author: Adrien Chauve <adrien.chauve@logilab.fr>
date: Thu, 18 Mar 2010 09:07:10 +0100
branch: stable
changeset 4936: a4b772a0d801
parent 4753: dd6ae6512916
child 7637: a8a3fcdb1f6e
permissions: -rw-r--r--
.. _LDAP:

LDAP integration
================

Overview
--------

Using LDAP as a source for user credentials and information is quite
easy. The most difficult part lies in building an LDAP schema or
using an existing one.

At cube creation time, one is asked if more sources are wanted. LDAP
is one possible option at this time. Of course, it is always possible
to set it up later in the `source` configuration file, which is
discussed below.

It is possible to add as many LDAP sources as wanted, which translates
into as many [ldapxxx] sections in the `source` configuration file.

The general principle of the LDAP source is, given a proper
configuration, to create local users matching the users available in
the directory, deriving local user attributes from directory user
attributes. A periodic task then keeps the local user information
synchronized with the directory.

Credential checks are *always* done against the LDAP server.

The base functionality for this is in
cubicweb/server/sources/ldapuser.py.

Configuration options
---------------------

Let us enumerate the options by category (LDAP server connection, LDAP
schema mapping information, LDAP source internal configuration), but
please keep in mind that the authoritative source for these is the
aforementioned Python module.

LDAP server connection options:

* host: may contain port information using <host>:<port> notation.
* protocol (choices are ldap, ldaps, ldapi)
* auth-mode (choices are simple, cram_md5, digest_md5, gssapi; support
  for the latter being partial as of now)
* auth-realm, realm to use when using gssapi/kerberos authentication
* data-cnx-dn, user DN used to open the data connection to the LDAP
  server (e.g. to answer RQL queries)
* data-cnx-password, password used to open the data connection to the
  LDAP server (e.g. to answer RQL queries)

If the LDAP server accepts anonymous binds, then it is possible to
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
unlikely in practice.

LDAP schema mapping:

* user-base-dn, base DN to look up users
* user-scope, user search scope
* user-classes, classes of user
* user-attrs-map, map from LDAP user attributes to CubicWeb attributes
* user-login-attr, attribute used as login on authentication

LDAP source internal configuration:

* user-default-group, name of a group in which LDAP users will be by
  default. You can set multiple groups by separating them with a comma
* synchronization-interval, interval between synchronizations with the
  LDAP directory in seconds (defaults to once a day)
* query cache life time in minutes (defaults to two hours).
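As an added example (not CubicWeb's own code), the following script parses a constructed `source` file holding two [ldapxxx] sections and flags the settings a reviewer would want to catch before deployment: plain `ldap` transport (credential checks always go to the server, so passwords would cross the wire unencrypted), an anonymous data bind, and a privileged default group. The INI layout, the section names, the hosts and all values are assumptions; only the option names come from this section.

```python
import configparser

# Constructed sample of a CubicWeb `source` file with two LDAP sources
# (assumption: INI layout, one [ldapxxx] section per source; hosts are fake).
SAMPLE_SOURCES = """
[ldapcorp]
host = ldap.example.test:636
protocol = ldaps
auth-mode = simple
data-cnx-dn = cn=cw-reader,ou=services,dc=example,dc=test
data-cnx-password = placeholder-secret
user-base-dn = ou=people,dc=example,dc=test
user-scope = ONELEVEL
user-classes = top,posixAccount
user-attrs-map = uid:login,mail:email
user-login-attr = uid
user-default-group = users
synchronization-interval = 86400

[ldaplegacy]
host = ldap-old.example.test
protocol = ldap
data-cnx-dn =
data-cnx-password =
user-base-dn = ou=people,dc=old,dc=test
user-default-group = users,managers
"""

def ldap_sections(text):
    """Return {section: options} for every [ldap*] section of a source file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith('ldap')}

def check_source(opts, privileged=('managers',)):
    """Findings for one LDAP source; `privileged` = groups LDAP users must not join by default."""
    findings = []
    proto = opts.get('protocol', 'ldap')  # assumption: plain ldap is the default
    if proto == 'ldap':
        # the user's password and data-cnx-password travel unencrypted on plain ldap
        findings.append('plaintext ldap; use ldaps or ldapi')
    if not opts.get('data-cnx-dn'):
        findings.append('anonymous data bind (data-cnx-dn empty)')
    elif not opts.get('data-cnx-password'):
        findings.append('data-cnx-dn set but data-cnx-password empty')
    groups = {g.strip() for g in opts.get('user-default-group', '').split(',')}
    for g in sorted(groups & set(privileged)):
        findings.append('ldap users default into privileged group %s' % g)
    return findings
```

`managers` is assumed here to be the administrator group, as it is in a stock CubicWeb instance; pass your own `privileged` tuple if your instance uses different group names.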