Connecting to an existing LDAP directory
You can connect Fisheye to an existing LDAP user directory, so that your existing users and groups in an enterprise directory can be used in Fisheye. The LDAP directory is used for both user authentication and account management.
Fisheye is able to connect to the following LDAP directory servers:
- Microsoft Active Directory
- Apache Directory Server (ApacheDS) 1.0.x and 1.5.x
- Apple Open Directory (Read-Only)
- Fedora Directory Server (Read-Only Posix Schema)
- Novell eDirectory Server
- OpenLDAP (Read-Only Posix Schema)
- Generic Posix/RFC2307 Directory (Read-Only)
- Sun Directory Server Enterprise Edition (DSEE)
- Any generic LDAP directory server
Connecting Fisheye to your external directory is not sufficient to allow your users to log in to Fisheye. You must explicitly grant them access to Fisheye in the global permission screen.
Synchronization when Fisheye is first connected to the LDAP directory
When you first connect Fisheye to an existing LDAP directory, the Fisheye internal directory is synchronized with the LDAP directory. User information, including groups and group memberships, is copied across to the Fisheye directory.
Note that when Fisheye is connected to an LDAP directory, you cannot update user details in Fisheye. Updates must be made directly in the LDAP directory, for example with an LDAP browser tool such as Apache Directory Studio.
Option - Use LDAP filters to restrict the number of users and groups that are synchronized
You can use LDAP filters to restrict the users and groups that are synchronized with the Fisheye internal directory. You may wish to do this in order to limit the users or groups that can access Fisheye, or if you are concerned that synchronization performance may be poor.
For example, to limit synchronization to just the groups named "fisheye_user" or "red_team", enter the following into the Group Object Filter field (see Group Schema Settings below):
For further discussion about filters, with examples, please see How to write LDAP search filters. Note that you need to know the names for the various containers, attributes and object classes in your particular directory tree, rather than simply copying these examples. You can discover these container names by using a tool such as Apache Directory Studio.
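A filter of the kind described above can be generated rather than typed by hand, so that group names containing filter metacharacters are escaped. This is an added example, not part of the Fisheye documentation; the function names are hypothetical, and it assumes groups have objectClass `group` and are named by the `cn` attribute (Active Directory style).

```python
import re

# RFC 4515 characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Attribute and object class names: a letter, then letters, digits or hyphens.
_DESCR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Escape a literal so it cannot alter the filter structure or act as a wildcard."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_object_filter(group_names, object_class="group", name_attr="cn"):
    """Build a Group Object Filter that matches only the named groups.

    Assumed defaults (not from the page): objectClass "group" and naming
    attribute "cn"; replace them with the values used in your directory tree.
    """
    for descr in (object_class, name_attr):
        if not _DESCR.fullmatch(descr):
            raise ValueError(f"invalid attribute or object class name: {descr!r}")
    names = list(dict.fromkeys(group_names))  # drop duplicates, keep order
    if not names or any(not n for n in names):
        raise ValueError("group names must be non-empty")
    clauses = "".join(f"({name_attr}={escape_filter_value(n)})" for n in names)
    if len(names) > 1:
        clauses = f"(|{clauses})"  # OR over the allowed group names
    return f"(&(objectClass={object_class}){clauses})"


if __name__ == "__main__":
    # Group names taken from the example in the text above.
    print(group_object_filter(["fisheye_user", "red_team"]))
    # Constructed group name containing filter metacharacters.
    print(group_object_filter(["dev*(ops)"]))
```

Without the escaping, a `*` in a group name would act as a wildcard and bring additional groups into synchronization.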
Authentication when a user attempts to log in
When a user attempts to log in to Fisheye, the username and password are passed to the LDAP directory for confirmation. If the password matches that stored for the user, LDAP passes a confirmation back to Fisheye, and Fisheye logs in the user. During the user's session, all authorizations (i.e. access to Fisheye resources such as repositories, reviews and administration screens) are handled by Fisheye, based on permissions maintained by Fisheye.
To connect Fisheye to an LDAP directory:
- Log in as a user with 'Admin' permission.
- In the Fisheye administration area, click User Directories (under 'Accounts').
- Click Add Directory and select either Microsoft Active Directory or LDAP as the directory type.
- Configure the directory settings, as described in the tables below.
- Save the directory settings.
- Define the directory order by clicking the arrows next to each directory on the 'User Directories' screen. The directory order has the following effects:
  - The order of the directories is the order in which they will be searched for users and groups.
  - Changes to users and groups will be made only in the first directory where the application has permission to make changes.
User schema settings