comparison docs/setup.rst @ 992:c03d16787b5c issue-108

Update documentation for LDAP settings (and add Active Directory information).
author Thayne Harbaugh <thayne@fusionio.com>
date Thu, 03 Feb 2011 18:27:00 -0700
parents aa550e290f26
children 053983a464e4
991:b232a36cc51f 992:c03d16787b5c
125 125
126 Setting up LDAP support 126 Setting up LDAP support
127 ----------------------- 127 -----------------------
128 128
129 RhodeCode starting from version 1.1 supports ldap authentication. In order 129 RhodeCode starting from version 1.1 supports ldap authentication. In order
130 to use ldap, You have to install python-ldap package. This package is available 130 to use LDAP, You have to install python-ldap_ package. This package is available
131 via pypi, so You can install it by running 131 via pypi, so You can install it by running
132 132
133 :: 133 ::
134 134
135 easy_install python-ldap 135 easy_install python-ldap
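Review bot: capitalization is left inconsistent in this block: line 129 still reads "supports ldap authentication" while line 130 is changed to "to use LDAP". Since the rest of the section is being normalized to "LDAP", change line 129 to "supports LDAP authentication" in the same pass.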
140 140
141 .. note:: 141 .. note::
142 python-ldap requires some certain libs on Your system, so before installing 142 python-ldap requires some certain libs on Your system, so before installing
143 it check that You have at least `openldap`, and `sasl` libraries. 143 it check that You have at least `openldap`, and `sasl` libraries.
144 144
145 ldap settings are located in admin->ldap section, 145 LDAP settings are located in admin->ldap section,
146 146
147 Here's a typical ldap setup:: 147 This is a typical LDAP setup::
148 148
149 Enable ldap = checked #controls if ldap access is enabled 149 Connection settings
150 Host = host.domain.org #actual ldap server to connect 150 Enable LDAP = checked
151 Port = 389 or 689 for ldaps #ldap server ports 151 Host = host.example.org
152 Enable LDAPS = unchecked #enable disable ldaps 152 Port = 389
153 Account = <account> #access for ldap server(if required) 153 Account = <account>
154 Password = <password> #password for ldap server(if required) 154 Password = <password>
155 Base DN = uid=%(user)s,CN=users,DC=host,DC=domain,DC=org 155 Enable LDAPS = checked
156 156 Certificate Checks = DEMAND
157 157
158 `Account` and `Password` are optional, and used for two-phase ldap 158 Search settings
159 authentication so those are credentials to access Your ldap, if it doesn't 159 Base DN = CN=users,DC=host,DC=example,DC=org
160 support anonymous search/user lookups. 160 LDAP Filter = (&(objectClass=user)(!(objectClass=computer)))
161 161 LDAP Search Scope = SUBTREE
162 Base DN must have %(user)s template inside, it's a placer where Your uid used 162
163 to login would go, it allows admins to specify not standard schema for uid 163 Attribute mappings
164 variable 164 Login Attribute = uid
165 165 First Name Attribute = firstName
166 If all data are entered correctly, and `python-ldap` is properly installed 166 Last Name Attribute = lastName
167 Users should be granted to access RhodeCode wit ldap accounts. When 167 E-mail Attribute = mail
168 logging at the first time an special ldap account is created inside RhodeCode, 168
169 so You can control over permissions even on ldap users. If such user exists 169 .. _enable_ldap:
170 already in RhodeCode database ldap user with the same username would be not 170
171 able to access RhodeCode. 171 Enable LDAP : required
172 172 Whether to use LDAP for authenticating users.
173 If You have problems with ldap access and believe You entered correct 173
174 information check out the RhodeCode logs,any error messages sent from 174 .. _ldap_host:
175 ldap will be saved there. 175
176 176 Host : required
177 177 LDAP server hostname or IP address.
178
179 .. _Port:
180
181 Port : required
182 389 for un-encrypted LDAP, 636 for SSL-encrypted LDAP.
183
184 .. _ldap_account:
185
186 Account : optional
187 Only required if the LDAP server does not allow anonymous browsing of
188 records. This should be a special account for record browsing. This
189 will require `LDAP Password`_ below.
190
191 .. _LDAP Password:
192
193 Password : optional
194 Only required if the LDAP server does not allow anonymous browsing of
195 records.
196
197 .. _Enable LDAPS:
198
199 Enable LDAPS : optional
200 Check this if SSL encryption is necessary for communication with the
201 LDAP server - it will likely require `Port`_ to be set to a different
202 value (standard LDAPS port is 636). When LDAPS is enabled then
203 `Certificate Checks`_ is required.
204
205 .. _Certificate Checks:
206
207 Certificate Checks : optional
208 How SSL certificates verification is handled - this is only useful when
209 `Enable LDAPS`_ is enabled. Only DEMAND or HARD offer full SSL security while
210 the other options are susceptible to man-in-the-middle attacks. SSL
211 certificates can be installed to /etc/openldap/cacerts so that the
212 DEMAND or HARD options can be used with self-signed certificates or
213 certificates that do not have traceable certificates of authority.
214
215 NEVER
216 A serve certificate will never be requested or checked.
217
218 ALLOW
219 A server certificate is requested. Failure to provide a
220 certificate or providing a bad certificate will not terminate the
221 session.
222
223 TRY
224 A server certificate is requested. Failure to provide a
225 certificate does not halt the session; providing a bad certificate
226 halts the session.
227
228 DEMAND
229 A server certificate is requested and must be provided and
230 authenticated for the session to proceed.
231
232 HARD
233 The same as DEMAND.
234
235 .. _Base DN:
236
237 Base DN : required
238 The Distinguished Name (DN) where searches for users will be performed.
239 Searches can be controlled by `LDAP Filter`_ and `LDAP Search Scope`_.
240
241 .. _LDAP Filter:
242
243 LDAP Filter : optional
244 A LDAP filter defined by RFC 2254. This is more useful when `LDAP
245 Search Scope`_ is set to SUBTREE. The filter is useful for limiting
246 which LDAP objects are identified as representing Users for
247 authentication. The filter is augmented by `Login Attribute`_ below.
248 This can commonly be left blank.
249
250 .. _LDAP Search Scope:
251
252 LDAP Search Scope : required
253 This limits how far LDAP will search for a matching object.
254
255 BASE
256 Only allows searching of `Base DN`_ and is usually not what you
257 want.
258
259 ONELEVEL
260 Searches all entries under `Base DN`_, but not Base DN itself.
261
262 SUBTREE
263 Searches all entries below `Base DN`_, but not Base DN itself.
264 When using SUBTREE `LDAP Filter`_ is useful to limit object
265 location.
266
267 .. _Login Attribute:
268
269 Login Attribute : required
270 The LDAP record attribute that will be matched as the USERNAME or
271 ACCOUNT used to connect to RhodeCode. This will be added to `LDAP
272 Filter`_ for locating the User object. If `LDAP Filter`_ is specified as
273 "LDAPFILTER", `Login Attribute`_ is specified as "uid" and the user has
274 connected as "jsmith" then the `LDAP Filter`_ will be augmented as below
275 ::
276
277 (&(LDAPFILTER)(uid=jsmith))
278
279 .. _ldap_attr_firstname:
280
281 First Name Attribute : required
282 The LDAP record attribute which represents the user's first name.
283
284 .. _ldap_attr_lastname:
285
286 Last Name Attribute : required
287 The LDAP record attribute which represents the user's last name.
288
289 .. _ldap_attr_email:
290
291 Email Attribute : required
292 The LDAP record attribute which represents the user's email address.
293
294 If all data are entered correctly, and python-ldap_ is properly installed
295 users should be granted access to RhodeCode with ldap accounts. At this
296 time user information is copied from LDAP into the RhodeCode user database.
297 This means that updates of an LDAP user object may not be reflected as a
298 user update in RhodeCode.
299
300 If You have problems with LDAP access and believe You entered correct
301 information check out the RhodeCode logs, any error messages sent from LDAP
302 will be saved there.
303
304 Active Directory
305 ''''''''''''''''
306
307 RhodeCode can use Microsoft Active Directory for user authentication. This
308 is done through an LDAP or LDAPS connection to Active Directory. The
309 following LDAP configuration settings are typical for using Active
310 Directory ::
311
312 Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
313 Login Attribute = sAMAccountName
314 First Name Attribute = givenName
315 Last Name Attribute = sn
316 E-mail Attribute = mail
317
318 All other LDAP settings will likely be site-specific and should be
319 appropriately configured.
178 320
179 Setting Up Celery 321 Setting Up Celery
180 ----------------- 322 -----------------
181 323
182 Since version 1.1 celery is configured by the rhodecode ini configuration files 324 Since version 1.1 celery is configured by the rhodecode ini configuration files
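Review bot: the ONELEVEL and SUBTREE entries (new lines 259-265) are described with the same words, "Searches all entries under `Base DN`_, but not Base DN itself" versus "Searches all entries below `Base DN`_, but not Base DN itself", so a reader cannot tell them apart and the SUBTREE wording is wrong: ONELEVEL searches only the immediate children of the Base DN, while SUBTREE searches the Base DN entry itself and every entry beneath it (RFC 4511 wholeSubtree includes the base). Suggested text for SUBTREE: "Searches `Base DN`_ itself and all entries below it, at any depth." Further points in the same hunk: line 207 labels "Certificate Checks : optional" although line 203 says it "is required" once LDAPS is enabled; pick one, and state plainly that DEMAND (or HARD) is the value to use, since the text itself says the other options are susceptible to man-in-the-middle attacks. Line 216 has a typo, "A serve certificate" should be "A server certificate". The CA path on line 211, /etc/openldap/cacerts, is the default of one OpenLDAP packaging (TLS_CACERTDIR in ldap.conf) and should be described as build-specific rather than as the place. The filter construction on line 277, "(&(LDAPFILTER)(uid=jsmith))", interpolates the value typed at login; the text should say that the login value is escaped per RFC 4515 before interpolation, and line 244 should cite RFC 4515 rather than RFC 2254, which it obsoletes. Lines 186-189 should say the bind account is a read-only, least-privileged account used only for lookups, and the Active Directory section (line 307 onward) should note that a default AD installation does not permit anonymous searches, so `Account` and `Password` are effectively required there. Finally, line 291 says "Email Attribute" while lines 167 and 316 say "E-mail Attribute"; use one spelling so the labels match the admin UI.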
325 .. _virtualenv: http://pypi.python.org/pypi/virtualenv 467 .. _virtualenv: http://pypi.python.org/pypi/virtualenv
326 .. _python: http://www.python.org/ 468 .. _python: http://www.python.org/
327 .. _mercurial: http://mercurial.selenic.com/ 469 .. _mercurial: http://mercurial.selenic.com/
328 .. _celery: http://celeryproject.org/ 470 .. _celery: http://celeryproject.org/
329 .. _rabbitmq: http://www.rabbitmq.com/ 471 .. _rabbitmq: http://www.rabbitmq.com/
472 .. _python-ldap: http://www.python-ldap.org/