comparison docs/setup.rst @ 992:c03d16787b5c issue-108
Update documentation for LDAP settings (and add Active Directory information).
author | Thayne Harbaugh <thayne@fusionio.com> |
---|---|
date | Thu, 03 Feb 2011 18:27:00 -0700 |
parents | aa550e290f26 |
children | 053983a464e4 |
991:b232a36cc51f | 992:c03d16787b5c |
---|---|
125 | 125 |
126 Setting up LDAP support | 126 Setting up LDAP support |
127 ----------------------- | 127 ----------------------- |
128 | 128 |
129 RhodeCode starting from version 1.1 supports ldap authentication. In order | 129 RhodeCode starting from version 1.1 supports ldap authentication. In order |
130 to use ldap, You have to install python-ldap package. This package is available | 130 to use LDAP, You have to install python-ldap_ package. This package is available |
131 via pypi, so You can install it by running | 131 via pypi, so You can install it by running |
132 | 132 |
133 :: | 133 :: |
134 | 134 |
135 easy_install python-ldap | 135 easy_install python-ldap |
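Review bot: the rewrite of 130 fixes the case of "LDAP" and turns python-ldap into a reference, but the same sentence still capitalizes "You" mid-sentence and writes the package index as "pypi"; suggest "to use LDAP, you have to install the python-ldap_ package. This package is available via PyPI, so you can install it by running". The surrounding context at 129 and 131 keeps the old "ldap" / "You" spelling, so a single pass over this paragraph would make it consistent.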
140 | 140 |
141 .. note:: | 141 .. note:: |
142 python-ldap requires some certain libs on Your system, so before installing | 142 python-ldap requires some certain libs on Your system, so before installing |
143 it check that You have at least `openldap`, and `sasl` libraries. | 143 it check that You have at least `openldap`, and `sasl` libraries. |
144 | 144 |
145 ldap settings are located in admin->ldap section, | 145 LDAP settings are located in admin->ldap section, |
146 | 146 |
147 Here's a typical ldap setup:: | 147 This is a typical LDAP setup:: |
148 | 148 |
149 Enable ldap = checked #controls if ldap access is enabled | 149 Connection settings |
150 Host = host.domain.org #actual ldap server to connect | 150 Enable LDAP = checked |
151 Port = 389 or 689 for ldaps #ldap server ports | 151 Host = host.example.org |
152 Enable LDAPS = unchecked #enable disable ldaps | 152 Port = 389 |
153 Account = <account> #access for ldap server(if required) | 153 Account = <account> |
154 Password = <password> #password for ldap server(if required) | 154 Password = <password> |
155 Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org | 155 Enable LDAPS = checked |
156 | 156 Certificate Checks = DEMAND |
157 | 157 |
158 `Account` and `Password` are optional, and used for two-phase ldap | 158 Search settings |
159 authentication so those are credentials to access Your ldap, if it doesn't | 159 Base DN = CN=users,DC=host,DC=example,DC=org |
160 support anonymous search/user lookups. | 160 LDAP Filter = (&(objectClass=user)(!(objectClass=computer))) |
161 | 161 LDAP Search Scope = SUBTREE |
162 Base DN must have %(user)s template inside, it's a placer where Your uid used | 162 |
163 to login would go, it allows admins to specify not standard schema for uid | 163 Attribute mappings |
164 variable | 164 Login Attribute = uid |
165 | 165 First Name Attribute = firstName |
166 If all data are entered correctly, and `python-ldap` is properly installed | 166 Last Name Attribute = lastName |
167 Users should be granted to access RhodeCode wit ldap accounts. When | 167 E-mail Attribute = mail |
168 logging at the first time an special ldap account is created inside RhodeCode, | 168 |
169 so You can control over permissions even on ldap users. If such user exists | 169 .. _enable_ldap: |
170 already in RhodeCode database ldap user with the same username would be not | 170 |
171 able to access RhodeCode. | 171 Enable LDAP : required |
172 | 172 Whether to use LDAP for authenticating users. |
173 If You have problems with ldap access and believe You entered correct | 173 |
174 information check out the RhodeCode logs,any error messages sent from | 174 .. _ldap_host: |
175 ldap will be saved there. | 175 |
176 | 176 Host : required |
177 | 177 LDAP server hostname or IP address. |
178 | |
179 .. _Port: | |
180 | |
181 Port : required | |
182 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP. | |
183 | |
184 .. _ldap_account: | |
185 | |
186 Account : optional | |
187 Only required if the LDAP server does not allow anonymous browsing of | |
188 records. This should be a special account for record browsing. This | |
189 will require `LDAP Password`_ below. | |
190 | |
191 .. _LDAP Password: | |
192 | |
193 Password : optional | |
194 Only required if the LDAP server does not allow anonymous browsing of | |
195 records. | |
196 | |
197 .. _Enable LDAPS: | |
198 | |
199 Enable LDAPS : optional | |
200 Check this if SSL encryption is necessary for communication with the | |
201 LDAP server - it will likely require `Port`_ to be set to a different | |
202 value (standard LDAPS port is 636). When LDAPS is enabled then | |
203 `Certificate Checks`_ is required. | |
204 | |
205 .. _Certificate Checks: | |
206 | |
207 Certificate Checks : optional | |
208 How SSL certificates verification is handled - this is only useful when | |
209 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while | |
210 the other options are susceptible to man-in-the-middle attacks. SSL | |
211 certificates can be installed to /etc/openldap/cacerts so that the | |
212 DEMAND or HARD options can be used with self-signed certificates or | |
213 certificates that do not have traceable certificates of authority. | |
214 | |
215 NEVER | |
216 A serve certificate will never be requested or checked. | |
217 | |
218 ALLOW | |
219 A server certificate is requested. Failure to provide a | |
220 certificate or providing a bad certificate will not terminate the | |
221 session. | |
222 | |
223 TRY | |
224 A server certificate is requested. Failure to provide a | |
225 certificate does not halt the session; providing a bad certificate | |
226 halts the session. | |
227 | |
228 DEMAND | |
229 A server certificate is requested and must be provided and | |
230 authenticated for the session to proceed. | |
231 | |
232 HARD | |
233 The same as DEMAND. | |
234 | |
235 .. _Base DN: | |
236 | |
237 Base DN : required | |
238 The Distinguished Name (DN) where searches for users will be performed. | |
239 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_. | |
240 | |
241 .. _LDAP Filter: | |
242 | |
243 LDAP Filter : optional | |
244 A LDAP filter defined by RFC 2254. This is more useful when `LDAP | |
245 Search Scope`_ is set to SUBTREE. The filter is useful for limiting | |
246 which LDAP objects are identified as representing Users for | |
247 authentication. The filter is augmented by `Login Attribute`_ below. | |
248 This can commonly be left blank. | |
249 | |
250 .. _LDAP Search Scope: | |
251 | |
252 LDAP Search Scope : required | |
253 This limits how far LDAP will search for a matching object. | |
254 | |
255 BASE | |
256 Only allows searching of `Base DN`_ and is usually not what you | |
257 want. | |
258 | |
259 ONELEVEL | |
260 Searches all entries under `Base DN`_, but not Base DN itself. | |
261 | |
262 SUBTREE | |
263 Searches all entries below `Base DN`_, but not Base DN itself. | |
264 When using SUBTREE `LDAP Filter`_ is useful to limit object | |
265 location. | |
266 | |
267 .. _Login Attribute: | |
268 | |
269 Login Attribute : required | |
270 The LDAP record attribute that will be matched as the USERNAME or | |
271 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP | |
272 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as | |
273 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has | |
274 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below | |
275 :: | |
276 | |
277 (&(LDAPFILTER)(uid=jsmith)) | |
278 | |
279 .. _ldap_attr_firstname: | |
280 | |
281 First Name Attribute : required | |
282 The LDAP record attribute which represents the user's first name. | |
283 | |
284 .. _ldap_attr_lastname: | |
285 | |
286 Last Name Attribute : required | |
287 The LDAP record attribute which represents the user's last name. | |
288 | |
289 .. _ldap_attr_email: | |
290 | |
291 Email Attribute : required | |
292 The LDAP record attribute which represents the user's email address. | |
293 | |
294 If all data are entered correctly, and python-ldap_ is properly installed | |
295 users should be granted access to RhodeCode with ldap accounts. At this | |
296 time user information is copied from LDAP into the RhodeCode user database. | |
297 This means that updates of an LDAP user object may not be reflected as a | |
298 user update in RhodeCode. | |
299 | |
300 If You have problems with LDAP access and believe You entered correct | |
301 information check out the RhodeCode logs, any error messages sent from LDAP | |
302 will be saved there. | |
303 | |
304 Active Directory | |
305 '''''''''''''''' | |
306 | |
307 RhodeCode can use Microsoft Active Directory for user authentication. This | |
308 is done through an LDAP or LDAPS connection to Active Directory. The | |
309 following LDAP configuration settings are typical for using Active | |
310 Directory :: | |
311 | |
312 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local | |
313 Login Attribute = sAMAccountName | |
314 First Name Attribute = givenName | |
315 Last Name Attribute = sn | |
316 E-mail Attribute = mail | |
317 | |
318 All other LDAP settings will likely be site-specific and should be | |
319 appropriately configured. | |
178 | 320 |
179 Setting Up Celery | 321 Setting Up Celery |
180 ----------------- | 322 ----------------- |
181 | 323 |
182 Since version 1.1 celery is configured by the rhodecode ini configuration files | 324 Since version 1.1 celery is configured by the rhodecode ini configuration files |
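Review bot: the sample "Connection settings" block at 149-156 is internally inconsistent: it sets `Port = 389` together with `Enable LDAPS = checked`, while the Port description at 182 and the Enable LDAPS description at 201-202 say LDAPS normally needs port 636; change the sample to `Port = 636` (or leave LDAPS unchecked in it) so the example does not lead an admin to a plaintext connection they believe is encrypted. Related, 203 says Certificate Checks is required once LDAPS is enabled, but the heading at 207 marks it "optional"; the two should agree. Second, the ONELEVEL and SUBTREE entries at 259-263 read the same ("all entries under Base DN" vs "all entries below Base DN", both "but not Base DN itself"), so the distinction is lost: ONELEVEL should say it searches only the immediate children of Base DN, and SUBTREE should say it searches Base DN and everything beneath it at any depth (the LDAP wholeSubtree scope includes the base entry). Smaller items: "A serve certificate" at 216 should be "A server certificate"; "A LDAP filter defined by RFC 2254" at 244 should read "An LDAP filter", and RFC 2254 has been obsoleted by RFC 4515; the heading at 291 says "Email Attribute" while the samples at 167 and 316 say "E-mail Attribute", so pick one spelling; and the Active Directory sample at 312 uses a site-specific tree (`OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local`) where the rest of the section uses `example.org` placeholders.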
325 .. _virtualenv: http://pypi.python.org/pypi/virtualenv | 467 .. _virtualenv: http://pypi.python.org/pypi/virtualenv |
326 .. _python: http://www.python.org/ | 468 .. _python: http://www.python.org/ |
327 .. _mercurial: http://mercurial.selenic.com/ | 469 .. _mercurial: http://mercurial.selenic.com/ |
328 .. _celery: http://celeryproject.org/ | 470 .. _celery: http://celeryproject.org/ |
329 .. _rabbitmq: http://www.rabbitmq.com/ | 471 .. _rabbitmq: http://www.rabbitmq.com/ |
472 .. _python-ldap: http://www.python-ldap.org/ |