doc/book/admin/ldap.rst
author Denis Laxalde <denis.laxalde@logilab.fr>
Tue, 04 Apr 2017 16:28:50 +0200
branch 3.25
changeset 12142 db2fc87348ab
parent 10491 c67bcee93248
child 12534 e0e7d8ca051f
child 12904 2ad148f22c2f
permissions -rw-r--r--
[server] Make "sources_by_uri" and "sources_by_eid" properties of repository

I.e. do not populate these dicts at repo initialization (bootstrap step) but always use information from database. This is needed because when multiple instances of the same application run, if one instance adds a CWSource the other ones will not see it. In particular, when using a scheduler instance, new CWSource will be added by the web instance and not seen by the scheduler which is supposed to update them.

We thus define properties for sources_by_eid and sources_by_uri instead of attributes on repository instance. CWSource entities are thus retrieved from database every time these properties are accessed. We factor out initialization of the "source" instance (subclass of cubicweb.server.source.AbstractSource) in a _sources() method. Note that this method takes care of calling "init" method on the source as well as "set_schema" (previously done in repo.set_schema(), which now only touches system_source). Accordingly the "init_sources_from_database" method is dropped along with "add_source"/"remove_source" methods.

In syncsources hook, we thus drop:

* SourceAddedOp operation which called repo.add_source() so that the SourceAddedHook only cares about checking source configuration now;
* SourceRemovedOp and SourceRenamedOp operations for the same reason;
* SourceConfigUpdatedOp as updating the live config of source is meaningless once we rely on them being retrieved from the database;
* SourceHostConfigUpdatedHook hook which is now useless without call to SourceConfigUpdatedOp;

In 3.10 migration script, remove usage of sources_by_uri repo attribute which, unless I'm missing something, appears useless (at least now).

In tests:

* unittest_datafeed: remove test_update_url method since we dropped respective hook;
* unittest_ldapsource: LDAPFeedUserDeletionTC.test_a_filter_inactivate() currently fails because it still relies on live config being updated, this will be fixed in the next changeset once all "live source" logic will be removed.
.. _LDAP:

LDAP integration
================

Overview
--------

Using LDAP as a source for user credentials and information is quite
easy. The most difficult part lies in building an LDAP schema or
using an existing one.

At cube creation time, one is asked if more sources are wanted. LDAP
is one possible option at this time. Of course, it is always possible
to set it up later using the `CWSource` entity type, which we discuss
below.

It is possible to add as many LDAP sources as wanted, which translates
into as many `CWSource` entities as needed.

The general principle of the LDAP source is, given a proper
configuration, to create local users matching the users available in
the directory and to derive local user attributes from directory user
attributes. A periodic task then keeps local user information
synchronized with the directory.

Users handled by such a source should not be edited directly from
within the application instance itself. Rather, updates should happen
at the LDAP server level.

Credential checks are *always* done against the LDAP server.

.. Note::

  There are currently two ldap source types: the older `ldapuser` and
  the newer `ldapfeed`. The older will be deprecated anytime soon, as
  the newer has now gained all the features of the old and does not
  suffer from some of its illnesses.

  The ldapfeed creates real `CWUser` entities, and then
  activates/deactivates them depending on their presence/absence in the
  corresponding LDAP source. Their attributes and state
  (activated/deactivated) are hence managed by the source mechanism;
  they should not be altered by other means (as such alterations may
  be overridden in some subsequent source synchronisation).


Configuration of an LDAPfeed source
-----------------------------------

Additional sources are created at cube creation time or later through the
user interface.

Configure an `ldapfeed` source from the user interface under `Manage` then
`data sources`:

* At this point `type` has been set to `ldapfeed`.

* The `parser` attribute shall be set to `ldapfeed`.

* The `url` attribute shall be set to a URL such as ldap://ldapserver.domain/.

* The `configuration` attribute contains many options. They are described in
  detail in the next section.


Options of an LDAPfeed source
-----------------------------

Let us enumerate the options by categories (LDAP server connection,
LDAP schema mapping information).

LDAP server connection options:

* `auth-mode`, (choices are simple, cram_md5, digest_md5, gssapi, support
  for the latter being partial as of now)

* `auth-realm`, realm to use when using gssapi/kerberos authentication

* `data-cnx-dn`, user dn to use to open data connection to the ldap (e.g.
  used to respond to rql queries)

* `data-cnx-password`, password to use to open data connection to the
  ldap (e.g. used to respond to rql queries)

If the LDAP server accepts anonymous binds, then it is possible to
leave data-cnx-dn and data-cnx-password empty. This is, however, quite
unlikely in practice. Beware that the LDAP server might hide attributes
such as "userPassword" while the rest of the attributes remain visible
through an anonymous binding.

LDAP schema mapping options:

* `user-base-dn`, base DN in which to look up users

* `user-scope`, user search scope (valid values: "BASE", "ONELEVEL",
  "SUBTREE")

* `user-classes`, classes of user (with Active Directory, you want to
  say "user" here)

* `user-filter`, additional filters to be set in the ldap query to
  find valid users

* `user-login-attr`, attribute used as login on authentication (with
  Active Directory, you want to use "sAMAccountName" here)

* `user-default-group`, name of a group in which ldap users will be by
  default. You can set multiple groups by separating them with a comma

* `user-attrs-map`, map from ldap user attributes to cubicweb
  attributes (with Active Directory, you want to use
  sAMAccountName:login,mail:email,givenName:firstname,sn:surname)


Other notes
-----------

* CubicWeb is able to start if ldap cannot be reached, even on
  cubicweb-ctl start ... If some source ldap server cannot be used
  while an instance is running, the corresponding users won't be
  authenticated but their status will not change (e.g. they will not
  be deactivated)

* The user-base-dn is a key that helps cubicweb map CWUsers to LDAP
  users: be careful when updating it

* When a user is removed from an LDAP source, it is deactivated in the
  CubicWeb instance; when a deactivated user comes back in the LDAP
  source, it is (automatically) activated again

* You can use the :class:`CWSourceHostConfig` to have variants for a source
  configuration according to the host the instance is running on. To do so,
  go to the source's view from the sources management view.
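The options listed under "Options of an LDAPfeed source" can be checked for consistency before a source is saved. The following is an added example, not CubicWeb's own code: it validates an option set, builds the user search filter the options imply, and maps one directory entry to local attributes. Assumptions: the `configuration` text is laid out as `key=value` lines, the filter is an AND of the classes and the extra filter, and all helper names, the sample values and the sample entry are constructed for illustration.

```python
from urllib.parse import urlparse

AUTH_MODES = {"simple", "cram_md5", "digest_md5", "gssapi"}
SCOPES = {"BASE", "ONELEVEL", "SUBTREE"}

# Constructed sample: URL and option values are illustrative only.
SAMPLE_URL = "ldap://ldapserver.domain/"
SAMPLE_CONFIG = """\
auth-mode=simple
data-cnx-dn=
data-cnx-password=
user-base-dn=ou=People,dc=example,dc=org
user-scope=SUBTREE
user-classes=user
user-filter=(memberOf=cn=cw-users,ou=Groups,dc=example,dc=org)
user-login-attr=sAMAccountName
user-default-group=users,guests
user-attrs-map=sAMAccountName:login,mail:email,givenName:firstname,sn:surname
"""


def parse_options(text):
    """Parse key=value lines (assumed layout); split on the first '=' only."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            options[key.strip()] = value.strip()
    return options


def parse_attrs_map(value):
    """'ldapattr:cwattr,...' -> {'ldapattr': 'cwattr', ...}"""
    pairs = (item.split(":", 1) for item in value.split(",") if item.strip())
    return {ldap.strip(): cw.strip() for ldap, cw in pairs}


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login cannot alter the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_filter(options, login=None):
    """AND the object classes, the extra filter and, optionally, one login."""
    parts = ["(objectClass=%s)" % escape_filter_value(c.strip())
             for c in options.get("user-classes", "").split(",") if c.strip()]
    if options.get("user-filter"):
        parts.append(options["user-filter"])
    if login is not None:
        parts.append("(%s=%s)" % (options["user-login-attr"], escape_filter_value(login)))
    return "(&%s)" % "".join(parts)


def audit(options, url):
    """Return (level, message) findings for one source definition."""
    findings = []
    if options.get("auth-mode") not in AUTH_MODES:
        findings.append(("error", "auth-mode must be one of %s" % sorted(AUTH_MODES)))
    if options.get("user-scope") not in SCOPES:
        findings.append(("error", "user-scope must be BASE, ONELEVEL or SUBTREE"))
    dn, password = options.get("data-cnx-dn"), options.get("data-cnx-password")
    if bool(dn) != bool(password):
        findings.append(("error", "set both data-cnx-dn and data-cnx-password, or neither"))
    elif not dn:
        findings.append(("warning", "anonymous bind: server may hide attributes such as userPassword"))
    if urlparse(url).scheme == "ldap" and options.get("auth-mode") == "simple":
        findings.append(("warning", "simple bind over plain ldap:// is not encrypted"))
    attrs = parse_attrs_map(options.get("user-attrs-map", ""))
    if attrs.get(options.get("user-login-attr")) != "login":
        findings.append(("warning", "user-login-attr is not mapped to 'login' in user-attrs-map"))
    return findings


def map_entry(options, entry):
    """Derive local user attributes from one directory entry (dict of lists)."""
    attrs = parse_attrs_map(options["user-attrs-map"])
    return {cw: entry[ldap][0] for ldap, cw in attrs.items() if entry.get(ldap)}
```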