldap account is created inside RhodeCode,
169 so You can control over permissions even on ldap users. If such user exists
170 already in RhodeCode database ldap user with the same username would be not
171 able to access RhodeCode.
269 Login Attribute : required
270 The LDAP record attribute that will be matched as the USERNAME or
271 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
272 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
273 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
274 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
275 ::
276
277 (&(LDAPFILTER)(uid=jsmith))
278
279 .. _ldap_attr_firstname:
280
281 First Name Attribute : required
282 The LDAP record attribute which represents the user's first name.
283
284 .. _ldap_attr_lastname:
285
286 Last Name Attribute : required
287 The LDAP record attribute which represents the user's last name.
288
289 .. _ldap_attr_email:
290
291 Email Attribute : required
292 The LDAP record attribute which represents the user's email address.
172 293
173 If You have problems with ldap access and believe You entered correct
174 information check out the RhodeCode logs,any error messages sent from
175 ldap will be saved there.
294 If all data are entered correctly, and python-ldap_ is properly installed
295 users should be granted access to RhodeCode with ldap accounts. At this
296 time user information is copied from LDAP into the RhodeCode user database.
297 This means that updates of an LDAP user object may not be reflected as a
298 user update in RhodeCode.
299
300 If You have problems with LDAP access and believe You entered correct
301 information check out the RhodeCode logs, any error messages sent from LDAP
302 will be saved there.
303
304 Active Directory
305 ''''''''''''''''
176 306
307 RhodeCode can use Microsoft Active Directory for user authentication. This
308 is done through an LDAP or LDAPS connection to Active Directory. The
309 following LDAP configuration settings are typical for using Active
310 Directory ::
177 311
312 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
313 Login Attribute = sAMAccountName
314 First Name Attribute = givenName
315 Last Name Attribute = sn
316 E-mail Attribute = mail
317
318 All other LDAP settings will likely be site-specific and should be
319 appropriately configured.
178 320
179 321 Setting Up Celery
180 322 -----------------
181 323
182 324 Since version 1.1 celery is configured by the rhodecode ini configuration files
183 325 simply set use_celery=true in the ini file then add / change the configuration
184 326 variables inside the ini file.
185 327
186 328 Remember that the ini files uses format with '.' not with '_' like celery
187 329 so for example setting `BROKER_HOST` in celery means setting `broker.host` in
188 330 the config file.
189 331
190 332 In order to make start using celery run::
191 333
192 334 paster celeryd <configfile.ini>
193 335
194 336
195 337
196 338 .. note::
197 339 Make sure You run this command from same virtualenv, and with the same user
198 340 that rhodecode runs.
199 341
200 342
201 343 Nginx virtual host example
202 344 --------------------------
203 345
204 346 Sample config for nginx using proxy::
205 347
206 348 server {
207 349 listen 80;
208 350 server_name hg.myserver.com;
209 351 access_log /var/log/nginx/rhodecode.access.log;
210 352 error_log /var/log/nginx/rhodecode.error.log;
211 353 location / {
212 354 root /var/www/rhodecode/rhodecode/public/;
213 355 if (!-f $request_filename){
214 356 proxy_pass http://127.0.0.1:5000;
215 357 }
216 358 #this is important if You want to use https !!!
217 359 proxy_set_header X-Url-Scheme $scheme;
218 360 include /etc/nginx/proxy.conf;
219 361 }
220 362 }
221 363
222 364 Here's the proxy.conf. It's tuned so it'll not timeout on long
223 365 pushes and also on large pushes::
224 366
225 367 proxy_redirect off;
226 368 proxy_set_header Host $host;
227 369 proxy_set_header X-Host $http_host;
228 370 proxy_set_header X-Real-IP $remote_addr;
229 371 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
230 372 proxy_set_header Proxy-host $proxy_host;
231 373 client_max_body_size 400m;
232 374 client_body_buffer_size 128k;
233 375 proxy_buffering off;
234 376 proxy_connect_timeout 3600;
235 377 proxy_send_timeout 3600;
236 378 proxy_read_timeout 3600;
237 379 proxy_buffer_size 16k;
238 380 proxy_buffers 4 16k;
239 381 proxy_busy_buffers_size 64k;
240 382 proxy_temp_file_write_size 64k;
241 383
242 384 Also when using root path with nginx You might set the static files to false
243 385 in production.ini file::
244 386
245 387 [app:main]
246 388 use = egg:rhodecode
247 389 full_stack = true
248 390 static_files = false
249 391 lang=en
250 392 cache_dir = %(here)s/data
251 393
252 394 To not have the statics served by the application. And improve speed.
253 395
254 396
255 397 Apache virtual host example
256 398 ---------------------------
257 399
258 400 Sample config for apache using proxy::
259 401
260 402 <VirtualHost *:80>
261 403 ServerName hg.myserver.com
262 404 ServerAlias hg.myserver.com
263 405
264 406 <Proxy *>
265 407 Order allow,deny
266 408 Allow from all
267 409 </Proxy>
268 410
269 411 #important !
270 412 #Directive to properly generate url (clone url) for pylons
271 413 ProxyPreserveHost On
272 414
273 415 #rhodecode instance
274 416 ProxyPass / http://127.0.0.1:5000/
275 417 ProxyPassReverse / http://127.0.0.1:5000/
276 418
277 419 #to enable https use line below
278 420 #SetEnvIf X-Url-Scheme https HTTPS=1
279 421
280 422 </VirtualHost>
281 423
282 424
283 425 Additional tutorial
284 426 http://wiki.pylonshq.com/display/pylonscookbook/Apache+as+a+reverse+proxy+for+Pylons
285 427
286 428
287 429 Apache's example FCGI config
288 430 ----------------------------
289 431
290 432 TODO !
291 433
292 434 Other configuration files
293 435 -------------------------
294 436
295 437 Some example init.d script can be found here, for debian and gentoo:
296 438
297 439 https://rhodeocode.org/rhodecode/files/tip/init.d
298 440
299 441
300 442 Troubleshooting
301 443 ---------------
302 444
303 445 - missing static files ?
304 446
305 447 - make sure either to set the `static_files = true` in the .ini file or
306 448 double check the root path for Your http setup. It should point to
307 449 for example:
308 450 /home/my-virtual-python/lib/python2.6/site-packages/rhodecode/public
309 451
310 452 - can't install celery/rabbitmq
311 453
312 454 - don't worry RhodeCode works without them too. No extra setup required
313 455
314 456 - long lasting push timeouts ?
315 457
316 458 - make sure You set a longer timeouts in Your proxy/fcgi settings, timeouts
317 459 are caused by https server and not RhodeCode
318 460
319 461 - large pushes timeouts ?
320 462
321 463 - make sure You set a proper max_body_size for the http server
322 464
323 465
324 466
325 467 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
326 468 .. _python: http://www.python.org/
327 469 .. _mercurial: http://mercurial.selenic.com/
328 470 .. _celery: http://celeryproject.org/
329 .. _rabbitmq: http://www.rabbitmq.com/ No newline at end of file
471 .. _rabbitmq: http://www.rabbitmq.com/
472 .. _python-ldap: http://www.python-ldap.org/
General Comments 0
You need to be logged in to leave comments. Login now