doc/book/en/admin/ldap.rst
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 07 Jul 2011 18:33:21 +0200
changeset 7637 a8a3fcdb1f6e
parent 4936 a4b772a0d801
child 8478 e099ebc65e61
permissions -rw-r--r--
[book, ldap] backport some doc from my mailbox
.. _LDAP:

LDAP integration
================

Overview
--------

Using LDAP as a source for user credentials and information is quite
easy. The most difficult part lies in building an LDAP schema or
using an existing one.

At cube creation time, one is asked if more sources are wanted. LDAP
is one possible option at this time. Of course, it is always possible
to set it up later in the `source` configuration file, which we
discuss below.

It is possible to add as many LDAP sources as wanted, which translates
into as many [ldapxxx] sections in the `source` configuration file.

The general principle of the LDAP source is, given a proper
configuration, to create local users matching the users available in
the directory, deriving local user attributes from directory user
attributes. Then a periodic task keeps local user information
synchronized with the directory.

Credential checks are *always* done against the LDAP server.

The base functionality for this is in
:file:`cubicweb/server/sources/ldapuser.py`.

Configuration options
---------------------

Let us enumerate the options (but please keep in mind that the
authoritative source for these is the aforementioned python
module), by category (LDAP server connection, LDAP schema mapping
information, LDAP source internal configuration).

LDAP server connection options:

* `host`, may contain port information using <host>:<port> notation.
* `protocol`, choices are ldap, ldaps, ldapi
* `auth-mode`, choices are simple, cram_md5, digest_md5, gssapi (support
  for the latter being partial as of now)
* `auth-realm`, realm to use when using gssapi/kerberos authentication
* `data-cnx-dn`, user DN to use to open the data connection to the LDAP
  server (e.g. used to respond to RQL queries)
* `data-cnx-password`, password to use to open the data connection to the
  LDAP server (e.g. used to respond to RQL queries)

If the LDAP server accepts anonymous binds, then it is possible to
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
unlikely in practice.

LDAP schema mapping:

* `user-base-dn`, base DN to look up users
* `user-scope`, user search scope
* `user-classes`, classes of user
* `user-attrs-map`, map from LDAP user attributes to cubicweb attributes
* `user-login-attr`, attribute used as login on authentication

LDAP source internal configuration:

* `user-default-group`, name of a group in which LDAP users will be by
  default. You can set multiple groups by separating them with a comma
* `synchronization-interval`, interval between synchronizations with the
  LDAP directory in seconds (defaults to once a day)
* `cache-life-time`, life time of the query cache in minutes (defaults to two hours).
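A small checker written for this page (example code, not part of CubicWeb) that parses the `[ldap...]` sections of a `sources` file using the option names listed above and reports what a reviewer of such a configuration wants to know: the <host>:<port> split, the comma-separated default groups, unknown protocol or auth-mode values, gssapi without auth-realm, a simple bind over plain ldap, and an empty data-cnx-dn. The section name, host, DNs and password are constructed, and the INI-style layout read by configparser is an assumption.

```python
import configparser
PROTOCOLS = {"ldap", "ldaps", "ldapi"}
AUTH_MODES = {"simple", "cram_md5", "digest_md5", "gssapi"}

# Constructed sample `sources` file (added example, not CubicWeb code); all values are made up.
SAMPLE_SOURCES = """
[ldapcorp]
host=ldap.example.org:389
protocol=ldap
auth-mode=simple
data-cnx-dn=cn=cwreader,dc=example,dc=org
data-cnx-password=constructed-secret
user-base-dn=ou=people,dc=example,dc=org
user-login-attr=uid
user-default-group=users, readers
"""

def split_host(host):
    """Split the documented <host>:<port> notation; port is None when absent."""
    name, sep, port = host.partition(":")
    return name, (int(port) if sep else None)

def check_ldap_section(sec):
    """Findings a reviewer would raise for one [ldap...] configparser section."""
    findings = []
    proto, mode = sec.get("protocol", "ldap"), sec.get("auth-mode", "simple")
    if proto not in PROTOCOLS:
        findings.append("unknown protocol %r" % proto)
    if mode not in AUTH_MODES:
        findings.append("unknown auth-mode %r" % mode)
    if mode == "gssapi" and not sec.get("auth-realm"):
        findings.append("gssapi auth-mode without auth-realm")
    if proto == "ldap" and mode == "simple":  # bind password crosses the wire unencrypted
        findings.append("simple bind over plain ldap: password sent in clear")
    if not sec.get("data-cnx-dn"):  # the text above notes anonymous binds are rare
        findings.append("empty data-cnx-dn: relies on anonymous bind")
    return findings

def review_sources(text):
    """Return {section: {host, groups, findings}} for every [ldap...] section."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    report = {}
    for name in (n for n in cfg.sections() if n.startswith("ldap")):
        sec = cfg[name]
        groups = [g.strip() for g in sec.get("user-default-group", "").split(",") if g.strip()]
        report[name] = {"host": split_host(sec["host"]), "groups": groups,
                        "findings": check_ldap_section(sec)}
    return report
```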

Other notes
-----------

* Yes, cubicweb is able to start if the LDAP server cannot be reached, even on
  c-c start, though that will slow down the instance, since it will indefinitely
  attempt to connect to the LDAP server on each query on users.

* Changing the name of the LDAP server in your script is fine; changing the base
  DN isn't, since it is used to tell already known users from new ones.

* You can use the :class:`CWSourceHostConfig` to have variants of a source
  configuration according to the host the instance is running on. To do so, go to
  the source's view from the sources management view.