author | Nicolas Chauvat <nicolas.chauvat@logilab.fr> |
Wed, 28 Nov 2012 11:44:15 +0100 | |
branch | stable |
changeset 8604 | 7bacc4f21edc |
parent 8478 | e099ebc65e61 |
child 8639 | 2fddbe32ae8b |
permissions | -rw-r--r-- |
.. _LDAP:

LDAP integration
================

Overview
--------

Using LDAP as a source for user credentials and information is
straightforward. The most difficult part lies in the LDAP schema:
building one, or mapping an existing one onto CubicWeb's user
attributes.

When an instance is created, one is asked whether additional sources
are wanted; LDAP is one of the available options. It is also possible
to set it up later in the `sources` configuration file, which we
discuss below.

As many LDAP sources as wanted can be added, which translates into as
many `[ldapxxx]` sections in the `sources` configuration file.

The general principle of the LDAP source is, given a proper
configuration, to create local users matching the users available in
the directory, deriving the local user attributes from the directory
entries' attributes. A periodic task then keeps the local user
information synchronized with the directory.

Credential checks are *always* done against the LDAP server: the
local user is a synchronized copy of the directory attributes, not an
alternative credential store, so an LDAP user cannot log in while the
directory is unreachable.

The base functionality for this is in
:file:`cubicweb/server/sources/ldapuser.py`.

External dependencies
---------------------

You'll need the following packages to make CubicWeb interact with your LDAP /
Active Directory server:

* python-ldap
* ldaputils if using the `ldapfeed` source

Configuration options
---------------------

Let us enumerate the options (but please keep in mind that the
authoritative source for these is the aforementioned python module),
by category: LDAP server connection, LDAP schema mapping information
and LDAP source internal configuration.

LDAP server connection options:

* `host`, may contain port information using the <host>:<port> notation.
* `protocol`, choices are ldap, ldaps, ldapi. With plain ldap, simple
  binds send the user's password in clear text over the network, so
  prefer ldaps (or ldapi over a local Unix socket) for anything but tests.
* `auth-mode`, choices are simple, cram_md5, digest_md5, gssapi (support
  for the latter being partial as of now)
* `auth-realm`, realm to use when using gssapi/kerberos authentication
* `data-cnx-dn`, DN bound to open the data connection to the LDAP server
  (i.e. the connection used to search the directory when answering RQL
  queries). Use a dedicated account with read-only access to the user
  subtree rather than a directory administrator.
* `data-cnx-password`, password used to open that data connection

If the LDAP server accepts anonymous binds, then it is possible to
leave `data-cnx-dn` and `data-cnx-password` empty. This is, however,
quite unlikely in practice.

LDAP schema mapping:

* `user-base-dn`, base DN under which users are looked up
* `user-scope`, user search scope (how deep below `user-base-dn` to search)
* `user-classes`, object classes an entry must have to be considered a user
* `user-attrs-map`, map from LDAP user attributes to CubicWeb attributes
* `user-login-attr`, LDAP attribute matched against the login given at
  authentication time

LDAP source internal configuration:

* `user-default-group`, name of the group in which LDAP users are put by
  default. You can set multiple groups by separating them with commas.
  Keep this a low-privilege group: it is granted to every directory
  user the source creates.
* `synchronization-interval`, interval in seconds between two
  synchronizations with the LDAP directory (defaults to once a day)
* `cache-life-time`, life time of the query cache in minutes (defaults to
  two hours).

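The following is an added example and not CubicWeb's own code (the real implementation is the module named above). It reads a constructed `sources` file containing a weak `[ldapxxx]` section next to a hardened one, flags the settings discussed above (plain `ldap` protocol, empty `data-cnx-dn`, an over-privileged `user-default-group`), builds the search filter from `user-classes` and `user-login-attr` with RFC 4515 escaping so that a login such as `*)(uid=*` cannot alter the filter, and runs the search-then-bind check against a fake in-memory directory to illustrate the rule that credentials are only ever verified by the LDAP server. The `ldapattr=cwattr,...` format assumed for `user-attrs-map`, the section and entry names, the fake directory and every function name are assumptions of this example.

```python
"""Added example, not CubicWeb code: audit an [ldapxxx] section, build the
escaped search filter for a login and run the search-then-bind credential
check.  The user-attrs-map format and the fake directory are assumptions."""
import configparser

# Constructed sample: a weak section next to a hardened one.
SOURCES_SAMPLE = """
[ldap-weak]
protocol = ldap
data-cnx-dn =
data-cnx-password =
user-default-group = managers

[ldap-hardened]
host = ldap.example.org:636
protocol = ldaps
data-cnx-dn = cn=cubicweb-reader,ou=services,dc=example,dc=org
data-cnx-password = s3cret
user-base-dn = ou=people,dc=example,dc=org
user-classes = top,posixAccount
user-attrs-map = uid=login,gecos=email
user-login-attr = uid
user-default-group = users
"""

def load_sources(text):
    """Parse the sources file into {section name: {option: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}

def audit(section):
    """Findings a security reviewer would raise for one LDAP section."""
    findings = []
    if section.get("protocol", "ldap") == "ldap":
        findings.append("protocol=ldap: simple binds send passwords in clear text")
    if not section.get("data-cnx-dn"):
        findings.append("empty data-cnx-dn: data connection relies on anonymous bind")
    if "managers" in section.get("user-default-group", "").split(","):
        findings.append("user-default-group puts every directory user in 'managers'")
    return findings

# RFC 4515 escaping; python-ldap ships the same as ldap.filter.escape_filter_chars
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_filter(section, login):
    """Filter selecting the entry whose user-login-attr equals the login."""
    classes = [c.strip() for c in section["user-classes"].split(",") if c.strip()]
    parts = ["(objectClass=%s)" % c for c in classes]
    parts.append("(%s=%s)" % (section["user-login-attr"], escape_filter_value(login)))
    return "(&" + "".join(parts) + ")"

def attrs_map(section):
    """Assumed format: comma-separated ldapattr=cwattr pairs."""
    pairs = (item.split("=", 1) for item in section["user-attrs-map"].split(","))
    return {ldap_attr.strip(): cw_attr.strip() for ldap_attr, cw_attr in pairs}

class FakeDirectory:
    """Constructed stand-in for the LDAP server: entries keyed by DN."""
    def __init__(self, entries, allow_anonymous=False):
        self.entries, self.allow_anonymous = entries, allow_anonymous

    def bind(self, dn, password):
        if not dn and not password:   # anonymous bind
            return self.allow_anonymous
        if not password:              # unauthenticated bind (RFC 4513 5.1.2): some
            return False              # servers accept it, so the client must not rely on it
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, base, login_attr, login):
        # A real server evaluates user_filter(); the fake matches one attribute.
        return [dn for dn, entry in self.entries.items()
                if dn.endswith(base) and entry["attrs"].get(login_attr) == login]

DIRECTORY = FakeDirectory({
    "cn=cubicweb-reader,ou=services,dc=example,dc=org": {"password": "s3cret", "attrs": {}},
    "uid=alice,ou=people,dc=example,dc=org": {
        "password": "alice-pw", "attrs": {"uid": "alice", "gecos": "alice@example.org"}},
})

def authenticate(section, directory, login, password):
    """Search with the data connection, then bind as the user.  Returns the
    mapped local attributes on success and None on failure; the password is
    only ever checked by the directory, never against a local copy."""
    if not password:                  # refuse before binding, see FakeDirectory.bind
        return None
    if not directory.bind(section["data-cnx-dn"], section["data-cnx-password"]):
        raise RuntimeError("data connection bind failed")
    matches = directory.search(section["user-base-dn"], section["user-login-attr"], login)
    if len(matches) != 1 or not directory.bind(matches[0], password):
        return None
    attrs = directory.entries[matches[0]]["attrs"]
    return {cw: attrs[ldap_attr] for ldap_attr, cw in attrs_map(section).items()
            if ldap_attr in attrs}
```

Running `audit` over `load_sources(SOURCES_SAMPLE)` reports three findings for `[ldap-weak]` and none for `[ldap-hardened]`; `authenticate` with the hardened section returns `{'login': 'alice', 'email': 'alice@example.org'}` for the right password and `None` for a wrong or empty one. The empty-password refusal before the bind matters in real deployments: an LDAP simple bind with a DN and no password is an "unauthenticated" bind that several servers accept, which would let an empty password log anyone in as that user if the client simply trusted the bind result.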
Other notes
-----------

* Yes, cubicweb is able to start if the LDAP server cannot be reached, even on
  `c-c start`, though that will slow down the instance, since it will
  indefinitely attempt to connect to the LDAP server on each query on users.

* Changing the name of the LDAP server in your sources configuration is fine;
  changing the base DN isn't, since the base DN is used to tell already known
  users apart from new ones.

* You can use the :class:`CWSourceHostConfig` to have variants of a source
  configuration according to the host the instance is running on. To do so, go
  to the source's view from the sources management view.