Home | Forums

LDAP Authentication

Global Settings

Global LDAP settings are:

URL The URL of the ldap server, e.g. ldap://localhost:389.
Base DN The base search space for users, e.g. dc=example,dc=com
User Filter The LDAP search for locating users, e.g. uid=${USERNAME}. The ${USERNAME} variable is expanded to the username of the individual being authenticated. You can use a more complicated LDAP filter to only allow a subset of users, such as: (&(uid=${USERNAME})(group=fisheye)).
UID Attribute The name of the username attribute in objects matching the filter.
Email attribute (optional) The name of an attribute giving the user's email address.
Cache TTL (positive) How long FishEye should cache permission checks. Example values are: 0 secs, 5 mins.
Auto-add FishEye can automatically create a user it has not previously encountered if the user can successfully authenticate against LDAP.
Initial bind DN and password (optional) If your LDAP server does not allow anonymous bind, then you need to specify a user FishEye can use to do its initial bind.

Per-repository Settings

You can give FishEye an LDAP filter that will be used to check if a user has access to individual repositories. You can specify this per-repository, or just specify it in the repository-defaults:

LDAP restriction An LDAP filter used to check if a given user can access a given repository, e.g. (&(uid=${USERNAME})(group=${REP})). The ${REP} variable is replaced with the name of the repository in question.
Match Type

One of 'user' (default) or 'any'. This setting modifies the meaning of LDAP restriction.

If set to 'user', then FishEye expects the filter to match the exact DN of the current user. If it does match, then the user has access to the repository. Commonly, if your user object contains the list of groups the user has access to, then you would use a 'user' match.

If set to 'any', then the filter just needs to match one result for the user to have access to the repository. Commonly, if your group object contains the list of uid members, then you would use an 'any' match. In such a case, your LDAP restriction filter may look like: (&(uniquemember=${USERNAME})(dn=${REP},ou=groups,ou=com)(objectClass=groupofuniquenames)) . That is, return the group of which the current user is a member.

Active Directory

To have FishEye connect to an Active Directory server, use settings such as the following:

URL ldap://HOSTNAME:389
Base DN DC=corp,DC=example,DC=com
User Filter sAMAccountName=${USERNAME}
UID Attribute sAMAccountName
Email attribute mail
Initial bind DN corp.example.com/Users/SomeUser