##// END OF EJS Templates
upstream » kallithea
RSS

Clone from https://kallithea-scm.org/repos/kallithea

auth: change default LDAP to LDAPS on port 636 - insecure authentication is kind of pointless...
Mads Kiilerich -
r6417:d0f6bd61 default
parent child Browse files
Show More
Show file before | Show file after | Hide comments
@@ -1,874 +1,874 b''
1 .. _setup:
1 .. _setup:
2
2
3 =====
3 =====
4 Setup
4 Setup
5 =====
5 =====
6
6
7
7
8 Setting up Kallithea
8 Setting up Kallithea
9 --------------------
9 --------------------
10
10
11 First, you will need to create a Kallithea configuration file. Run the
11 First, you will need to create a Kallithea configuration file. Run the
12 following command to do so::
12 following command to do so::
13
13
14 paster make-config Kallithea my.ini
14 paster make-config Kallithea my.ini
15
15
16 This will create the file ``my.ini`` in the current directory. This
16 This will create the file ``my.ini`` in the current directory. This
17 configuration file contains the various settings for Kallithea, e.g.
17 configuration file contains the various settings for Kallithea, e.g.
18 proxy port, email settings, usage of static files, cache, Celery
18 proxy port, email settings, usage of static files, cache, Celery
19 settings, and logging.
19 settings, and logging.
20
20
21 Next, you need to create the databases used by Kallithea. It is recommended to
21 Next, you need to create the databases used by Kallithea. It is recommended to
22 use PostgreSQL or SQLite (default). If you choose a database other than the
22 use PostgreSQL or SQLite (default). If you choose a database other than the
23 default, ensure you properly adjust the database URL in your ``my.ini``
23 default, ensure you properly adjust the database URL in your ``my.ini``
24 configuration file to use this other database. Kallithea currently supports
24 configuration file to use this other database. Kallithea currently supports
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
25 PostgreSQL, SQLite and MySQL databases. Create the database by running
26 the following command::
26 the following command::
27
27
28 paster setup-db my.ini
28 paster setup-db my.ini
29
29
30 This will prompt you for a "root" path. This "root" path is the location where
30 This will prompt you for a "root" path. This "root" path is the location where
31 Kallithea will store all of its repositories on the current machine. After
31 Kallithea will store all of its repositories on the current machine. After
32 entering this "root" path ``setup-db`` will also prompt you for a username
32 entering this "root" path ``setup-db`` will also prompt you for a username
33 and password for the initial admin account which ``setup-db`` sets
33 and password for the initial admin account which ``setup-db`` sets
34 up for you.
34 up for you.
35
35
36 The ``setup-db`` values can also be given on the command line.
36 The ``setup-db`` values can also be given on the command line.
37 Example::
37 Example::
38
38
39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
39 paster setup-db my.ini --user=nn --password=secret --email=nn@example.com --repos=/srv/repos
40
40
41 The ``setup-db`` command will create all needed tables and an
41 The ``setup-db`` command will create all needed tables and an
42 admin account. When choosing a root path you can either use a new
42 admin account. When choosing a root path you can either use a new
43 empty location, or a location which already contains existing
43 empty location, or a location which already contains existing
44 repositories. If you choose a location which contains existing
44 repositories. If you choose a location which contains existing
45 repositories Kallithea will add all of the repositories at the chosen
45 repositories Kallithea will add all of the repositories at the chosen
46 location to its database. (Note: make sure you specify the correct
46 location to its database. (Note: make sure you specify the correct
47 path to the root).
47 path to the root).
48
48
49 .. note:: the given path for Mercurial_ repositories **must** be write
49 .. note:: the given path for Mercurial_ repositories **must** be write
50 accessible for the application. It's very important since
50 accessible for the application. It's very important since
51 the Kallithea web interface will work without write access,
51 the Kallithea web interface will work without write access,
52 but when trying to do a push it will fail with permission
52 but when trying to do a push it will fail with permission
53 denied errors unless it has write access.
53 denied errors unless it has write access.
54
54
55 You are now ready to use Kallithea. To run it simply execute::
55 You are now ready to use Kallithea. To run it simply execute::
56
56
57 paster serve my.ini
57 paster serve my.ini
58
58
59 - This command runs the Kallithea server. The web app should be available at
59 - This command runs the Kallithea server. The web app should be available at
60 http://127.0.0.1:5000. The IP address and port is configurable via the
60 http://127.0.0.1:5000. The IP address and port is configurable via the
61 configuration file created in the previous step.
61 configuration file created in the previous step.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
62 - Log in to Kallithea using the admin account created when running ``setup-db``.
63 - The default permissions on each repository is read, and the owner is admin.
63 - The default permissions on each repository is read, and the owner is admin.
64 Remember to update these if needed.
64 Remember to update these if needed.
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
65 - In the admin panel you can toggle LDAP, anonymous, and permissions
66 settings, as well as edit more advanced options on users and
66 settings, as well as edit more advanced options on users and
67 repositories.
67 repositories.
68
68
69
69
70 Using Kallithea with SSH
70 Using Kallithea with SSH
71 ------------------------
71 ------------------------
72
72
73 Kallithea currently only hosts repositories using http and https. (The addition
73 Kallithea currently only hosts repositories using http and https. (The addition
74 of ssh hosting is a planned future feature.) However you can easily use ssh in
74 of ssh hosting is a planned future feature.) However you can easily use ssh in
75 parallel with Kallithea. (Repository access via ssh is a standard "out of
75 parallel with Kallithea. (Repository access via ssh is a standard "out of
76 the box" feature of Mercurial_ and you can use this to access any of the
76 the box" feature of Mercurial_ and you can use this to access any of the
77 repositories that Kallithea is hosting. See PublishingRepositories_)
77 repositories that Kallithea is hosting. See PublishingRepositories_)
78
78
79 Kallithea repository structures are kept in directories with the same name
79 Kallithea repository structures are kept in directories with the same name
80 as the project. When using repository groups, each group is a subdirectory.
80 as the project. When using repository groups, each group is a subdirectory.
81 This allows you to easily use ssh for accessing repositories.
81 This allows you to easily use ssh for accessing repositories.
82
82
83 In order to use ssh you need to make sure that your web server and the users'
83 In order to use ssh you need to make sure that your web server and the users'
84 login accounts have the correct permissions set on the appropriate directories.
84 login accounts have the correct permissions set on the appropriate directories.
85
85
86 .. note:: These permissions are independent of any permissions you
86 .. note:: These permissions are independent of any permissions you
87 have set up using the Kallithea web interface.
87 have set up using the Kallithea web interface.
88
88
89 If your main directory (the same as set in Kallithea settings) is for
89 If your main directory (the same as set in Kallithea settings) is for
90 example set to ``/srv/repos`` and the repository you are using is
90 example set to ``/srv/repos`` and the repository you are using is
91 named ``kallithea``, then to clone via ssh you should run::
91 named ``kallithea``, then to clone via ssh you should run::
92
92
93 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
93 hg clone ssh://user@kallithea.example.com/srv/repos/kallithea
94
94
95 Using other external tools such as mercurial-server_ or using ssh key-based
95 Using other external tools such as mercurial-server_ or using ssh key-based
96 authentication is fully supported.
96 authentication is fully supported.
97
97
98 .. note:: In an advanced setup, in order for your ssh access to use
98 .. note:: In an advanced setup, in order for your ssh access to use
99 the same permissions as set up via the Kallithea web
99 the same permissions as set up via the Kallithea web
100 interface, you can create an authentication hook to connect
100 interface, you can create an authentication hook to connect
101 to the Kallithea db and run check functions for permissions
101 to the Kallithea db and run check functions for permissions
102 against that.
102 against that.
103
103
104
104
105 Setting up Whoosh full text search
105 Setting up Whoosh full text search
106 ----------------------------------
106 ----------------------------------
107
107
108 Kallithea provides full text search of repositories using `Whoosh`__.
108 Kallithea provides full text search of repositories using `Whoosh`__.
109
109
110 .. __: https://pythonhosted.org/Whoosh/
110 .. __: https://pythonhosted.org/Whoosh/
111
111
112 For an incremental index build, run::
112 For an incremental index build, run::
113
113
114 paster make-index my.ini
114 paster make-index my.ini
115
115
116 For a full index rebuild, run::
116 For a full index rebuild, run::
117
117
118 paster make-index my.ini -f
118 paster make-index my.ini -f
119
119
120 The ``--repo-location`` option allows the location of the repositories to be overridden;
120 The ``--repo-location`` option allows the location of the repositories to be overridden;
121 usually, the location is retrieved from the Kallithea database.
121 usually, the location is retrieved from the Kallithea database.
122
122
123 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
123 The ``--index-only`` option can be used to limit the indexed repositories to a comma-separated list::
124
124
125 paster make-index my.ini --index-only=vcs,kallithea
125 paster make-index my.ini --index-only=vcs,kallithea
126
126
127 To keep your index up-to-date it is necessary to do periodic index builds;
127 To keep your index up-to-date it is necessary to do periodic index builds;
128 for this, it is recommended to use a crontab entry. Example::
128 for this, it is recommended to use a crontab entry. Example::
129
129
130 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
130 0 3 * * * /path/to/virtualenv/bin/paster make-index /path/to/kallithea/my.ini
131
131
132 When using incremental mode (the default), Whoosh will check the last
132 When using incremental mode (the default), Whoosh will check the last
133 modification date of each file and add it to be reindexed if a newer file is
133 modification date of each file and add it to be reindexed if a newer file is
134 available. The indexing daemon checks for any removed files and removes them
134 available. The indexing daemon checks for any removed files and removes them
135 from index.
135 from index.
136
136
137 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
137 If you want to rebuild the index from scratch, you can use the ``-f`` flag as above,
138 or in the admin panel you can check the "build from scratch" checkbox.
138 or in the admin panel you can check the "build from scratch" checkbox.
139
139
140 .. _ldap-setup:
140 .. _ldap-setup:
141
141
142
142
143 Setting up LDAP support
143 Setting up LDAP support
144 -----------------------
144 -----------------------
145
145
146 Kallithea supports LDAP authentication. In order
146 Kallithea supports LDAP authentication. In order
147 to use LDAP, you have to install the python-ldap_ package. This package is
147 to use LDAP, you have to install the python-ldap_ package. This package is
148 available via PyPI, so you can install it by running::
148 available via PyPI, so you can install it by running::
149
149
150 pip install python-ldap
150 pip install python-ldap
151
151
152 .. note:: ``python-ldap`` requires some libraries to be installed on
152 .. note:: ``python-ldap`` requires some libraries to be installed on
153 your system, so before installing it check that you have at
153 your system, so before installing it check that you have at
154 least the ``openldap`` and ``sasl`` libraries.
154 least the ``openldap`` and ``sasl`` libraries.
155
155
156 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
156 Choose *Admin > Authentication*, click the ``kallithea.lib.auth_modules.auth_ldap`` button
157 and then *Save*, to enable the LDAP plugin and configure its settings.
157 and then *Save*, to enable the LDAP plugin and configure its settings.
158
158
159 Here's a typical LDAP setup::
159 Here's a typical LDAP setup::
160
160
161 Connection settings
161 Connection settings
162 Enable LDAP = checked
162 Enable LDAP = checked
163 Host = host.example.com
163 Host = host.example.com
164 Account = <account>
164 Account = <account>
165 Password = <password>
165 Password = <password>
166 Connection Security = LDAPS connection
166 Connection Security = LDAPS
167 Certificate Checks = DEMAND
167 Certificate Checks = DEMAND
168
168
169 Search settings
169 Search settings
170 Base DN = CN=users,DC=host,DC=example,DC=org
170 Base DN = CN=users,DC=host,DC=example,DC=org
171 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
171 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
172 LDAP Search Scope = SUBTREE
172 LDAP Search Scope = SUBTREE
173
173
174 Attribute mappings
174 Attribute mappings
175 Login Attribute = uid
175 Login Attribute = uid
176 First Name Attribute = firstName
176 First Name Attribute = firstName
177 Last Name Attribute = lastName
177 Last Name Attribute = lastName
178 Email Attribute = mail
178 Email Attribute = mail
179
179
180 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
180 If your user groups are placed in an Organisation Unit (OU) structure, the Search Settings configuration differs::
181
181
182 Search settings
182 Search settings
183 Base DN = DC=host,DC=example,DC=org
183 Base DN = DC=host,DC=example,DC=org
184 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
184 LDAP Filter = (&(memberOf=CN=your user group,OU=subunit,OU=unit,DC=host,DC=example,DC=org)(objectClass=user))
185 LDAP Search Scope = SUBTREE
185 LDAP Search Scope = SUBTREE
186
186
187 .. _enable_ldap:
187 .. _enable_ldap:
188
188
189 Enable LDAP : required
189 Enable LDAP : required
190 Whether to use LDAP for authenticating users.
190 Whether to use LDAP for authenticating users.
191
191
192 .. _ldap_host:
192 .. _ldap_host:
193
193
194 Host : required
194 Host : required
195 LDAP server hostname or IP address. Can be also a comma separated
195 LDAP server hostname or IP address. Can be also a comma separated
196 list of servers to support LDAP fail-over.
196 list of servers to support LDAP fail-over.
197
197
198 .. _Port:
198 .. _Port:
199
199
200 Port : optional
200 Port : optional
201 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
201 Defaults to 389 for PLAIN un-encrypted LDAP and START_TLS.
202 Defaults to 636 for LDAPS.
202 Defaults to 636 for LDAPS.
203
203
204 .. _ldap_account:
204 .. _ldap_account:
205
205
206 Account : optional
206 Account : optional
207 Only required if the LDAP server does not allow anonymous browsing of
207 Only required if the LDAP server does not allow anonymous browsing of
208 records. This should be a special account for record browsing. This
208 records. This should be a special account for record browsing. This
209 will require `LDAP Password`_ below.
209 will require `LDAP Password`_ below.
210
210
211 .. _LDAP Password:
211 .. _LDAP Password:
212
212
213 Password : optional
213 Password : optional
214 Only required if the LDAP server does not allow anonymous browsing of
214 Only required if the LDAP server does not allow anonymous browsing of
215 records.
215 records.
216
216
217 .. _Enable LDAPS:
217 .. _Enable LDAPS:
218
218
219 Connection Security : required
219 Connection Security : required
220 Defines the connection to LDAP server
220 Defines the connection to LDAP server
221
221
222 PLAIN
222 PLAIN
223 Plain unencrypted LDAP connection.
223 Plain unencrypted LDAP connection.
224 This will by default use `Port`_ 389.
224 This will by default use `Port`_ 389.
225
225
226 LDAPS
226 LDAPS
227 Use secure LDAPS connections according to `Certificate
227 Use secure LDAPS connections according to `Certificate
228 Checks`_ configuration.
228 Checks`_ configuration.
229 This will by default use `Port`_ 636.
229 This will by default use `Port`_ 636.
230
230
231 START_TLS
231 START_TLS
232 Use START TLS according to `Certificate Checks`_ configuration on an
232 Use START TLS according to `Certificate Checks`_ configuration on an
233 apparently "plain" LDAP connection.
233 apparently "plain" LDAP connection.
234 This will by default use `Port`_ 389.
234 This will by default use `Port`_ 389.
235
235
236 .. _Certificate Checks:
236 .. _Certificate Checks:
237
237
238 Certificate Checks : optional
238 Certificate Checks : optional
239 How SSL certificates verification is handled -- this is only useful when
239 How SSL certificates verification is handled -- this is only useful when
240 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
240 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security
241 with mandatory certificate validation, while the other options are
241 with mandatory certificate validation, while the other options are
242 susceptible to man-in-the-middle attacks.
242 susceptible to man-in-the-middle attacks.
243
243
244 NEVER
244 NEVER
245 A serve certificate will never be requested or checked.
245 A serve certificate will never be requested or checked.
246
246
247 ALLOW
247 ALLOW
248 A server certificate is requested. Failure to provide a
248 A server certificate is requested. Failure to provide a
249 certificate or providing a bad certificate will not terminate the
249 certificate or providing a bad certificate will not terminate the
250 session.
250 session.
251
251
252 TRY
252 TRY
253 A server certificate is requested. Failure to provide a
253 A server certificate is requested. Failure to provide a
254 certificate does not halt the session; providing a bad certificate
254 certificate does not halt the session; providing a bad certificate
255 halts the session.
255 halts the session.
256
256
257 DEMAND
257 DEMAND
258 A server certificate is requested and must be provided and
258 A server certificate is requested and must be provided and
259 authenticated for the session to proceed.
259 authenticated for the session to proceed.
260
260
261 HARD
261 HARD
262 The same as DEMAND.
262 The same as DEMAND.
263
263
264 .. _Custom CA Certificates:
264 .. _Custom CA Certificates:
265
265
266 Custom CA Certificates : optional
266 Custom CA Certificates : optional
267 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
267 Directory used by OpenSSL to find CAs for validating the LDAP server certificate.
268 Python 2.7.10 and later default to using the system certificate store, and
268 Python 2.7.10 and later default to using the system certificate store, and
269 this should thus not be necessary when using certificates signed by a CA
269 this should thus not be necessary when using certificates signed by a CA
270 trusted by the system.
270 trusted by the system.
271 It can be set to something like `/etc/openldap/cacerts` on older systems or
271 It can be set to something like `/etc/openldap/cacerts` on older systems or
272 if using self-signed certificates.
272 if using self-signed certificates.
273
273
274 .. _Base DN:
274 .. _Base DN:
275
275
276 Base DN : required
276 Base DN : required
277 The Distinguished Name (DN) where searches for users will be performed.
277 The Distinguished Name (DN) where searches for users will be performed.
278 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
278 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
279
279
280 .. _LDAP Filter:
280 .. _LDAP Filter:
281
281
282 LDAP Filter : optional
282 LDAP Filter : optional
283 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
283 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
284 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
284 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
285 which LDAP objects are identified as representing Users for
285 which LDAP objects are identified as representing Users for
286 authentication. The filter is augmented by `Login Attribute`_ below.
286 authentication. The filter is augmented by `Login Attribute`_ below.
287 This can commonly be left blank.
287 This can commonly be left blank.
288
288
289 .. _LDAP Search Scope:
289 .. _LDAP Search Scope:
290
290
291 LDAP Search Scope : required
291 LDAP Search Scope : required
292 This limits how far LDAP will search for a matching object.
292 This limits how far LDAP will search for a matching object.
293
293
294 BASE
294 BASE
295 Only allows searching of `Base DN`_ and is usually not what you
295 Only allows searching of `Base DN`_ and is usually not what you
296 want.
296 want.
297
297
298 ONELEVEL
298 ONELEVEL
299 Searches all entries under `Base DN`_, but not Base DN itself.
299 Searches all entries under `Base DN`_, but not Base DN itself.
300
300
301 SUBTREE
301 SUBTREE
302 Searches all entries below `Base DN`_, but not Base DN itself.
302 Searches all entries below `Base DN`_, but not Base DN itself.
303 When using SUBTREE `LDAP Filter`_ is useful to limit object
303 When using SUBTREE `LDAP Filter`_ is useful to limit object
304 location.
304 location.
305
305
306 .. _Login Attribute:
306 .. _Login Attribute:
307
307
308 Login Attribute : required
308 Login Attribute : required
309 The LDAP record attribute that will be matched as the USERNAME or
309 The LDAP record attribute that will be matched as the USERNAME or
310 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
310 ACCOUNT used to connect to Kallithea. This will be added to `LDAP
311 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
311 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
312 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
312 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
313 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
313 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
314 ::
314 ::
315
315
316 (&(LDAPFILTER)(uid=jsmith))
316 (&(LDAPFILTER)(uid=jsmith))
317
317
318 .. _ldap_attr_firstname:
318 .. _ldap_attr_firstname:
319
319
320 First Name Attribute : required
320 First Name Attribute : required
321 The LDAP record attribute which represents the user's first name.
321 The LDAP record attribute which represents the user's first name.
322
322
323 .. _ldap_attr_lastname:
323 .. _ldap_attr_lastname:
324
324
325 Last Name Attribute : required
325 Last Name Attribute : required
326 The LDAP record attribute which represents the user's last name.
326 The LDAP record attribute which represents the user's last name.
327
327
328 .. _ldap_attr_email:
328 .. _ldap_attr_email:
329
329
330 Email Attribute : required
330 Email Attribute : required
331 The LDAP record attribute which represents the user's email address.
331 The LDAP record attribute which represents the user's email address.
332
332
333 If all data are entered correctly, and python-ldap_ is properly installed
333 If all data are entered correctly, and python-ldap_ is properly installed
334 users should be granted access to Kallithea with LDAP accounts. At this
334 users should be granted access to Kallithea with LDAP accounts. At this
335 time user information is copied from LDAP into the Kallithea user database.
335 time user information is copied from LDAP into the Kallithea user database.
336 This means that updates of an LDAP user object may not be reflected as a
336 This means that updates of an LDAP user object may not be reflected as a
337 user update in Kallithea.
337 user update in Kallithea.
338
338
339 If You have problems with LDAP access and believe You entered correct
339 If You have problems with LDAP access and believe You entered correct
340 information check out the Kallithea logs, any error messages sent from LDAP
340 information check out the Kallithea logs, any error messages sent from LDAP
341 will be saved there.
341 will be saved there.
342
342
343 Active Directory
343 Active Directory
344 ^^^^^^^^^^^^^^^^
344 ^^^^^^^^^^^^^^^^
345
345
346 Kallithea can use Microsoft Active Directory for user authentication. This
346 Kallithea can use Microsoft Active Directory for user authentication. This
347 is done through an LDAP or LDAPS connection to Active Directory. The
347 is done through an LDAP or LDAPS connection to Active Directory. The
348 following LDAP configuration settings are typical for using Active
348 following LDAP configuration settings are typical for using Active
349 Directory ::
349 Directory ::
350
350
351 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
351 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
352 Login Attribute = sAMAccountName
352 Login Attribute = sAMAccountName
353 First Name Attribute = givenName
353 First Name Attribute = givenName
354 Last Name Attribute = sn
354 Last Name Attribute = sn
355 Email Attribute = mail
355 Email Attribute = mail
356
356
357 All other LDAP settings will likely be site-specific and should be
357 All other LDAP settings will likely be site-specific and should be
358 appropriately configured.
358 appropriately configured.
359
359
360
360
361 Authentication by container or reverse-proxy
361 Authentication by container or reverse-proxy
362 --------------------------------------------
362 --------------------------------------------
363
363
364 Kallithea supports delegating the authentication
364 Kallithea supports delegating the authentication
365 of users to its WSGI container, or to a reverse-proxy server through which all
365 of users to its WSGI container, or to a reverse-proxy server through which all
366 clients access the application.
366 clients access the application.
367
367
368 When these authentication methods are enabled in Kallithea, it uses the
368 When these authentication methods are enabled in Kallithea, it uses the
369 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
369 username that the container/proxy (Apache or Nginx, etc.) provides and doesn't
370 perform the authentication itself. The authorization, however, is still done by
370 perform the authentication itself. The authorization, however, is still done by
371 Kallithea according to its settings.
371 Kallithea according to its settings.
372
372
373 When a user logs in for the first time using these authentication methods,
373 When a user logs in for the first time using these authentication methods,
374 a matching user account is created in Kallithea with default permissions. An
374 a matching user account is created in Kallithea with default permissions. An
375 administrator can then modify it using Kallithea's admin interface.
375 administrator can then modify it using Kallithea's admin interface.
376
376
377 It's also possible for an administrator to create accounts and configure their
377 It's also possible for an administrator to create accounts and configure their
378 permissions before the user logs in for the first time, using the :ref:`create-user` API.
378 permissions before the user logs in for the first time, using the :ref:`create-user` API.
379
379
380 Container-based authentication
380 Container-based authentication
381 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
381 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
382
382
383 In a container-based authentication setup, Kallithea reads the user name from
383 In a container-based authentication setup, Kallithea reads the user name from
384 the ``REMOTE_USER`` server variable provided by the WSGI container.
384 the ``REMOTE_USER`` server variable provided by the WSGI container.
385
385
386 After setting up your container (see `Apache with mod_wsgi`_), you'll need
386 After setting up your container (see `Apache with mod_wsgi`_), you'll need
387 to configure it to require authentication on the location configured for
387 to configure it to require authentication on the location configured for
388 Kallithea.
388 Kallithea.
389
389
390 Proxy pass-through authentication
390 Proxy pass-through authentication
391 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
391 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
392
392
393 In a proxy pass-through authentication setup, Kallithea reads the user name
393 In a proxy pass-through authentication setup, Kallithea reads the user name
394 from the ``X-Forwarded-User`` request header, which should be configured to be
394 from the ``X-Forwarded-User`` request header, which should be configured to be
395 sent by the reverse-proxy server.
395 sent by the reverse-proxy server.
396
396
397 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
397 After setting up your proxy solution (see `Apache virtual host reverse proxy example`_,
398 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
398 `Apache as subdirectory`_ or `Nginx virtual host example`_), you'll need to
399 configure the authentication and add the username in a request header named
399 configure the authentication and add the username in a request header named
400 ``X-Forwarded-User``.
400 ``X-Forwarded-User``.
401
401
402 For example, the following config section for Apache sets a subdirectory in a
402 For example, the following config section for Apache sets a subdirectory in a
403 reverse-proxy setup with basic auth:
403 reverse-proxy setup with basic auth:
404
404
405 .. code-block:: apache
405 .. code-block:: apache
406
406
407 <Location /someprefix>
407 <Location /someprefix>
408 ProxyPass http://127.0.0.1:5000/someprefix
408 ProxyPass http://127.0.0.1:5000/someprefix
409 ProxyPassReverse http://127.0.0.1:5000/someprefix
409 ProxyPassReverse http://127.0.0.1:5000/someprefix
410 SetEnvIf X-Url-Scheme https HTTPS=1
410 SetEnvIf X-Url-Scheme https HTTPS=1
411
411
412 AuthType Basic
412 AuthType Basic
413 AuthName "Kallithea authentication"
413 AuthName "Kallithea authentication"
414 AuthUserFile /srv/kallithea/.htpasswd
414 AuthUserFile /srv/kallithea/.htpasswd
415 Require valid-user
415 Require valid-user
416
416
417 RequestHeader unset X-Forwarded-User
417 RequestHeader unset X-Forwarded-User
418
418
419 RewriteEngine On
419 RewriteEngine On
420 RewriteCond %{LA-U:REMOTE_USER} (.+)
420 RewriteCond %{LA-U:REMOTE_USER} (.+)
421 RewriteRule .* - [E=RU:%1]
421 RewriteRule .* - [E=RU:%1]
422 RequestHeader set X-Forwarded-User %{RU}e
422 RequestHeader set X-Forwarded-User %{RU}e
423 </Location>
423 </Location>
424
424
425 Setting metadata in container/reverse-proxy
425 Setting metadata in container/reverse-proxy
426 """""""""""""""""""""""""""""""""""""""""""
426 """""""""""""""""""""""""""""""""""""""""""
427 When a new user account is created on the first login, Kallithea has no information about
427 When a new user account is created on the first login, Kallithea has no information about
428 the user's email and full name. So you can set some additional request headers like in the
428 the user's email and full name. So you can set some additional request headers like in the
429 example below. In this example the user is authenticated via Kerberos and an Apache
429 example below. In this example the user is authenticated via Kerberos and an Apache
430 mod_python fixup handler is used to get the user information from a LDAP server. But you
430 mod_python fixup handler is used to get the user information from a LDAP server. But you
431 could set the request headers however you want.
431 could set the request headers however you want.
432
432
433 .. code-block:: apache
433 .. code-block:: apache
434
434
435 <Location /someprefix>
435 <Location /someprefix>
436 ProxyPass http://127.0.0.1:5000/someprefix
436 ProxyPass http://127.0.0.1:5000/someprefix
437 ProxyPassReverse http://127.0.0.1:5000/someprefix
437 ProxyPassReverse http://127.0.0.1:5000/someprefix
438 SetEnvIf X-Url-Scheme https HTTPS=1
438 SetEnvIf X-Url-Scheme https HTTPS=1
439
439
440 AuthName "Kerberos Login"
440 AuthName "Kerberos Login"
441 AuthType Kerberos
441 AuthType Kerberos
442 Krb5Keytab /etc/apache2/http.keytab
442 Krb5Keytab /etc/apache2/http.keytab
443 KrbMethodK5Passwd off
443 KrbMethodK5Passwd off
444 KrbVerifyKDC on
444 KrbVerifyKDC on
445 Require valid-user
445 Require valid-user
446
446
447 PythonFixupHandler ldapmetadata
447 PythonFixupHandler ldapmetadata
448
448
449 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
449 RequestHeader set X_REMOTE_USER %{X_REMOTE_USER}e
450 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
450 RequestHeader set X_REMOTE_EMAIL %{X_REMOTE_EMAIL}e
451 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
451 RequestHeader set X_REMOTE_FIRSTNAME %{X_REMOTE_FIRSTNAME}e
452 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
452 RequestHeader set X_REMOTE_LASTNAME %{X_REMOTE_LASTNAME}e
453 </Location>
453 </Location>
454
454
455 .. code-block:: python
455 .. code-block:: python
456
456
457 from mod_python import apache
457 from mod_python import apache
458 import ldap
458 import ldap
459
459
460 LDAP_SERVER = "ldap://server.mydomain.com:389"
460 LDAP_SERVER = "ldaps://server.mydomain.com:636"
461 LDAP_USER = ""
461 LDAP_USER = ""
462 LDAP_PASS = ""
462 LDAP_PASS = ""
463 LDAP_ROOT = "dc=mydomain,dc=com"
463 LDAP_ROOT = "dc=mydomain,dc=com"
464 LDAP_FILTER = "sAMAccountName=%s"
464 LDAP_FILTER = "sAMAccountName=%s"
465 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
465 LDAP_ATTR_LIST = ['sAMAccountName','givenname','sn','mail']
466
466
467 def fixuphandler(req):
467 def fixuphandler(req):
468 if req.user is None:
468 if req.user is None:
469 # no user to search for
469 # no user to search for
470 return apache.OK
470 return apache.OK
471 else:
471 else:
472 try:
472 try:
473 if('\\' in req.user):
473 if('\\' in req.user):
474 username = req.user.split('\\')[1]
474 username = req.user.split('\\')[1]
475 elif('@' in req.user):
475 elif('@' in req.user):
476 username = req.user.split('@')[0]
476 username = req.user.split('@')[0]
477 else:
477 else:
478 username = req.user
478 username = req.user
479 l = ldap.initialize(LDAP_SERVER)
479 l = ldap.initialize(LDAP_SERVER)
480 l.simple_bind_s(LDAP_USER, LDAP_PASS)
480 l.simple_bind_s(LDAP_USER, LDAP_PASS)
481 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
481 r = l.search_s(LDAP_ROOT, ldap.SCOPE_SUBTREE, LDAP_FILTER % username, attrlist=LDAP_ATTR_LIST)
482
482
483 req.subprocess_env['X_REMOTE_USER'] = username
483 req.subprocess_env['X_REMOTE_USER'] = username
484 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
484 req.subprocess_env['X_REMOTE_EMAIL'] = r[0][1]['mail'][0].lower()
485 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
485 req.subprocess_env['X_REMOTE_FIRSTNAME'] = "%s" % r[0][1]['givenname'][0]
486 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
486 req.subprocess_env['X_REMOTE_LASTNAME'] = "%s" % r[0][1]['sn'][0]
487 except Exception, e:
487 except Exception, e:
488 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
488 apache.log_error("error getting data from ldap %s" % str(e), apache.APLOG_ERR)
489
489
490 return apache.OK
490 return apache.OK
491
491
492 .. note::
492 .. note::
493 If you enable proxy pass-through authentication, make sure your server is
493 If you enable proxy pass-through authentication, make sure your server is
494 only accessible through the proxy. Otherwise, any client would be able to
494 only accessible through the proxy. Otherwise, any client would be able to
495 forge the authentication header and could effectively become authenticated
495 forge the authentication header and could effectively become authenticated
496 using any account of their liking.
496 using any account of their liking.
497
497
498
498
499 Integration with issue trackers
499 Integration with issue trackers
500 -------------------------------
500 -------------------------------
501
501
502 Kallithea provides a simple integration with issue trackers. It's possible
502 Kallithea provides a simple integration with issue trackers. It's possible
503 to define a regular expression that will match an issue ID in commit messages,
503 to define a regular expression that will match an issue ID in commit messages,
504 and have that replaced with a URL to the issue. To enable this simply
504 and have that replaced with a URL to the issue. To enable this simply
505 uncomment the following variables in the ini file::
505 uncomment the following variables in the ini file::
506
506
507 issue_pat = (?:^#|\s#)(\w+)
507 issue_pat = (?:^#|\s#)(\w+)
508 issue_server_link = https://issues.example.com/{repo}/issue/{id}
508 issue_server_link = https://issues.example.com/{repo}/issue/{id}
509 issue_prefix = #
509 issue_prefix = #
510
510
511 ``issue_pat`` is the regular expression describing which strings in
511 ``issue_pat`` is the regular expression describing which strings in
512 commit messages will be treated as issue references. A match group in
512 commit messages will be treated as issue references. A match group in
513 parentheses should be used to specify the actual issue id.
513 parentheses should be used to specify the actual issue id.
514
514
515 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
515 The default expression matches issues in the format ``#<number>``, e.g., ``#300``.
516
516
517 Matched issue references are replaced with the link specified in
517 Matched issue references are replaced with the link specified in
518 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
518 ``issue_server_link``. ``{id}`` is replaced with the issue ID, and
519 ``{repo}`` with the repository name. Since the # is stripped away,
519 ``{repo}`` with the repository name. Since the # is stripped away,
520 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
520 ``issue_prefix`` is prepended to the link text. ``issue_prefix`` doesn't
521 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
521 necessarily need to be ``#``: if you set issue prefix to ``ISSUE-`` this will
522 generate a URL in the format:
522 generate a URL in the format:
523
523
524 .. code-block:: html
524 .. code-block:: html
525
525
526 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
526 <a href="https://issues.example.com/example_repo/issue/300">ISSUE-300</a>
527
527
528 If needed, more than one pattern can be specified by appending a unique suffix to
528 If needed, more than one pattern can be specified by appending a unique suffix to
529 the variables. For example::
529 the variables. For example::
530
530
531 issue_pat_wiki = (?:wiki-)(.+)
531 issue_pat_wiki = (?:wiki-)(.+)
532 issue_server_link_wiki = https://wiki.example.com/{id}
532 issue_server_link_wiki = https://wiki.example.com/{id}
533 issue_prefix_wiki = WIKI-
533 issue_prefix_wiki = WIKI-
534
534
535 With these settings, wiki pages can be referenced as wiki-some-id, and every
535 With these settings, wiki pages can be referenced as wiki-some-id, and every
536 such reference will be transformed into:
536 such reference will be transformed into:
537
537
538 .. code-block:: html
538 .. code-block:: html
539
539
540 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
540 <a href="https://wiki.example.com/some-id">WIKI-some-id</a>
541
541
542
542
543 Hook management
543 Hook management
544 ---------------
544 ---------------
545
545
546 Hooks can be managed in similar way to that used in ``.hgrc`` files.
546 Hooks can be managed in similar way to that used in ``.hgrc`` files.
547 To manage hooks, choose *Admin > Settings > Hooks*.
547 To manage hooks, choose *Admin > Settings > Hooks*.
548
548
549 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
549 The built-in hooks cannot be modified, though they can be enabled or disabled in the *VCS* section.
550
550
551 To add another custom hook simply fill in the first textbox with
551 To add another custom hook simply fill in the first textbox with
552 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
552 ``<name>.<hook_type>`` and the second with the hook path. Example hooks
553 can be found in ``kallithea.lib.hooks``.
553 can be found in ``kallithea.lib.hooks``.
554
554
555
555
556 Changing default encoding
556 Changing default encoding
557 -------------------------
557 -------------------------
558
558
559 By default, Kallithea uses UTF-8 encoding.
559 By default, Kallithea uses UTF-8 encoding.
560 This is configurable as ``default_encoding`` in the .ini file.
560 This is configurable as ``default_encoding`` in the .ini file.
561 This affects many parts in Kallithea including user names, filenames, and
561 This affects many parts in Kallithea including user names, filenames, and
562 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
562 encoding of commit messages. In addition Kallithea can detect if the ``chardet``
563 library is installed. If ``chardet`` is detected Kallithea will fallback to it
563 library is installed. If ``chardet`` is detected Kallithea will fallback to it
564 when there are encode/decode errors.
564 when there are encode/decode errors.
565
565
566
566
567 Celery configuration
567 Celery configuration
568 --------------------
568 --------------------
569
569
570 Kallithea can use the distributed task queue system Celery_ to run tasks like
570 Kallithea can use the distributed task queue system Celery_ to run tasks like
571 cloning repositories or sending emails.
571 cloning repositories or sending emails.
572
572
573 Kallithea will in most setups work perfectly fine out of the box (without
573 Kallithea will in most setups work perfectly fine out of the box (without
574 Celery), executing all tasks in the web server process. Some tasks can however
574 Celery), executing all tasks in the web server process. Some tasks can however
575 take some time to run and it can be better to run such tasks asynchronously in
575 take some time to run and it can be better to run such tasks asynchronously in
576 a separate process so the web server can focus on serving web requests.
576 a separate process so the web server can focus on serving web requests.
577
577
578 For installation and configuration of Celery, see the `Celery documentation`_.
578 For installation and configuration of Celery, see the `Celery documentation`_.
579 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
579 Note that Celery requires a message broker service like RabbitMQ_ (recommended)
580 or Redis_.
580 or Redis_.
581
581
582 The use of Celery is configured in the Kallithea ini configuration file.
582 The use of Celery is configured in the Kallithea ini configuration file.
583 To enable it, simply set::
583 To enable it, simply set::
584
584
585 use_celery = true
585 use_celery = true
586
586
587 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
587 and add or change the ``celery.*`` and ``broker.*`` configuration variables.
588
588
589 Remember that the ini files use the format with '.' and not with '_' like
589 Remember that the ini files use the format with '.' and not with '_' like
590 Celery. So for example setting `BROKER_HOST` in Celery means setting
590 Celery. So for example setting `BROKER_HOST` in Celery means setting
591 `broker.host` in the configuration file.
591 `broker.host` in the configuration file.
592
592
593 To start the Celery process, run::
593 To start the Celery process, run::
594
594
595 paster celeryd <configfile.ini>
595 paster celeryd <configfile.ini>
596
596
597 .. note::
597 .. note::
598 Make sure you run this command from the same virtualenv, and with the same
598 Make sure you run this command from the same virtualenv, and with the same
599 user that Kallithea runs.
599 user that Kallithea runs.
600
600
601
601
602 HTTPS support
602 HTTPS support
603 -------------
603 -------------
604
604
605 Kallithea will by default generate URLs based on the WSGI environment.
605 Kallithea will by default generate URLs based on the WSGI environment.
606
606
607 Alternatively, you can use some special configuration settings to control
607 Alternatively, you can use some special configuration settings to control
608 directly which scheme/protocol Kallithea will use when generating URLs:
608 directly which scheme/protocol Kallithea will use when generating URLs:
609
609
610 - With ``https_fixup = true``, the scheme will be taken from the
610 - With ``https_fixup = true``, the scheme will be taken from the
611 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
611 ``X-Url-Scheme``, ``X-Forwarded-Scheme`` or ``X-Forwarded-Proto`` HTTP header
612 (default ``http``).
612 (default ``http``).
613 - With ``force_https = true`` the default will be ``https``.
613 - With ``force_https = true`` the default will be ``https``.
614 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
614 - With ``use_htsts = true``, Kallithea will set ``Strict-Transport-Security`` when using https.
615
615
616
616
617 Nginx virtual host example
617 Nginx virtual host example
618 --------------------------
618 --------------------------
619
619
620 Sample config for Nginx using proxy:
620 Sample config for Nginx using proxy:
621
621
622 .. code-block:: nginx
622 .. code-block:: nginx
623
623
624 upstream kallithea {
624 upstream kallithea {
625 server 127.0.0.1:5000;
625 server 127.0.0.1:5000;
626 # add more instances for load balancing
626 # add more instances for load balancing
627 #server 127.0.0.1:5001;
627 #server 127.0.0.1:5001;
628 #server 127.0.0.1:5002;
628 #server 127.0.0.1:5002;
629 }
629 }
630
630
631 ## gist alias
631 ## gist alias
632 server {
632 server {
633 listen 443;
633 listen 443;
634 server_name gist.example.com;
634 server_name gist.example.com;
635 access_log /var/log/nginx/gist.access.log;
635 access_log /var/log/nginx/gist.access.log;
636 error_log /var/log/nginx/gist.error.log;
636 error_log /var/log/nginx/gist.error.log;
637
637
638 ssl on;
638 ssl on;
639 ssl_certificate gist.your.kallithea.server.crt;
639 ssl_certificate gist.your.kallithea.server.crt;
640 ssl_certificate_key gist.your.kallithea.server.key;
640 ssl_certificate_key gist.your.kallithea.server.key;
641
641
642 ssl_session_timeout 5m;
642 ssl_session_timeout 5m;
643
643
644 ssl_protocols SSLv3 TLSv1;
644 ssl_protocols SSLv3 TLSv1;
645 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
645 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
646 ssl_prefer_server_ciphers on;
646 ssl_prefer_server_ciphers on;
647
647
648 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
648 rewrite ^/(.+)$ https://kallithea.example.com/_admin/gists/$1;
649 rewrite (.*) https://kallithea.example.com/_admin/gists;
649 rewrite (.*) https://kallithea.example.com/_admin/gists;
650 }
650 }
651
651
652 server {
652 server {
653 listen 443;
653 listen 443;
654 server_name kallithea.example.com
654 server_name kallithea.example.com
655 access_log /var/log/nginx/kallithea.access.log;
655 access_log /var/log/nginx/kallithea.access.log;
656 error_log /var/log/nginx/kallithea.error.log;
656 error_log /var/log/nginx/kallithea.error.log;
657
657
658 ssl on;
658 ssl on;
659 ssl_certificate your.kallithea.server.crt;
659 ssl_certificate your.kallithea.server.crt;
660 ssl_certificate_key your.kallithea.server.key;
660 ssl_certificate_key your.kallithea.server.key;
661
661
662 ssl_session_timeout 5m;
662 ssl_session_timeout 5m;
663
663
664 ssl_protocols SSLv3 TLSv1;
664 ssl_protocols SSLv3 TLSv1;
665 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
665 ssl_ciphers DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:EDH-RSA-DES-CBC3-SHA:AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5;
666 ssl_prefer_server_ciphers on;
666 ssl_prefer_server_ciphers on;
667
667
668 ## uncomment root directive if you want to serve static files by nginx
668 ## uncomment root directive if you want to serve static files by nginx
669 ## requires static_files = false in .ini file
669 ## requires static_files = false in .ini file
670 #root /srv/kallithea/kallithea/kallithea/public;
670 #root /srv/kallithea/kallithea/kallithea/public;
671 include /etc/nginx/proxy.conf;
671 include /etc/nginx/proxy.conf;
672 location / {
672 location / {
673 try_files $uri @kallithea;
673 try_files $uri @kallithea;
674 }
674 }
675
675
676 location @kallithea {
676 location @kallithea {
677 proxy_pass http://127.0.0.1:5000;
677 proxy_pass http://127.0.0.1:5000;
678 }
678 }
679
679
680 }
680 }
681
681
682 Here's the proxy.conf. It's tuned so it will not timeout on long
682 Here's the proxy.conf. It's tuned so it will not timeout on long
683 pushes or large pushes::
683 pushes or large pushes::
684
684
685 proxy_redirect off;
685 proxy_redirect off;
686 proxy_set_header Host $host;
686 proxy_set_header Host $host;
687 ## needed for container auth
687 ## needed for container auth
688 #proxy_set_header REMOTE_USER $remote_user;
688 #proxy_set_header REMOTE_USER $remote_user;
689 #proxy_set_header X-Forwarded-User $remote_user;
689 #proxy_set_header X-Forwarded-User $remote_user;
690 proxy_set_header X-Url-Scheme $scheme;
690 proxy_set_header X-Url-Scheme $scheme;
691 proxy_set_header X-Host $http_host;
691 proxy_set_header X-Host $http_host;
692 proxy_set_header X-Real-IP $remote_addr;
692 proxy_set_header X-Real-IP $remote_addr;
693 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
693 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
694 proxy_set_header Proxy-host $proxy_host;
694 proxy_set_header Proxy-host $proxy_host;
695 proxy_buffering off;
695 proxy_buffering off;
696 proxy_connect_timeout 7200;
696 proxy_connect_timeout 7200;
697 proxy_send_timeout 7200;
697 proxy_send_timeout 7200;
698 proxy_read_timeout 7200;
698 proxy_read_timeout 7200;
699 proxy_buffers 8 32k;
699 proxy_buffers 8 32k;
700 client_max_body_size 1024m;
700 client_max_body_size 1024m;
701 client_body_buffer_size 128k;
701 client_body_buffer_size 128k;
702 large_client_header_buffers 8 64k;
702 large_client_header_buffers 8 64k;
703
703
704
704
705 Apache virtual host reverse proxy example
705 Apache virtual host reverse proxy example
706 -----------------------------------------
706 -----------------------------------------
707
707
708 Here is a sample configuration file for Apache using proxy:
708 Here is a sample configuration file for Apache using proxy:
709
709
710 .. code-block:: apache
710 .. code-block:: apache
711
711
712 <VirtualHost *:80>
712 <VirtualHost *:80>
713 ServerName kallithea.example.com
713 ServerName kallithea.example.com
714
714
715 <Proxy *>
715 <Proxy *>
716 # For Apache 2.4 and later:
716 # For Apache 2.4 and later:
717 Require all granted
717 Require all granted
718
718
719 # For Apache 2.2 and earlier, instead use:
719 # For Apache 2.2 and earlier, instead use:
720 # Order allow,deny
720 # Order allow,deny
721 # Allow from all
721 # Allow from all
722 </Proxy>
722 </Proxy>
723
723
724 #important !
724 #important !
725 #Directive to properly generate url (clone url) for Kallithea
725 #Directive to properly generate url (clone url) for Kallithea
726 ProxyPreserveHost On
726 ProxyPreserveHost On
727
727
728 #kallithea instance
728 #kallithea instance
729 ProxyPass / http://127.0.0.1:5000/
729 ProxyPass / http://127.0.0.1:5000/
730 ProxyPassReverse / http://127.0.0.1:5000/
730 ProxyPassReverse / http://127.0.0.1:5000/
731
731
732 #to enable https use line below
732 #to enable https use line below
733 #SetEnvIf X-Url-Scheme https HTTPS=1
733 #SetEnvIf X-Url-Scheme https HTTPS=1
734 </VirtualHost>
734 </VirtualHost>
735
735
736 Additional tutorial
736 Additional tutorial
737 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
737 http://pylonsbook.com/en/1.1/deployment.html#using-apache-to-proxy-requests-to-pylons
738
738
739
739
740 Apache as subdirectory
740 Apache as subdirectory
741 ----------------------
741 ----------------------
742
742
743 Apache subdirectory part:
743 Apache subdirectory part:
744
744
745 .. code-block:: apache
745 .. code-block:: apache
746
746
747 <Location /<someprefix> >
747 <Location /<someprefix> >
748 ProxyPass http://127.0.0.1:5000/<someprefix>
748 ProxyPass http://127.0.0.1:5000/<someprefix>
749 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
749 ProxyPassReverse http://127.0.0.1:5000/<someprefix>
750 SetEnvIf X-Url-Scheme https HTTPS=1
750 SetEnvIf X-Url-Scheme https HTTPS=1
751 </Location>
751 </Location>
752
752
753 Besides the regular apache setup you will need to add the following line
753 Besides the regular apache setup you will need to add the following line
754 into ``[app:main]`` section of your .ini file::
754 into ``[app:main]`` section of your .ini file::
755
755
756 filter-with = proxy-prefix
756 filter-with = proxy-prefix
757
757
758 Add the following at the end of the .ini file::
758 Add the following at the end of the .ini file::
759
759
760 [filter:proxy-prefix]
760 [filter:proxy-prefix]
761 use = egg:PasteDeploy#prefix
761 use = egg:PasteDeploy#prefix
762 prefix = /<someprefix>
762 prefix = /<someprefix>
763
763
764 then change ``<someprefix>`` into your chosen prefix
764 then change ``<someprefix>`` into your chosen prefix
765
765
766
766
767 Apache with mod_wsgi
767 Apache with mod_wsgi
768 --------------------
768 --------------------
769
769
770 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
770 Alternatively, Kallithea can be set up with Apache under mod_wsgi. For
771 that, you'll need to:
771 that, you'll need to:
772
772
773 - Install mod_wsgi. If using a Debian-based distro, you can install
773 - Install mod_wsgi. If using a Debian-based distro, you can install
774 the package libapache2-mod-wsgi::
774 the package libapache2-mod-wsgi::
775
775
776 aptitude install libapache2-mod-wsgi
776 aptitude install libapache2-mod-wsgi
777
777
778 - Enable mod_wsgi::
778 - Enable mod_wsgi::
779
779
780 a2enmod wsgi
780 a2enmod wsgi
781
781
782 - Add global Apache configuration to tell mod_wsgi that Python only will be
782 - Add global Apache configuration to tell mod_wsgi that Python only will be
783 used in the WSGI processes and shouldn't be initialized in the Apache
783 used in the WSGI processes and shouldn't be initialized in the Apache
784 processes::
784 processes::
785
785
786 WSGIRestrictEmbedded On
786 WSGIRestrictEmbedded On
787
787
788 - Create a wsgi dispatch script, like the one below. Make sure you
788 - Create a wsgi dispatch script, like the one below. Make sure you
789 check that the paths correctly point to where you installed Kallithea
789 check that the paths correctly point to where you installed Kallithea
790 and its Python Virtual Environment.
790 and its Python Virtual Environment.
791 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
791 - Enable the ``WSGIScriptAlias`` directive for the WSGI dispatch script,
792 as in the following example. Once again, check the paths are
792 as in the following example. Once again, check the paths are
793 correctly specified.
793 correctly specified.
794
794
795 Here is a sample excerpt from an Apache Virtual Host configuration file:
795 Here is a sample excerpt from an Apache Virtual Host configuration file:
796
796
797 .. code-block:: apache
797 .. code-block:: apache
798
798
799 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
799 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100 \
800 python-home=/srv/kallithea/venv
800 python-home=/srv/kallithea/venv
801 WSGIProcessGroup kallithea
801 WSGIProcessGroup kallithea
802 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
802 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
803 WSGIPassAuthorization On
803 WSGIPassAuthorization On
804
804
805 Or if using a dispatcher WSGI script with proper virtualenv activation:
805 Or if using a dispatcher WSGI script with proper virtualenv activation:
806
806
807 .. code-block:: apache
807 .. code-block:: apache
808
808
809 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
809 WSGIDaemonProcess kallithea processes=5 threads=1 maximum-requests=100
810 WSGIProcessGroup kallithea
810 WSGIProcessGroup kallithea
811 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
811 WSGIScriptAlias / /srv/kallithea/dispatch.wsgi
812 WSGIPassAuthorization On
812 WSGIPassAuthorization On
813
813
814 Apache will by default run as a special Apache user, on Linux systems
814 Apache will by default run as a special Apache user, on Linux systems
815 usually ``www-data`` or ``apache``. If you need to have the repositories
815 usually ``www-data`` or ``apache``. If you need to have the repositories
816 directory owned by a different user, use the user and group options to
816 directory owned by a different user, use the user and group options to
817 WSGIDaemonProcess to set the name of the user and group.
817 WSGIDaemonProcess to set the name of the user and group.
818
818
819 Example WSGI dispatch script:
819 Example WSGI dispatch script:
820
820
821 .. code-block:: python
821 .. code-block:: python
822
822
823 import os
823 import os
824 os.environ["HGENCODING"] = "UTF-8"
824 os.environ["HGENCODING"] = "UTF-8"
825 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
825 os.environ['PYTHON_EGG_CACHE'] = '/srv/kallithea/.egg-cache'
826
826
827 # sometimes it's needed to set the current dir
827 # sometimes it's needed to set the current dir
828 os.chdir('/srv/kallithea/')
828 os.chdir('/srv/kallithea/')
829
829
830 import site
830 import site
831 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
831 site.addsitedir("/srv/kallithea/venv/lib/python2.7/site-packages")
832
832
833 ini = '/srv/kallithea/my.ini'
833 ini = '/srv/kallithea/my.ini'
834 from paste.script.util.logging_config import fileConfig
834 from paste.script.util.logging_config import fileConfig
835 fileConfig(ini)
835 fileConfig(ini)
836 from paste.deploy import loadapp
836 from paste.deploy import loadapp
837 application = loadapp('config:' + ini)
837 application = loadapp('config:' + ini)
838
838
839 Or using proper virtualenv activation:
839 Or using proper virtualenv activation:
840
840
841 .. code-block:: python
841 .. code-block:: python
842
842
843 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
843 activate_this = '/srv/kallithea/venv/bin/activate_this.py'
844 execfile(activate_this, dict(__file__=activate_this))
844 execfile(activate_this, dict(__file__=activate_this))
845
845
846 import os
846 import os
847 os.environ['HOME'] = '/srv/kallithea'
847 os.environ['HOME'] = '/srv/kallithea'
848
848
849 ini = '/srv/kallithea/kallithea.ini'
849 ini = '/srv/kallithea/kallithea.ini'
850 from paste.script.util.logging_config import fileConfig
850 from paste.script.util.logging_config import fileConfig
851 fileConfig(ini)
851 fileConfig(ini)
852 from paste.deploy import loadapp
852 from paste.deploy import loadapp
853 application = loadapp('config:' + ini)
853 application = loadapp('config:' + ini)
854
854
855
855
856 Other configuration files
856 Other configuration files
857 -------------------------
857 -------------------------
858
858
859 A number of `example init.d scripts`__ can be found in
859 A number of `example init.d scripts`__ can be found in
860 the ``init.d`` directory of the Kallithea source.
860 the ``init.d`` directory of the Kallithea source.
861
861
862 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
862 .. __: https://kallithea-scm.org/repos/kallithea/files/tip/init.d/ .
863
863
864
864
865 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
865 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
866 .. _python: http://www.python.org/
866 .. _python: http://www.python.org/
867 .. _Mercurial: https://www.mercurial-scm.org/
867 .. _Mercurial: https://www.mercurial-scm.org/
868 .. _Celery: http://celeryproject.org/
868 .. _Celery: http://celeryproject.org/
869 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
869 .. _Celery documentation: http://docs.celeryproject.org/en/latest/getting-started/index.html
870 .. _RabbitMQ: http://www.rabbitmq.com/
870 .. _RabbitMQ: http://www.rabbitmq.com/
871 .. _Redis: http://redis.io/
871 .. _Redis: http://redis.io/
872 .. _python-ldap: http://www.python-ldap.org/
872 .. _python-ldap: http://www.python-ldap.org/
873 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
873 .. _mercurial-server: http://www.lshift.net/mercurial-server.html
874 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
874 .. _PublishingRepositories: https://www.mercurial-scm.org/wiki/PublishingRepositories
Show file before | Show file after | Hide comments
@@ -1,11 +1,11 b''
1 [default]
1 [default]
2 api_url = http://kallithea.example.com/_admin/api
2 api_url = http://kallithea.example.com/_admin/api
3 api_user = admin
3 api_user = admin
4 api_key = XXXXXXXXXXXX
4 api_key = XXXXXXXXXXXX
5
5
6 ldap_uri = ldap://ldap.example.com:389
6 ldap_uri = ldaps://ldap.example.com:636
7 ldap_user = cn=kallithea,dc=example,dc=com
7 ldap_user = cn=kallithea,dc=example,dc=com
8 ldap_key = XXXXXXXXX
8 ldap_key = XXXXXXXXX
9 base_dn = dc=example,dc=com
9 base_dn = dc=example,dc=com
10
10
11 sync_users = True
11 sync_users = True
Show file before | Show file after | Hide comments
@@ -1,370 +1,370 b''
1 # -*- coding: utf-8 -*-
1 # -*- coding: utf-8 -*-
2 # This program is free software: you can redistribute it and/or modify
2 # This program is free software: you can redistribute it and/or modify
3 # it under the terms of the GNU General Public License as published by
3 # it under the terms of the GNU General Public License as published by
4 # the Free Software Foundation, either version 3 of the License, or
4 # the Free Software Foundation, either version 3 of the License, or
5 # (at your option) any later version.
5 # (at your option) any later version.
6 #
6 #
7 # This program is distributed in the hope that it will be useful,
7 # This program is distributed in the hope that it will be useful,
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
8 # but WITHOUT ANY WARRANTY; without even the implied warranty of
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
9 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 # GNU General Public License for more details.
10 # GNU General Public License for more details.
11 #
11 #
12 # You should have received a copy of the GNU General Public License
12 # You should have received a copy of the GNU General Public License
13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
13 # along with this program. If not, see <http://www.gnu.org/licenses/>.
14 """
14 """
15 kallithea.lib.auth_modules.auth_ldap
15 kallithea.lib.auth_modules.auth_ldap
16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
16 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
17
17
18 Kallithea authentication plugin for LDAP
18 Kallithea authentication plugin for LDAP
19
19
20 This file was forked by the Kallithea project in July 2014.
20 This file was forked by the Kallithea project in July 2014.
21 Original author and date, and relevant copyright and licensing information is below:
21 Original author and date, and relevant copyright and licensing information is below:
22 :created_on: Created on Nov 17, 2010
22 :created_on: Created on Nov 17, 2010
23 :author: marcink
23 :author: marcink
24 :copyright: (c) 2013 RhodeCode GmbH, and others.
24 :copyright: (c) 2013 RhodeCode GmbH, and others.
25 :license: GPLv3, see LICENSE.md for more details.
25 :license: GPLv3, see LICENSE.md for more details.
26 """
26 """
27
27
28
28
29 import logging
29 import logging
30 import traceback
30 import traceback
31
31
32 from kallithea.lib import auth_modules
32 from kallithea.lib import auth_modules
33 from kallithea.lib.compat import hybrid_property
33 from kallithea.lib.compat import hybrid_property
34 from kallithea.lib.utils2 import safe_unicode, safe_str
34 from kallithea.lib.utils2 import safe_unicode, safe_str
35 from kallithea.lib.exceptions import (
35 from kallithea.lib.exceptions import (
36 LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
36 LdapConnectionError, LdapUsernameError, LdapPasswordError, LdapImportError
37 )
37 )
38 from kallithea.model.db import User
38 from kallithea.model.db import User
39
39
40 log = logging.getLogger(__name__)
40 log = logging.getLogger(__name__)
41
41
42 try:
42 try:
43 import ldap
43 import ldap
44 import ldap.filter
44 import ldap.filter
45 except ImportError:
45 except ImportError:
46 # means that python-ldap is not installed
46 # means that python-ldap is not installed
47 ldap = None
47 ldap = None
48
48
49
49
50 class AuthLdap(object):
50 class AuthLdap(object):
51
51
52 def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',
52 def __init__(self, server, base_dn, port=None, bind_dn='', bind_pass='',
53 tls_kind='PLAIN', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
53 tls_kind='LDAPS', tls_reqcert='DEMAND', cacertdir=None, ldap_version=3,
54 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
54 ldap_filter='(&(objectClass=user)(!(objectClass=computer)))',
55 search_scope='SUBTREE', attr_login='uid'):
55 search_scope='SUBTREE', attr_login='uid'):
56 if ldap is None:
56 if ldap is None:
57 raise LdapImportError
57 raise LdapImportError
58
58
59 self.ldap_version = ldap_version
59 self.ldap_version = ldap_version
60
60
61 self.TLS_KIND = tls_kind
61 self.TLS_KIND = tls_kind
62 OPT_X_TLS_DEMAND = 2
62 OPT_X_TLS_DEMAND = 2
63 self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
63 self.TLS_REQCERT = getattr(ldap, 'OPT_X_TLS_%s' % tls_reqcert,
64 OPT_X_TLS_DEMAND)
64 OPT_X_TLS_DEMAND)
65 self.cacertdir = cacertdir
65 self.cacertdir = cacertdir
66
66
67 protocol = 'ldaps' if self.TLS_KIND == 'LDAPS' else 'ldap'
67 protocol = 'ldaps' if self.TLS_KIND == 'LDAPS' else 'ldap'
68 if not port:
68 if not port:
69 port = 636 if self.TLS_KIND == 'LDAPS' else 389
69 port = 636 if self.TLS_KIND == 'LDAPS' else 389
70 self.LDAP_SERVER = str(', '.join(
70 self.LDAP_SERVER = str(', '.join(
71 "%s://%s:%s" % (protocol,
71 "%s://%s:%s" % (protocol,
72 host.strip(),
72 host.strip(),
73 port)
73 port)
74 for host in server.split(',')))
74 for host in server.split(',')))
75
75
76 self.LDAP_BIND_DN = safe_str(bind_dn)
76 self.LDAP_BIND_DN = safe_str(bind_dn)
77 self.LDAP_BIND_PASS = safe_str(bind_pass)
77 self.LDAP_BIND_PASS = safe_str(bind_pass)
78
78
79 self.BASE_DN = safe_str(base_dn)
79 self.BASE_DN = safe_str(base_dn)
80 self.LDAP_FILTER = safe_str(ldap_filter)
80 self.LDAP_FILTER = safe_str(ldap_filter)
81 self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
81 self.SEARCH_SCOPE = getattr(ldap, 'SCOPE_%s' % search_scope)
82 self.attr_login = attr_login
82 self.attr_login = attr_login
83
83
84 def authenticate_ldap(self, username, password):
84 def authenticate_ldap(self, username, password):
85 """
85 """
86 Authenticate a user via LDAP and return his/her LDAP properties.
86 Authenticate a user via LDAP and return his/her LDAP properties.
87
87
88 Raises AuthenticationError if the credentials are rejected, or
88 Raises AuthenticationError if the credentials are rejected, or
89 EnvironmentError if the LDAP server can't be reached.
89 EnvironmentError if the LDAP server can't be reached.
90
90
91 :param username: username
91 :param username: username
92 :param password: password
92 :param password: password
93 """
93 """
94
94
95 if not password:
95 if not password:
96 log.debug("Attempt to authenticate LDAP user "
96 log.debug("Attempt to authenticate LDAP user "
97 "with blank password rejected.")
97 "with blank password rejected.")
98 raise LdapPasswordError()
98 raise LdapPasswordError()
99 if "," in username:
99 if "," in username:
100 raise LdapUsernameError("invalid character in username: ,")
100 raise LdapUsernameError("invalid character in username: ,")
101 try:
101 try:
102 if self.cacertdir:
102 if self.cacertdir:
103 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
103 if hasattr(ldap, 'OPT_X_TLS_CACERTDIR'):
104 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.cacertdir)
104 ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.cacertdir)
105 else:
105 else:
106 log.debug("OPT_X_TLS_CACERTDIR is not available - can't set %s", self.cacertdir)
106 log.debug("OPT_X_TLS_CACERTDIR is not available - can't set %s", self.cacertdir)
107 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
107 ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
108 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
108 ldap.set_option(ldap.OPT_RESTART, ldap.OPT_ON)
109 ldap.set_option(ldap.OPT_TIMEOUT, 20)
109 ldap.set_option(ldap.OPT_TIMEOUT, 20)
110 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
110 ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 10)
111 ldap.set_option(ldap.OPT_TIMELIMIT, 15)
111 ldap.set_option(ldap.OPT_TIMELIMIT, 15)
112 if self.TLS_KIND != 'PLAIN':
112 if self.TLS_KIND != 'PLAIN':
113 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
113 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, self.TLS_REQCERT)
114 server = ldap.initialize(self.LDAP_SERVER)
114 server = ldap.initialize(self.LDAP_SERVER)
115 if self.ldap_version == 2:
115 if self.ldap_version == 2:
116 server.protocol = ldap.VERSION2
116 server.protocol = ldap.VERSION2
117 else:
117 else:
118 server.protocol = ldap.VERSION3
118 server.protocol = ldap.VERSION3
119
119
120 if self.TLS_KIND == 'START_TLS':
120 if self.TLS_KIND == 'START_TLS':
121 server.start_tls_s()
121 server.start_tls_s()
122
122
123 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
123 if self.LDAP_BIND_DN and self.LDAP_BIND_PASS:
124 log.debug('Trying simple_bind with password and given DN: %s',
124 log.debug('Trying simple_bind with password and given DN: %s',
125 self.LDAP_BIND_DN)
125 self.LDAP_BIND_DN)
126 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
126 server.simple_bind_s(self.LDAP_BIND_DN, self.LDAP_BIND_PASS)
127
127
128 filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER,
128 filter_ = '(&%s(%s=%s))' % (self.LDAP_FILTER,
129 ldap.filter.escape_filter_chars(self.attr_login),
129 ldap.filter.escape_filter_chars(self.attr_login),
130 ldap.filter.escape_filter_chars(username))
130 ldap.filter.escape_filter_chars(username))
131 log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
131 log.debug("Authenticating %r filter %s at %s", self.BASE_DN,
132 filter_, self.LDAP_SERVER)
132 filter_, self.LDAP_SERVER)
133 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
133 lobjects = server.search_ext_s(self.BASE_DN, self.SEARCH_SCOPE,
134 filter_)
134 filter_)
135
135
136 if not lobjects:
136 if not lobjects:
137 raise ldap.NO_SUCH_OBJECT()
137 raise ldap.NO_SUCH_OBJECT()
138
138
139 for (dn, _attrs) in lobjects:
139 for (dn, _attrs) in lobjects:
140 if dn is None:
140 if dn is None:
141 continue
141 continue
142
142
143 try:
143 try:
144 log.debug('Trying simple bind with %s', dn)
144 log.debug('Trying simple bind with %s', dn)
145 server.simple_bind_s(dn, safe_str(password))
145 server.simple_bind_s(dn, safe_str(password))
146 results = server.search_ext_s(dn, ldap.SCOPE_BASE,
146 results = server.search_ext_s(dn, ldap.SCOPE_BASE,
147 '(objectClass=*)')
147 '(objectClass=*)')
148 if len(results) == 1:
148 if len(results) == 1:
149 dn_, attrs = results[0]
149 dn_, attrs = results[0]
150 assert dn_ == dn
150 assert dn_ == dn
151 return dn, attrs
151 return dn, attrs
152
152
153 except ldap.INVALID_CREDENTIALS:
153 except ldap.INVALID_CREDENTIALS:
154 log.debug("LDAP rejected password for user '%s': %s",
154 log.debug("LDAP rejected password for user '%s': %s",
155 username, dn)
155 username, dn)
156 continue # accept authentication as another ldap user with same username
156 continue # accept authentication as another ldap user with same username
157
157
158 log.debug("No matching LDAP objects for authentication "
158 log.debug("No matching LDAP objects for authentication "
159 "of '%s'", username)
159 "of '%s'", username)
160 raise LdapPasswordError()
160 raise LdapPasswordError()
161
161
162 except ldap.NO_SUCH_OBJECT:
162 except ldap.NO_SUCH_OBJECT:
163 log.debug("LDAP says no such user '%s'", username)
163 log.debug("LDAP says no such user '%s'", username)
164 raise LdapUsernameError()
164 raise LdapUsernameError()
165 except ldap.SERVER_DOWN:
165 except ldap.SERVER_DOWN:
166 # [0] might be {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': "Can't contact LDAP server"}
166 # [0] might be {'info': "TLS error -8179:Peer's Certificate issuer is not recognized.", 'desc': "Can't contact LDAP server"}
167 raise LdapConnectionError("LDAP can't connect to authentication server")
167 raise LdapConnectionError("LDAP can't connect to authentication server")
168
168
169
169
170 class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):
170 class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):
171 def __init__(self):
171 def __init__(self):
172 self._logger = logging.getLogger(__name__)
172 self._logger = logging.getLogger(__name__)
173 self._tls_kind_values = ["PLAIN", "LDAPS", "START_TLS"]
173 self._tls_kind_values = ["PLAIN", "LDAPS", "START_TLS"]
174 self._tls_reqcert_values = ["NEVER", "ALLOW", "TRY", "DEMAND", "HARD"]
174 self._tls_reqcert_values = ["NEVER", "ALLOW", "TRY", "DEMAND", "HARD"]
175 self._search_scopes = ["BASE", "ONELEVEL", "SUBTREE"]
175 self._search_scopes = ["BASE", "ONELEVEL", "SUBTREE"]
176
176
177 @hybrid_property
177 @hybrid_property
178 def name(self):
178 def name(self):
179 return "ldap"
179 return "ldap"
180
180
181 def settings(self):
181 def settings(self):
182 settings = [
182 settings = [
183 {
183 {
184 "name": "host",
184 "name": "host",
185 "validator": self.validators.UnicodeString(strip=True),
185 "validator": self.validators.UnicodeString(strip=True),
186 "type": "string",
186 "type": "string",
187 "description": "Host of the LDAP Server",
187 "description": "Host of the LDAP Server",
188 "formname": "LDAP Host"
188 "formname": "LDAP Host"
189 },
189 },
190 {
190 {
191 "name": "port",
191 "name": "port",
192 "validator": self.validators.Number(strip=True),
192 "validator": self.validators.Number(strip=True),
193 "type": "string",
193 "type": "string",
194 "description": "Port that the LDAP server is listening on. Defaults to 389 for PLAIN/START_TLS and 636 for LDAPS.",
194 "description": "Port that the LDAP server is listening on. Defaults to 389 for PLAIN/START_TLS and 636 for LDAPS.",
195 "default": "",
195 "default": "",
196 "formname": "Custom LDAP Port"
196 "formname": "Custom LDAP Port"
197 },
197 },
198 {
198 {
199 "name": "dn_user",
199 "name": "dn_user",
200 "validator": self.validators.UnicodeString(strip=True),
200 "validator": self.validators.UnicodeString(strip=True),
201 "type": "string",
201 "type": "string",
202 "description": "User to connect to LDAP",
202 "description": "User to connect to LDAP",
203 "formname": "Account"
203 "formname": "Account"
204 },
204 },
205 {
205 {
206 "name": "dn_pass",
206 "name": "dn_pass",
207 "validator": self.validators.UnicodeString(strip=True),
207 "validator": self.validators.UnicodeString(strip=True),
208 "type": "password",
208 "type": "password",
209 "description": "Password to connect to LDAP",
209 "description": "Password to connect to LDAP",
210 "formname": "Password"
210 "formname": "Password"
211 },
211 },
212 {
212 {
213 "name": "tls_kind",
213 "name": "tls_kind",
214 "validator": self.validators.OneOf(self._tls_kind_values),
214 "validator": self.validators.OneOf(self._tls_kind_values),
215 "type": "select",
215 "type": "select",
216 "values": self._tls_kind_values,
216 "values": self._tls_kind_values,
217 "description": "TLS Type",
217 "description": "TLS Type",
218 "default": 'PLAIN',
218 "default": 'LDAPS',
219 "formname": "Connection Security"
219 "formname": "Connection Security"
220 },
220 },
221 {
221 {
222 "name": "tls_reqcert",
222 "name": "tls_reqcert",
223 "validator": self.validators.OneOf(self._tls_reqcert_values),
223 "validator": self.validators.OneOf(self._tls_reqcert_values),
224 "type": "select",
224 "type": "select",
225 "values": self._tls_reqcert_values,
225 "values": self._tls_reqcert_values,
226 "description": "Require Cert over TLS?",
226 "description": "Require Cert over TLS?",
227 "formname": "Certificate Checks"
227 "formname": "Certificate Checks"
228 },
228 },
229 {
229 {
230 "name": "cacertdir",
230 "name": "cacertdir",
231 "validator": self.validators.UnicodeString(strip=True),
231 "validator": self.validators.UnicodeString(strip=True),
232 "type": "string",
232 "type": "string",
233 "description": "Optional: Custom CA certificate directory for validating LDAPS",
233 "description": "Optional: Custom CA certificate directory for validating LDAPS",
234 "formname": "Custom CA Certificates"
234 "formname": "Custom CA Certificates"
235 },
235 },
236 {
236 {
237 "name": "base_dn",
237 "name": "base_dn",
238 "validator": self.validators.UnicodeString(strip=True),
238 "validator": self.validators.UnicodeString(strip=True),
239 "type": "string",
239 "type": "string",
240 "description": "Base DN to search (e.g., dc=mydomain,dc=com)",
240 "description": "Base DN to search (e.g., dc=mydomain,dc=com)",
241 "formname": "Base DN"
241 "formname": "Base DN"
242 },
242 },
243 {
243 {
244 "name": "filter",
244 "name": "filter",
245 "validator": self.validators.UnicodeString(strip=True),
245 "validator": self.validators.UnicodeString(strip=True),
246 "type": "string",
246 "type": "string",
247 "description": "Filter to narrow results (e.g., ou=Users, etc)",
247 "description": "Filter to narrow results (e.g., ou=Users, etc)",
248 "formname": "LDAP Search Filter"
248 "formname": "LDAP Search Filter"
249 },
249 },
250 {
250 {
251 "name": "search_scope",
251 "name": "search_scope",
252 "validator": self.validators.OneOf(self._search_scopes),
252 "validator": self.validators.OneOf(self._search_scopes),
253 "type": "select",
253 "type": "select",
254 "values": self._search_scopes,
254 "values": self._search_scopes,
255 "description": "How deep to search LDAP",
255 "description": "How deep to search LDAP",
256 "formname": "LDAP Search Scope"
256 "formname": "LDAP Search Scope"
257 },
257 },
258 {
258 {
259 "name": "attr_login",
259 "name": "attr_login",
260 "validator": self.validators.AttrLoginValidator(not_empty=True, strip=True),
260 "validator": self.validators.AttrLoginValidator(not_empty=True, strip=True),
261 "type": "string",
261 "type": "string",
262 "description": "LDAP Attribute to map to user name",
262 "description": "LDAP Attribute to map to user name",
263 "formname": "Login Attribute"
263 "formname": "Login Attribute"
264 },
264 },
265 {
265 {
266 "name": "attr_firstname",
266 "name": "attr_firstname",
267 "validator": self.validators.UnicodeString(strip=True),
267 "validator": self.validators.UnicodeString(strip=True),
268 "type": "string",
268 "type": "string",
269 "description": "LDAP Attribute to map to first name",
269 "description": "LDAP Attribute to map to first name",
270 "formname": "First Name Attribute"
270 "formname": "First Name Attribute"
271 },
271 },
272 {
272 {
273 "name": "attr_lastname",
273 "name": "attr_lastname",
274 "validator": self.validators.UnicodeString(strip=True),
274 "validator": self.validators.UnicodeString(strip=True),
275 "type": "string",
275 "type": "string",
276 "description": "LDAP Attribute to map to last name",
276 "description": "LDAP Attribute to map to last name",
277 "formname": "Last Name Attribute"
277 "formname": "Last Name Attribute"
278 },
278 },
279 {
279 {
280 "name": "attr_email",
280 "name": "attr_email",
281 "validator": self.validators.UnicodeString(strip=True),
281 "validator": self.validators.UnicodeString(strip=True),
282 "type": "string",
282 "type": "string",
283 "description": "LDAP Attribute to map to email address",
283 "description": "LDAP Attribute to map to email address",
284 "formname": "Email Attribute"
284 "formname": "Email Attribute"
285 }
285 }
286 ]
286 ]
287 return settings
287 return settings
288
288
289 def use_fake_password(self):
289 def use_fake_password(self):
290 return True
290 return True
291
291
292 def user_activation_state(self):
292 def user_activation_state(self):
293 def_user_perms = User.get_default_user().AuthUser.permissions['global']
293 def_user_perms = User.get_default_user().AuthUser.permissions['global']
294 return 'hg.extern_activate.auto' in def_user_perms
294 return 'hg.extern_activate.auto' in def_user_perms
295
295
296 def auth(self, userobj, username, password, settings, **kwargs):
296 def auth(self, userobj, username, password, settings, **kwargs):
297 """
297 """
298 Given a user object (which may be null), username, a plaintext password,
298 Given a user object (which may be null), username, a plaintext password,
299 and a settings object (containing all the keys needed as listed in settings()),
299 and a settings object (containing all the keys needed as listed in settings()),
300 authenticate this user's login attempt.
300 authenticate this user's login attempt.
301
301
302 Return None on failure. On success, return a dictionary of the form:
302 Return None on failure. On success, return a dictionary of the form:
303
303
304 see: KallitheaAuthPluginBase.auth_func_attrs
304 see: KallitheaAuthPluginBase.auth_func_attrs
305 This is later validated for correctness
305 This is later validated for correctness
306 """
306 """
307
307
308 if not username or not password:
308 if not username or not password:
309 log.debug('Empty username or password skipping...')
309 log.debug('Empty username or password skipping...')
310 return None
310 return None
311
311
312 kwargs = {
312 kwargs = {
313 'server': settings.get('host', ''),
313 'server': settings.get('host', ''),
314 'base_dn': settings.get('base_dn', ''),
314 'base_dn': settings.get('base_dn', ''),
315 'port': settings.get('port'),
315 'port': settings.get('port'),
316 'bind_dn': settings.get('dn_user'),
316 'bind_dn': settings.get('dn_user'),
317 'bind_pass': settings.get('dn_pass'),
317 'bind_pass': settings.get('dn_pass'),
318 'tls_kind': settings.get('tls_kind'),
318 'tls_kind': settings.get('tls_kind'),
319 'tls_reqcert': settings.get('tls_reqcert'),
319 'tls_reqcert': settings.get('tls_reqcert'),
320 'cacertdir': settings.get('cacertdir'),
320 'cacertdir': settings.get('cacertdir'),
321 'ldap_filter': settings.get('filter'),
321 'ldap_filter': settings.get('filter'),
322 'search_scope': settings.get('search_scope'),
322 'search_scope': settings.get('search_scope'),
323 'attr_login': settings.get('attr_login'),
323 'attr_login': settings.get('attr_login'),
324 'ldap_version': 3,
324 'ldap_version': 3,
325 }
325 }
326
326
327 if kwargs['bind_dn'] and not kwargs['bind_pass']:
327 if kwargs['bind_dn'] and not kwargs['bind_pass']:
328 log.debug('Using dynamic binding.')
328 log.debug('Using dynamic binding.')
329 kwargs['bind_dn'] = kwargs['bind_dn'].replace('$login', username)
329 kwargs['bind_dn'] = kwargs['bind_dn'].replace('$login', username)
330 kwargs['bind_pass'] = password
330 kwargs['bind_pass'] = password
331 log.debug('Checking for ldap authentication')
331 log.debug('Checking for ldap authentication')
332
332
333 try:
333 try:
334 aldap = AuthLdap(**kwargs)
334 aldap = AuthLdap(**kwargs)
335 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
335 (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)
336 log.debug('Got ldap DN response %s', user_dn)
336 log.debug('Got ldap DN response %s', user_dn)
337
337
338 get_ldap_attr = lambda k: ldap_attrs.get(settings.get(k), [''])[0]
338 get_ldap_attr = lambda k: ldap_attrs.get(settings.get(k), [''])[0]
339
339
340 # old attrs fetched from Kallithea database
340 # old attrs fetched from Kallithea database
341 admin = getattr(userobj, 'admin', False)
341 admin = getattr(userobj, 'admin', False)
342 active = getattr(userobj, 'active', self.user_activation_state())
342 active = getattr(userobj, 'active', self.user_activation_state())
343 email = getattr(userobj, 'email', '')
343 email = getattr(userobj, 'email', '')
344 firstname = getattr(userobj, 'firstname', '')
344 firstname = getattr(userobj, 'firstname', '')
345 lastname = getattr(userobj, 'lastname', '')
345 lastname = getattr(userobj, 'lastname', '')
346
346
347 user_data = {
347 user_data = {
348 'username': username,
348 'username': username,
349 'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),
349 'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),
350 'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),
350 'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),
351 'groups': [],
351 'groups': [],
352 'email': get_ldap_attr('attr_email') or email,
352 'email': get_ldap_attr('attr_email') or email,
353 'admin': admin,
353 'admin': admin,
354 'active': active,
354 'active': active,
355 "active_from_extern": None,
355 "active_from_extern": None,
356 'extern_name': user_dn,
356 'extern_name': user_dn,
357 }
357 }
358 log.info('user %s authenticated correctly', user_data['username'])
358 log.info('user %s authenticated correctly', user_data['username'])
359 return user_data
359 return user_data
360
360
361 except LdapUsernameError:
361 except LdapUsernameError:
362 log.info('Error authenticating %s with LDAP: User not found', username)
362 log.info('Error authenticating %s with LDAP: User not found', username)
363 except LdapPasswordError:
363 except LdapPasswordError:
364 log.info('Error authenticating %s with LDAP: Password error', username)
364 log.info('Error authenticating %s with LDAP: Password error', username)
365 except LdapImportError:
365 except LdapImportError:
366 log.error('Error authenticating %s with LDAP: LDAP not available', username)
366 log.error('Error authenticating %s with LDAP: LDAP not available', username)
367 return None
367 return None
368
368
369 def get_managed_fields(self):
369 def get_managed_fields(self):
370 return ['username', 'firstname', 'lastname', 'email', 'password']
370 return ['username', 'firstname', 'lastname', 'email', 'password']
General Comments 0
You need to be logged in to leave comments. Login now