doc/book/en/admin/ldap.rst
author Nicolas Chauvat <nicolas.chauvat@logilab.fr>
Tue, 09 Mar 2010 19:39:50 +0100
branchstable
changeset 4852 1693d6174251
parent 4753 dd6ae6512916
child 4936 a4b772a0d801
permissions -rw-r--r--
[documentation] fix errors in book chapter instance-config
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
1714
a721966779be new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff changeset
     1
LDAP integration
a721966779be new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff changeset
     2
================
a721966779be new book layout, do not compile yet
sylvain.thenault@logilab.fr
parents:
diff changeset
     3
4740
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
     4
Overview
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
     5
--------
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
     6
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
     7
Using LDAP as a source for user credentials and information is quite
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
     8
easy. The most difficult part lies in building an LDAP schema or
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
     9
using an existing one.
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    10
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    11
At cube creation time, one is asked if more sources are wanted. LDAP
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    12
is one possible option at this time. Of course, it is always possible
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    13
to set it up later in the `source` configuration file, which we
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    14
discuss there.
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    15
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    16
It is possible to add as many LDAP sources as wanted, which translates
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    17
in as many [ldapxxx] sections in the `source` configuration file.
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    18
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    19
The general principle of the LDAP source is, given a proper
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    20
configuration, to create local users matching the users available in
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    21
the directory, deriving local user attributes from directory users
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    22
attributes. Then a periodic task ensures local user information
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    23
synchronization with the directory.
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    24
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    25
Credential checks are _always_ done against the LDAP server.
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    26
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    27
The base functionality for this is in
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    28
cubicweb/server/sources/ldapuser.py.
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    29
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    30
Configurations options
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    31
----------------------
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    32
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    33
Let us enumerate the options (but please keep in mind that the
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    34
authoritative source for these is in the aforementioned python
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    35
module), by categories (LDAP server connection, LDAP schema mapping
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    36
information, LDAP source internal configuration).
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    37
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    38
LDAP server connection options:
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    39
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    40
* host: may contain port information using <host>:<port> notation.
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    41
* protocol (choices are ldap, ldaps, ldapi)
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    42
* auth-mode (choices are simple, cram_md5, digest_md5, gssapi, support
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    43
  for the later being partial as of now)
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    44
* auth-realm, realm to use when using gssapi/kerberos authentication
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    45
* data-cnx-dn, user dn to use to open data connection to the ldap (eg
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    46
  used to respond to rql queries)
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    47
* data-cnx-password, password to use to open data connection to the
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    48
  ldap (eg used to respond to rql queries)
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    49
4753
dd6ae6512916 [book/ldap] note on the role of two options
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 4740
diff changeset
    50
If the LDAP server accepts anonymous binds, then it is possible to
dd6ae6512916 [book/ldap] note on the role of two options
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 4740
diff changeset
    51
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
dd6ae6512916 [book/ldap] note on the role of two options
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 4740
diff changeset
    52
unlikely in practice.
dd6ae6512916 [book/ldap] note on the role of two options
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 4740
diff changeset
    53
4740
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    54
LDAP schema mapping:
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    55
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    56
* user-base-dn, base DN to lookup for users
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    57
* user-scope, user search scope
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    58
* user-classes, classes of user
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    59
* user-attrs-map, map from ldap user attributes to cubicweb attributes
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    60
* user-login-attr, attribute used as login on authentication
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    61
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    62
LDAP source internal configuration:
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    63
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    64
* user-default-group, name of a group in which ldap users will be by
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    65
  default. You can set multiple groups by separating them by a comma
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    66
* synchronization-interval, interval between synchronization with the
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    67
  ldap directory in seconds (default to once a day)
fee30ae3bc08 [book/ldap] add missing LDAP section
Aurelien Campeas <aurelien.campeas@logilab.fr>
parents: 1714
diff changeset
    68
* life time of query cache in minutes (default to two hours).