mirrors
/
gitblit
зеркало из https://github.com/gitblit/gitblit.git
Следить 1
В избранное 0
Форкнуть 0
Код Задачи 0 Релизы 43 Вики Активность
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
3374 коммитов
11 Ветки
ветка: master
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'master'
${ noResults }
gitblit/src/site/setup_authentication.mkd

setup_authentication.mkd 8.7KB
Исходник Постоянная ссылка Normal View История

Documentation
11 лет назад
Added PAMUserService for local Linux/Unix/MacOSX account authentication
10 лет назад
Add an Apache htpasswd user service Add a new class, HtpasswdUserService, which performs authentication against a text file created with the Apache 'htpasswd' program. Added dependency on commons-codec:1.7
11 лет назад
add site documentation for HTTP header authentication
9 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Documentation
11 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Documentation
11 лет назад
Adjust path after moving from "gitblit" to "gitblit-org" on Github
1 год назад
Documentation
11 лет назад
Documentation
11 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Documentation
11 лет назад
Added PAMUserService for local Linux/Unix/MacOSX account authentication
10 лет назад
Improve PAM documentation
9 лет назад
Added PAMUserService for local Linux/Unix/MacOSX account authentication
10 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Improve PAM documentation
9 лет назад
Added PAMUserService for local Linux/Unix/MacOSX account authentication
10 лет назад
Add an Apache htpasswd user service Add a new class, HtpasswdUserService, which performs authentication against a text file created with the Apache 'htpasswd' program. Added dependency on commons-codec:1.7
11 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Add an Apache htpasswd user service Add a new class, HtpasswdUserService, which performs authentication against a text file created with the Apache 'htpasswd' program. Added dependency on commons-codec:1.7
11 лет назад
add site documentation for HTTP header authentication
9 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Adjust path after moving from "gitblit" to "gitblit-org" on Github
1 год назад
Documentation
11 лет назад
Refactor user services and separate authentication (issue-281) Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd
10 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Documentation
11 лет назад
Adjust path after moving from "gitblit" to "gitblit-org" on Github
1 год назад
Documentation
11 лет назад
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154 
  1. ## Built-in Authentication

  2. 

  3. By default, Gitblit stores and authenticates all users against `users.conf`.  However, you may wish to integrate Gitblit into an existing user account infrastructure.

  4. 

  5. Gitblit supports additional authentication mechanisms aside from it's internal one.

  6. 

  7. * LDAP authentication

  8. * Windows authentication

  9. * PAM authentication

  10. * Htpasswd authentication

  11. * HTTP header authentication

  12. * Redmine auhentication

  13. * Salesforce.com authentication

  14. * Servlet container authentication

  15. 

  16. ### LDAP Authentication

  17. *SINCE 1.0.0*

  18. 

  19. LDAP can be used to authenticate Users and optionally control Team memberships.  When properly configured, Gitblit will delegate authentication to your LDAP server and will cache some user information in the usual users.conf file.

  20. 

  21. When using the LDAP User Service, new user accounts can not be manually created from Gitblit.  Gitblit user accounts are automatically created for new users on their first succesful authentication through Gitblit against the LDAP server.  It is also important to note that the LDAP User Service does not retrieve or store user passwords nor does it implement any LDAP-write functionality.

  22. 

  23. To use the *LdapUserService* set *realm.authenticationProviders=ldap* in your `gitblit.properties` file and then configure the *realm.ldap* settings appropriately for your LDAP environment.

  24. 

  25. #### Example LDAP Layout

  26. ![block diagram](ldapSample.png "LDAP Sample")

  27. 

  28. Please see [ldapUserServiceSampleData.ldif](https://github.com/gitblit-org/gitblit/blob/master/src/test/resources/ldap/sampledata.ldif) to see the data in LDAP that reflects the above picture.

  29. 

  30. #### Gitblit Settings for Example LDAP Layout

  31. The following are the settings required to configure Gitblit to authenticate against the example LDAP server with LDAP-controlled team memberships.

  32. 

  33. <table class="table">

  34. <thead>

  35. <tr><th>parameter</th><th>value</th><th>description</th></tr>

  36. </thead>

  37. <tbody>

  38. <tr>

  39.   <th>realm.ldap.server</th><td>ldap://localhost:389</td>

  40.   <td>Tells Gitblit to connect to the LDAP server on localhost port 389.  The URL Must be of form ldap(s)://&lt;server&gt;:&lt;port&gt; with port being optional (389 for ldap, 636 for ldaps).</td>

  41. </tr>

  42. <tr>

  43.   <th>realm.ldap.username</th><td>cn=Directory Manager</td>

  44.   <td>The credentials that will log into the LDAP server</td>

  45. </tr>

  46. <tr>

  47.   <th>realm.ldap.password</th><td>password</td>

  48.   <td>The credentials that will log into the LDAP server</td>

  49. </tr>

  50. <tr>

  51.   <th>realm.ldap.maintainTeams</th><td>true</td>

  52.   <td>Are team memberships maintained in LDAP (<em>true</em>) or manually in Gitblit (<em>false</em>).</td>

  53. </tr>

  54. <tr>

  55.   <th>realm.ldap.accountBase</th><td>OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain</td>

  56.   <td>What is the root node for all users in this LDAP system.  Subtree searches will start from this node.</td>

  57. </tr>

  58. <tr>

  59.   <th>realm.ldap.accountPattern</th><td>(&(objectClass=person)(sAMAccountName=${username}))</td><td>The LDAP search filter that will match a particular user in LDAP.  ${username} will be replaced with whatever the user enters as their username in the Gitblit login panel.</td>

  60. </tr>

  61. <tr>

  62.   <th>realm.ldap.groupBase</th><td>OU=Groups,OU=UserControl,OU=MyOrganization,DC=MyDomain</td>

  63.   <td>What is the root node for all teams in this LDAP system.  Subtree searches will start from this node.</td>

  64. </tr>

  65. <tr>

  66.   <th>realm.ldap.groupMemberPattern</th><td>(&(objectClass=group)(member=${dn}))</td><td>The LDAP search filter that will match all teams for the authenticating user.  ${username} will be replaced with whatever the user enters as their username in the Gitblit login panel.  Anything else in ${} will be replaced by Attributes from the User node.</td>

  67. </tr>

  68. <tr>

  69.   <th>realm.ldap.admins</th><td>@Git_Admins</td><td>A space-delimited list of usernames and/or teams that indicate admin status in Gitblit.  Teams are referenced with a leading <em>@</em> character.</td>

  70. </tr>

  71. </tbody>

  72. </table>

  73. 

  74. #### LDAP In-Memory Server

  75. 

  76. You can start Gitblit GO with an in-memory LDAP server by specifying the *--ldapLdifFile* command-line argument.  The LDAP server will listen on localhost of the port specified in *realm.ldap.url* of `gitblit.properties`.  Additionally, a root user record is automatically created for *realm.ldap.username* and *realm.ldap.password*.  Please note that the ldaps:// protocol is not supported for the in-memory server.

  77. 

  78. ### Windows Authentication

  79. 

  80. Windows authentication is based on the use of Waffle and JNA.  It is known to work properly for authenticating against the local Windows machine, but it is unclear if it works properly with a domain controller and Active Directory.  To use this service, your Gitblit server must be installed on a Windows machine.

  81. 

  82.     realm.authenticationProviders = windows

  83.     realm.windows.defaultDomain =

  84. 

  85. ### PAM Authentication

  86. 

  87. PAM authentication is based on the use of libpam4j and JNA.  To use this service, your Gitblit server must be installed on a Linux/Unix/MacOSX machine.

  88. 

  89.     realm.authenticationProviders = pam

  90.     realm.pam.serviceName = gitblit

  91.     

  92. Then define a gitblit authentication policy in `/etc/pam.d/gitblit`

  93. 

  94.     # PAM configuration for the gitblit service

  95.     # Standard Un*x authentication.

  96.     @include common-auth

  97. 

  98. ### Htpasswd Authentication

  99. 

  100. Htpasswd authentication allows you to maintain your user credentials in an Apache htpasswd file thay may be shared with other htpasswd-capable servers.

  101. 

  102.     realm.authenticationProviders = htpasswd

  103.     realm.htpasswd.userFile = /path/to/htpasswd

  104. 

  105. ### HTTP Header Authentication

  106. 

  107. HTTP header authentication allows you to use existing authentication performed by a trusted frontend, such as a reverse proxy. Ensure that when used, gitblit is ONLY availabe via the trusted frontend, otherwise it is vulnerable to a user adding the header explicitly.

  108. 

  109. By default, no user or team header is defined, which results in all authentication failing this mechanism. The user header can also be defined while leaving the team header undefined, which causes users to be authenticated from the headers, but team memberships to be maintained locally.

  110. 

  111.     realm.httpheader.userheader = REMOTE_USER

  112.     realm.httpheader.teamheader = X-GitblitExample-GroupNames

  113.     realm.httpheader.teamseparator = ,

  114.     realm.httpheader.autoCreateAccounts = false

  115. 

  116. ### Redmine Authentication

  117. 

  118. You may authenticate your users against a Redmine installation as long as your Redmine install has properly enabled [API authentication](http://www.redmine.org/projects/redmine/wiki/Rest_Api#Authentication).  This user service only supports user authentication; it does not support team creation based on Redmine groups.  Redmine administrators will also be Gitblit administrators.

  119. 

  120.     realm.authenticationProviders = redmine

  121.     realm.redmine.url = http://example.com/redmine

  122. 

  123. ### Salesforce.com Authentication

  124. 

  125. You may authenticate your users against Salesforce.com.  You can require that user's belong to a particular organization by specifying a non-zero organization id.

  126. 

  127.     realm.authenticationProviders = salesforce

  128.     realm.salesforce.orgId = 0

  129. 

  130. ### Container Authentication

  131. 

  132. If you are using the WAR variant and deploying into your own servlet container which has a pre-defined authentication mechanism protecting the Gitblit webapp, then you may instruct Gitblit to automatically create Gitblit accounts for container-authenticated user principals.

  133. 

  134.     realm.container.autoCreateAccounts = true

  135. 

  136. ## Custom Authentication

  137. 

  138. This is the simplest choice where you implement custom authentication and delegate all other standard user and team operations to one of Gitblit's user service implementations.  This choice insulates your customization from changes in User and Team model classes and additional API that may be added to IUserService.

  139. 

  140. Please subclass [com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider](https://github.com/gitblit-org/gitblit/blob/master/src/main/java/com/gitblit/auth/AuthenticationProvider.java).

  141. 

  142. You may use your subclass by specifying its fully qualified classname in the *realm.authenticationProviders* setting.

  143. 

  144. Your subclass must be on Gitblit's classpath and must have a public default constructor.  

  145. 

  146. ### Custom Everything

  147. 

  148. Instead of maintaining a `users.conf` file, you may want to integrate Gitblit into an existing environment.

  149. 

  150. You may use your own custom *com.gitblit.IUserService* implementation by specifying its fully qualified classname in the *realm.userService* setting.

  151. 

  152. Your user service class must be on Gitblit's classpath and must have a public default constructor.  

  153. Please see the following interface definition [com.gitblit.IUserService](https://github.com/gitblit-org/gitblit/blob/master/src/main/java/com/gitblit/IUserService.java).

  154.