This documentation relates to an earlier version of FishEye.
View

Unknown macro: {spacejump}

or visit the current documentation home.

This page explains the settings for LDAP authentication and their parameters.

On this page:

Global Settings

Global LDAP settings are:

URL

The URL of the LDAP server, e.g. ldap://localhost:389.

Base DN

The base search space for users, e.g. dc=example,dc=com

User Filter

The LDAP search for locating users, e.g. uid=${USERNAME}. The ${USERNAME} variable is expanded to the username of the individual being authenticated. You can use a more complicated LDAP filter to allow only a subset of users, such as: (&(uid=${USERNAME})(group=fisheye)).

UID Attribute

The name of the username attribute in objects matching the filter.

Email attribute

Optional. The name of an attribute giving the user's email address.

Cache TTL (positive)

How long FishEye should cache permission checks. Example values are: 0 secs, 5 mins.

Auto-add

FishEye can automatically create a user it has not previously encountered if the user can successfully authenticate against LDAP.

Initial bind DN and password

Optional. If your LDAP server does not allow anonymous bind, then you need to specify a user FishEye can use to do its initial bind.

Synchronise users with Crowd

Optional. Sets whether users will be loaded from an external directory.

Per-Repository Settings

You can give FishEye an LDAP filter that will be used to check if a user has access to individual repositories.

To specify this filter for a repository, open the Permission settings of the repository, and check the Apply LDAP restriction option. Then just below the checkbox, type the filter string:

LDAP restriction

An LDAP filter used to check if a given user can access a given repository, e.g. (&(uid=${USERNAME})(group=${REP})). The ${REP} variable is replaced with the name of the repository in question.

Match Type

One of 'user' (default) or 'any'. This setting modifies the meaning of LDAP restriction.
If set to 'user', then FishEye expects the filter to match the exact DN of the current user. If it does match, then the user has access to the repository. Commonly, if your user object contains the list of groups the user has access to, then you would use a 'user' match.
If set to 'any', then the filter just needs to match one result for the user to have access to the repository. Commonly, if your group object contains the list of UID members, then you would use an 'any' match. In such a case, your LDAP restriction filter may look like this: (&(uniquemember=${USERNAME})(cn=${REP},ou=groups,ou=com)(objectClass=groupofuniquenames)). That is, return the group of which the current user is a member.

Active Directory

To have FishEye connect to an Active Directory server, use settings such as the following:

URL

ldap://HOSTNAME:389

Base DN

DC=corp,DC=example,DC=com

User Filter

(sAMAccountName=${USERNAME})

UID Attribute

sAMAccountName

Email attribute

mail

Initial bind DN

corp.example.com/Users/SomeUser



Log a request with our support team.



Raise an issue for our developers.



See answers from the community.



Blog and update our documentation.

Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.