Host-based authentication uses the user account mechanism of the underlying operating system on which FishEye is running.
FishEye currently supports PAM-based authentication on 32-bit Linux/Solaris/OS-X, and NT-based authentication on Windows. 64-bit operating systems are not supported.
FishEye can be configured to check if a user belongs to a group (or groups) before allowing access.
You can list one group name, or join several group names into a boolean expression like group1 & (group2 | group3).
If your group name contains spaces or non-ASCII characters, then you need to use quotes. For example: "Power Users" | Administrators.
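The following Python evaluator is an added example, not FishEye's own code: it works out which sets of group memberships a required-group expression admits, so an expression can be reasoned about before it is entered and checked with the 'Test' function. It assumes that & binds tighter than |, that names are compared exactly, and that only the operators shown above exist; tokenize and allowed are hypothetical names.

```python
import re

# Assumed grammar (not FishEye's own parser): names, "quoted names", & | ( ).
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([&|()])|([^\s&|()"]+))')

def tokenize(expr):
    """Split an expression into ('name', value) and ('op', symbol) tokens."""
    tokens, pos, expr = [], 0, expr.rstrip()
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:  # e.g. an unterminated quote
            raise ValueError(f"bad syntax at offset {pos}: {expr[pos:]!r}")
        quoted, op, bare = m.groups()
        tokens.append(("op", op) if op else ("name", bare if quoted is None else quoted))
        pos = m.end()
    return tokens + [("end", None)]

def allowed(expr, user_groups):
    """True if the set of groups a user belongs to satisfies the expression."""
    tokens, groups = tokenize(expr), set(user_groups)

    def atom():
        kind, val = tokens.pop(0)
        if kind == "name":
            return val in groups
        if (kind, val) == ("op", "("):
            result = either()
            if tokens.pop(0) != ("op", ")"):
                raise ValueError("missing ')'")
            return result
        raise ValueError(f"expected a group name or '(', got {val!r}")

    def both():  # '&' chain; assumed to bind tighter than '|'
        result = atom()
        while tokens[0] == ("op", "&"):
            tokens.pop(0)
            result = atom() and result  # operand first, so tokens are always consumed
        return result

    def either():  # '|' chain
        result = both()
        while tokens[0] == ("op", "|"):
            tokens.pop(0)
            result = both() or result
        return result

    result = either()
    if tokens[0] != ("end", None):
        raise ValueError(f"unexpected token {tokens[0][1]!r}")
    return result
```

A malformed expression (an unterminated quote, a missing parenthesis, an empty string) raises ValueError instead of returning a result, so a typo cannot be mistaken for a grant.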
If you are using Active Directory, you can configure FishEye to use LDAP as an alternative to host-based authentication.
If the computer FishEye is running on is not a member of a domain, then the Domain attribute is ignored.
When the computer is a member of a domain, you need to enter the full DNS name of the domain (e.g. corp.example.com). If you enter the short version of the domain (e.g. corp), then group-based restrictions may fail.
Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.
On Linux, Solaris and OS-X, host-based authentication uses PAM (Pluggable Authentication Modules) to check users' passwords.
FishEye needs to be configured with the service name to use when conversing with PAM. You can create a new service name in the PAM configuration (typically /etc/pam.conf or /etc/pam.d/), or configure FishEye to use an existing service name (such as other, login or xscreensaver).
Some general operating-system specific tips are given below, but you should consult the PAM documentation for your operating system.
Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.
On many Linux distributions, you may need to create a /etc/pam.d/fisheye file containing:
auth required pam_stack.so service=system-auth
On a default OS-X installation, you may need to create a /etc/pam.d/fisheye file containing:
auth sufficient pam_securityserver.so
auth required pam_deny.so
If you are using the default pam_unix_auth PAM configuration on Solaris, then you may need to add lines like these to your /etc/pam.conf file:
fisheye auth requisite pam_authtok_get.so.1
fisheye auth required pam_unix_auth.so.1
If you test this and it does not work, it is probably because when using pam_unix_auth on Solaris, the process doing the password check needs read access to /etc/shadow.
Giving the FishEye process read access to this file may solve this problem, but using permissions other than 0400 for /etc/shadow is not recommended. You should discuss this with your system administrators first, and possibly change to a PAM module other than pam_unix_auth.
Global settings are:
Domain/Service name | Windows: the name of the domain. Leave blank to use the local computer. |
Required group: | The group or groups a user must belong to in order for them to be able to log in. |
Cache TTL (positive) | How long FishEye should cache permission checks. Example values are: |
Auto-add | FishEye can automatically create a user it has not previously encountered if the user can successfully authenticate with the host. |
You can give FishEye a group restriction that will be used to check if a user has access to individual repositories. You can specify this per repository, or just specify it in the repository defaults:
Required Group | A group (or groups) used to check if a given user can access a given repository. For example: |