doc/book/admin/ldap.rst
author David Douard <david.douard@logilab.fr>
Wed, 02 Nov 2016 15:59:39 +0100
changeset 11793 b455460630a0
parent 10491 c67bcee93248
child 12534 e0e7d8ca051f
child 12904 2ad148f22c2f
permissions -rw-r--r--
[config] fix the load_site_cubicweb() method for to 'new-style' cubes (closes #16059402) We first try to load the site_cubicweb module from the cubicweb_<cube> package, and if it fails, revert back to old cube path.
.. _LDAP:

LDAP integration
================

Overview
--------

Using LDAP as a source for user credentials and information is quite
easy. The most difficult part lies in building an LDAP schema or
using an existing one.

At cube creation time, one is asked if more sources are wanted. LDAP
is one possible option at this time. Of course, it is always possible
to set it up later using the `CWSource` entity type, which we discuss
there.

It is possible to add as many LDAP sources as wanted, which translates
into as many `CWSource` entities as needed.

The general principle of the LDAP source is, given a proper
configuration, to create local users matching the users available in
the directory and to derive local user attributes from directory user
attributes. A periodic task then keeps local user information
synchronized with the directory.

Users handled by such a source should not be edited directly from
within the application instance itself. Rather, updates should happen
at the LDAP server level.

Credential checks are *always* done against the LDAP server.

.. Note::

  There are currently two ldap source types: the older `ldapuser` and
  the newer `ldapfeed`. The older one will be deprecated soon, as
  the newer one has now gained all the features of the old and does not
  suffer from some of its illnesses.

  The ldapfeed creates real `CWUser` entities, and then
  activates/deactivates them depending on their presence/absence in the
  corresponding LDAP source. Their attributes and state
  (activated/deactivated) are hence managed by the source mechanism;
  they should not be altered by other means (as such alterations may
  be overridden in some subsequent source synchronisation).


Configuration of an LDAPfeed source
-----------------------------------

Additional sources are created at cube creation time or later through the
user interface.

Configure an `ldapfeed` source from the user interface under `Manage` then
`data sources`:

* At this point `type` has been set to `ldapfeed`.

* The `parser` attribute shall be set to `ldapfeed`.

* The `url` attribute shall be set to a URL such as `ldap://ldapserver.domain/`.

* The `configuration` attribute contains many options. They are described in
  detail in the next paragraph.


Options of an LDAPfeed source
-----------------------------

Let us enumerate the options by categories (LDAP server connection,
LDAP schema mapping information).

LDAP server connection options:

* `auth-mode` (choices are simple, cram_md5, digest_md5, gssapi; support
  for the latter is partial as of now)

* `auth-realm`, realm to use when using gssapi/kerberos authentication

* `data-cnx-dn`, user dn to use to open data connection to the ldap (e.g.
  used to respond to rql queries)

* `data-cnx-password`, password to use to open data connection to the
  ldap (e.g. used to respond to rql queries)

If the LDAP server accepts anonymous binds, then it is possible to
leave `data-cnx-dn` and `data-cnx-password` empty. This is, however, quite
unlikely in practice. Beware that the LDAP server might hide attributes
such as "userPassword" while the rest of the attributes remain visible
through an anonymous binding.

LDAP schema mapping options:

* `user-base-dn`, base DN under which to look up users

* `user-scope`, user search scope (valid values: "BASE", "ONELEVEL",
  "SUBTREE")

* `user-classes`, classes of user (with Active Directory, you want to
  say "user" here)

* `user-filter`, additional filters to be set in the ldap query to
  find valid users

* `user-login-attr`, attribute used as login on authentication (with
  Active Directory, you want to use "sAMAccountName" here)

* `user-default-group`, name of a group in which ldap users will be by
  default. You can set multiple groups by separating them with a comma

* `user-attrs-map`, map from ldap user attributes to cubicweb
  attributes (with Active Directory, you want to use
  sAMAccountName:login,mail:email,givenName:firstname,sn:surname)

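A pre-flight check for the options listed above, as an added example (not CubicWeb's own code): it validates the documented choices, flags an anonymous data connection, and builds the user search filter with the login value escaped per RFC 4515. The function names, the sample values, the comma-separated `user-classes` format and the way the options are combined into one filter are assumptions.

```python
# Added example, not CubicWeb code. Option names and allowed values come from
# the lists above; everything else (function names, filter layout) is assumed.
AUTH_MODES = {"simple", "cram_md5", "digest_md5", "gssapi"}
USER_SCOPES = {"BASE", "ONELEVEL", "SUBTREE"}


def parse_attrs_map(value):
    """Parse 'ldapattr:cwattr,...' into a dict, rejecting malformed items."""
    mapping = {}
    for item in value.split(","):
        ldap_attr, sep, cw_attr = (part.strip() for part in item.partition(":"))
        if not (sep and ldap_attr and cw_attr):
            raise ValueError("bad user-attrs-map item: %r" % item)
        mapping[ldap_attr] = cw_attr
    return mapping


def check_options(options):
    """Return a list of problems found in a dict of ldapfeed options."""
    problems = []
    if options.get("auth-mode") not in AUTH_MODES:
        problems.append("auth-mode must be one of %s" % sorted(AUTH_MODES))
    if options.get("user-scope") not in USER_SCOPES:
        problems.append("user-scope must be one of %s" % sorted(USER_SCOPES))
    if not options.get("user-base-dn"):
        problems.append("user-base-dn is empty")
    dn, password = options.get("data-cnx-dn"), options.get("data-cnx-password")
    if not dn and not password:
        problems.append("anonymous bind: attributes such as userPassword "
                        "may be hidden by the server")
    elif not dn or not password:
        # A DN with an empty password is an unauthenticated bind (RFC 4513),
        # which servers may treat like an anonymous one.
        problems.append("data-cnx-dn and data-cnx-password must be set together")
    try:
        attrs = parse_attrs_map(options.get("user-attrs-map", ""))
    except ValueError as exc:
        problems.append(str(exc))
    else:
        # Assumed consistency rule, modelled on the Active Directory example.
        login_attr = options.get("user-login-attr")
        if attrs.get(login_attr) != "login":
            problems.append("user-login-attr %r is not mapped to 'login'" % login_attr)
    return problems


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def build_user_filter(options, login):
    """Combine user-classes, user-filter and user-login-attr into one filter."""
    classes = "".join("(objectClass=%s)" % escape_filter_value(cls.strip())
                      for cls in options["user-classes"].split(","))
    extra = options.get("user-filter", "")  # administrator-supplied, used as is
    return "(&%s%s(%s=%s))" % (classes, extra, options["user-login-attr"],
                               escape_filter_value(login))


# Constructed sample values; the attribute names follow the Active Directory
# hints given in the option list.
SAMPLE = {
    "auth-mode": "simple",
    "data-cnx-dn": "cn=reader,dc=example,dc=org",
    "data-cnx-password": "constructed-secret",
    "user-base-dn": "ou=people,dc=example,dc=org",
    "user-scope": "ONELEVEL",
    "user-classes": "user",
    "user-filter": "",
    "user-login-attr": "sAMAccountName",
    "user-attrs-map": "sAMAccountName:login,mail:email,givenName:firstname,sn:surname",
}

if __name__ == "__main__":
    print(check_options(SAMPLE) or "no problems found")
    print(build_user_filter(SAMPLE, "jdoe"))
```
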
Other notes
-----------

* Cubicweb is able to start if ldap cannot be reached, even on
  cubicweb-ctl start ... If some source ldap server cannot be used
  while an instance is running, the corresponding users won't be
  authenticated but their status will not change (e.g. they will not
  be deactivated)

* The `user-base-dn` is a key that helps cubicweb map CWUsers to LDAP
  users: be careful when updating it

* When a user is removed from an LDAP source, it is deactivated in the
  CubicWeb instance; when a deactivated user comes back in the LDAP
  source, it is automatically activated again

* You can use the :class:`CWSourceHostConfig` to have variants for a source
  configuration according to the host the instance is running on. To do so,
  go to the source's view from the sources management view.