Authentication Plugins

RhodeCode Enterprise provides a built-in authentication plugin, rhodecode.lib.auth_rhodecode. This is enabled by default and accessed through the administrative interface. Additionally, RhodeCode Enterprise provides a Pluggable Authentication System (PAS). This gives the administrator greater control over how users authenticate with the system.

Note

If you disable the default rhodecode.lib.auth_rhodecode authentication plugin and your external authentication tool fails, you will be unable to access the RhodeCode Enterprise administrative interface.

PAS allows administrators to plug in their own authentication service to manage user access to their instance of RhodeCode Enterprise. To manage all user authentication plugins and settings, use the administrative interface: |buttonAdmin| > |buttonAuthentication|

LDAP / Active Directory

RhodeCode Enterprise supports authentication with an existing Active Directory through LDAP (Lightweight Directory Access Protocol). To configure LDAP on your RhodeCode Enterprise installation, use the following information.

Note

You need administrator privileges to configure LDAP / Active Directory on RhodeCode Enterprise.

Prerequisites

To support LDAP you need the following libraries installed on your system: openldap and sasl. To run LDAP with RhodeCode Enterprise you need to install the python-ldap package. To install these use the following example:

Configuring LDAP on RhodeCode Enterprise

To configure LDAP / Active Directory, use the following steps:

  1. From the RhodeCode Enterprise dashboard select |buttonAdmin| > |buttonAuthentication|

  2. Enable the rhodecode.lib.auth_modules.auth_ldap plugin and select save

  3. Select the Enabled check box in the plugin configuration section

  4. Add the following information for your LDAP instance.

    • Your LDAP host name, e.g. hostname1,hostname2
    • Your LDAP port number, e.g. portnumber
    • Your LDAP account ID, e.g. uid=admin,cn=users,cn=accounts,dc=localdomain,dc=tld
    • Your LDAP user password, e.g. password
    • Set your connection security level, e.g. LDAPS
    • Set the level of SSL certificate checking, e.g.
    • Set the Base DN
    • Create an LDAP Search filter
    • Create an LDAP login attribute to map to your RhodeCode user name
    • Enter your first name
    • Enter your surname
    • Enter an email address

For a more detailed description of these LDAP objects, see LDAP / Active Directory Glossary:

Example LDAP Configuration

{
"attr_email": "mail",
"attr_firstname": "givenName",
"attr_lastname": "sn",
"attr_login": "uid",
"base_dn": "dc=company,dc=com",
"dn_pass": "bar",
"dn_user": "cn=Directory Manager",
"enabled": "True",
"filter": "ou=people",
"host": "localhost",
"port": "389",
"search_scope": "SUBTREE",
"tls_kind": "PLAIN",
"tls_reqcert": "NEVER"
}

Example FreeIPA LDAP configuration

LDAP Host hostname1,hostname2                                   # set your LDAP host name
Port portnumber                                                 # set the LDAP port number
Account: `uid=admin,cn=users,cn=accounts,dc=localdomain,dc=tld` # set your account user details
Password: userpassword                                          # Set the user password
Connection Security LDAPS                                       # set the LDAP level
Certificate Checks DEMAND                                       # Set the certificate checks level
Base DN cn=users,cn=accounts,dc=localdomain,dc=tld              # Set the Base DN
LDAP Search Filter (objectClass=person)                         # Set the LDAP search filter
LDAP Search Scope SUBTREE                                       # Set the LDAP search scope level
Login Attribute uid                                             # Set the LDAP user ID
First Name Attribute givenname                                  # Set the user first name
Last Name Attribute surname                                     # Set the user surname
Email Attribute mail                                            # set the user email

Create your own LDAP plugin

Use the following example to create your own LDAP plugin.

  1. Copy the auth_ldap.py file.
  2. Change the logic to assign static groups to each user
  3. Set the user attributes
{
  "active": true,
  "active_from_extern": null,
  "admin": false,
  "email": "c.name@company.net",
  "extern_name": "CN=John Doe,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=nc,DC=local",
  "extern_type": "ldap",
  "firstname": "Brian",
  "groups": [
    "test1",
    "test2",
    "test3",
    "test4"
  ],
  "lastname": "Butler",
  "username": "Brian"
}

Active Directory

RhodeCode Enterprise can use Microsoft Active Directory for user authentication. This is done through an LDAP or LDAPS connection to Active Directory. Use the following example LDAP configuration setting to set your Active Directory authentication.

# Set the Base DN
Base DN = OU=SBSUsers,OU=Users,OU=MyBusiness,DC=v3sys,DC=local
# Set the Active Directory SAM-Account-Name
Login Attribute      = sAMAccountName
# Set the Active Directory user name
First Name Attribute = usernameame
# Set the Active Directory user surname
Last Name Attribute  = user_surname
# Set the Active Directory user email
E-mail Attribute     = userEmail

LDAP / Active Directory Glossary

This topic gives a concise overview of the settings and requirements for enabling LDAP / Active Directory on RhodeCode Enterprise.

Required settings

The following settings are required when enabling LDAP / Active Directory on RhodeCode Enterprise.

  • An LDAP hostname or IP Address is required. A comma separated list of servers can be specified to support failover configuration.

  • The LDAP first name attribute must be set.

  • The LDAP last name attribute must be set.

  • The LDAP email attribute must be set.

  • An LDAP port must be specified. Port 389 for unencrypted LDAP or port 636 for SSL-encrypted LDAP (LDAPS).

  • The Base DN (Distinguished Name) must be set. The Distinguished Name (DN) is how searches for users will be performed, and these searches can be controlled by using an LDAP Filter or LDAP Search Scope. A DN is a sequence of relative distinguished names (RDN) connected by commas. For example,

    DN: cn=Monty Python,ou=people,dc=example,dc=com
    
  • The LDAP connection security level must be defined. The following security levels are available with LDAP.

    • No encryption: This connection type uses a plain non-encrypted connection.

    • LDAPS connection: This connection type uses end-to-end SSL. To enable an LDAPS connection you must meet the following requirements:

      • You must specify port 636
      • Certificate checks are required.
      • To enable START_TLS on LDAP connection, set the path to the SSL certificate in the default LDAP configuration file. The default ldap.conf file is located in /etc/openldap/ldap.conf.
      TLS_CACERT     /etc/ssl/certs/ca.crt
      
  • The LDAP username or account used to connect to RhodeCode Enterprise. This will be added to the LDAP filter for locating the user object.

    • For example, if an LDAP filter is specified as LDAPFILTER, the login attribute is specified as uid, and the user connects as jsmith, then the LDAP Filter will be like the following example.

      (&(LDAPFILTER)(uid=jsmith))
      
  • The LDAP search scope must be set. This limits how far LDAP will search for a matching object.

    • BASE Only allows searching of the Base DN.

    • ONELEVEL Searches all entries under the Base DN, but not the Base DN itself.

    • SUBTREE Searches all entries below the Base DN, but not Base DN itself.

      Note

      When using SUBTREE LDAP filtering it is useful to limit object location.
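The filter combination described above, (&(LDAPFILTER)(uid=jsmith)), as an added example that is not RhodeCode's own auth_ldap code. The function names build_user_filter and escape_filter_value are assumptions; the example also covers a blank configured filter and a filter stored without parentheses, as in the JSON example earlier on this page.

```python
"""Build the per-login LDAP search filter the glossary describes: the
configured LDAP Search Filter is AND-ed with (login_attr=username).

Added example for this page, not RhodeCode's own code. build_user_filter and
escape_filter_value are assumed names; the combination rule is the page's.
"""

# RFC 4515 escapes for the characters that are special inside a filter value.
# Escaping the typed login name keeps a value such as "jsmith)(uid=*" from
# rewriting the filter the administrator configured.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(base_filter: str, login_attr: str, username: str) -> str:
    """Return the filter used to locate the user object.

    base_filter: the optional LDAP Search Filter from the plugin settings,
                 e.g. "(objectClass=person)"; blank means no extra filter.
    login_attr:  the Login Attribute, e.g. "uid" or "sAMAccountName".
    username:    the name the user typed at login (escaped here).
    """
    login_clause = f"({login_attr}={escape_filter_value(username)})"
    base_filter = base_filter.strip()
    if not base_filter:
        return login_clause
    # The page's JSON example stores the filter without parentheses
    # ("ou=people"); a bare attr=value is wrapped so the result stays valid.
    if not base_filter.startswith("("):
        base_filter = f"({base_filter})"
    return f"(&{base_filter}{login_clause})"


if __name__ == "__main__":
    print(build_user_filter("(objectClass=person)", "uid", "jsmith"))
    # (&(objectClass=person)(uid=jsmith))
    print(build_user_filter("", "sAMAccountName", "jsmith)(uid=*"))
    # (sAMAccountName=jsmith\29\28uid=\2a)
```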

Optional settings

The following are optional when enabling LDAP on RhodeCode Enterprise.

  • An LDAP account is only required if the LDAP server does not allow anonymous browsing of records.

  • An LDAP password is only required if the LDAP server does not allow anonymous browsing of records

  • Certificate Checks are only required if you need to use LDAPS. SSL certificates can be installed in the following directory:

    /etc/openldap/cacerts

    This enables the DEMAND or HARD LDAPS connection options to be used with self-signed certificates or certificates that do not chain to a trusted certificate authority. You can use the following levels of certificate checking with RhodeCode Enterprise:

    • NEVER : A server certificate will never be requested or checked.

    • ALLOW : A server certificate is requested. Failure to provide a certificate or providing a bad certificate will not terminate the session.

    • TRY : A server certificate is requested. Failure to provide a certificate does not halt the session; providing a bad certificate halts the session.

    • DEMAND : A server certificate is requested and must be provided and authenticated for the session to proceed.

    • HARD : The same as DEMAND.

      Note

      Only DEMAND or HARD offer full SSL security; the other options are vulnerable to man-in-the-middle attacks.
      RhodeCode Enterprise uses OpenLDAP libraries. This allows DEMAND or HARD LDAPS connections to use
      self-signed certificates or certificates that do not chain to a trusted certificate authority. To enable
      this functionality, install the SSL certificates in the following directory: /etc/openldap/cacerts
  • Using an LDAP filter is optional. An LDAP filter is defined by RFC 2254. It is more useful than the LDAP Search Scope when the scope is set to SUBTREE. The filter limits which LDAP objects are identified as representing users for authentication. The filter is augmented by the Login Attribute. This can commonly be left blank.
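A check of an LDAP plugin configuration against the rules this glossary states (LDAPS needs port 636 and certificate checks; only DEMAND or HARD verify the server certificate; a filter limits what SUBTREE matches), using the page's own "Example LDAP Configuration" as input. This is an added example, not RhodeCode's code; check_ldap_config, harden and the finding strings are assumptions.

```python
"""Lint an LDAP plugin configuration against the glossary's rules and show
the weak example beside its corrected form. Added example for this page, not
RhodeCode's own code; check_ldap_config and harden are assumed names.
"""
import json

# Constructed input: the "Example LDAP Configuration" from this page, which
# uses a plain connection on port 389 with certificate checks set to NEVER.
WEAK_CONFIG_JSON = """{
  "base_dn": "dc=company,dc=com", "dn_user": "cn=Directory Manager",
  "dn_pass": "bar", "filter": "ou=people", "host": "localhost",
  "port": "389", "search_scope": "SUBTREE",
  "tls_kind": "PLAIN", "tls_reqcert": "NEVER"
}"""
WEAK_CONFIG = json.loads(WEAK_CONFIG_JSON)


def check_ldap_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    tls_kind = str(cfg.get("tls_kind", "PLAIN")).upper()
    reqcert = str(cfg.get("tls_reqcert", "NEVER")).upper()
    port = int(cfg.get("port", 389))
    if tls_kind == "PLAIN":
        findings.append("tls_kind PLAIN: bind password and user data travel unencrypted")
    if tls_kind == "LDAPS" and port != 636:
        findings.append(f"LDAPS selected but port is {port}; the glossary requires 636")
    if tls_kind != "PLAIN" and reqcert not in ("DEMAND", "HARD"):
        findings.append(f"tls_reqcert {reqcert}: only DEMAND or HARD verify the server certificate")
    if str(cfg.get("search_scope", "")).upper() == "SUBTREE" and not cfg.get("filter"):
        findings.append("SUBTREE scope with no filter: every entry under base_dn is a login candidate")
    return findings


def harden(cfg: dict) -> dict:
    """Return a copy with the glossary's LDAPS settings applied."""
    fixed = dict(cfg)
    fixed.update({"tls_kind": "LDAPS", "port": "636", "tls_reqcert": "DEMAND"})
    return fixed


if __name__ == "__main__":
    for finding in check_ldap_config(WEAK_CONFIG):
        print("finding:", finding)
    print("hardened findings:", check_ldap_config(harden(WEAK_CONFIG)))
```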
