Diffstat (limited to 'doc/administration/auth')
-rw-r--r--  doc/administration/auth/crowd.md                        22
-rw-r--r--  doc/administration/auth/ldap/img/multi_login.png        bin 12689 -> 0 bytes
-rw-r--r--  doc/administration/auth/ldap/index.md                   141
-rw-r--r--  doc/administration/auth/ldap/ldap-troubleshooting.md    20
-rw-r--r--  doc/administration/auth/ldap/ldap_synchronization.md    2
-rw-r--r--  doc/administration/auth/oidc.md                         10
6 files changed, 98 insertions, 97 deletions
diff --git a/doc/administration/auth/crowd.md b/doc/administration/auth/crowd.md
index 8dfa832a103..ced7cdb7119 100644
--- a/doc/administration/auth/crowd.md
+++ b/doc/administration/auth/crowd.md
@@ -5,7 +5,11 @@ group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
-# Atlassian Crowd OmniAuth Provider **(FREE SELF)**
+# Atlassian Crowd OmniAuth provider (deprecated) **(FREE SELF)**
+
+WARNING:
+This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/369117) in GitLab 15.3 and is planned for
+removal in 16.0.
Authenticate to GitLab using the Atlassian Crowd OmniAuth provider. Enabling
this provider also allows Crowd authentication for Git-over-https requests.
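Review bot: the new WARNING block says the provider is deprecated in 15.3 and planned for removal in 16.0 but names no replacement, so an administrator landing on this page cannot tell what to migrate to; add one sentence before the "Authenticate to GitLab using the Atlassian Crowd OmniAuth provider" paragraph that points to the supported alternative (or to the migration guidance in the linked deprecation issue).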
@@ -68,24 +72,24 @@ this provider also allows Crowd authentication for Git-over-https requests.
application_password: 'YOUR_APP_PASSWORD' } }
```
-1. Change `CROWD_SERVER_URL` to the URL of your Crowd server.
+1. Change `CROWD_SERVER_URL` to the [base URL of your Crowd server](https://confluence.atlassian.com/crowdkb/how-to-change-the-crowd-base-url-245827278.html).
1. Change `YOUR_APP_NAME` to the application name from Crowd applications page.
1. Change `YOUR_APP_PASSWORD` to the application password you've set.
1. Save the configuration file.
-1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) or [restart](../restart_gitlab.md#installations-from-source) for the changes to take effect if you
- installed GitLab via Omnibus or from source respectively.
+1. [Reconfigure](../restart_gitlab.md#omnibus-gitlab-reconfigure) (Omnibus GitLab) or [restart](../restart_gitlab.md#installations-from-source) (source installations) for
+ the changes to take effect.
On the sign in page there should now be a Crowd tab in the sign in form.
## Troubleshooting
-If you see an error message like the one below when you sign in after Crowd authentication is configured, you may want to consult the Crowd administrator for the Crowd log file to know the exact cause:
+### Error: "could not authorize you from Crowd because invalid credentials"
-```plaintext
-could not authorize you from Crowd because invalid credentials
-```
+This error sometimes occurs when a user attempts to authenticate with Crowd. The
+Crowd administrator should consult the Crowd log file to know the exact cause of
+this error message.
-Ensure the Crowd users who need to sign in to GitLab are authorized to the
+Ensure the Crowd users who must sign in to GitLab are authorized to the
[application](#configure-a-new-crowd-application) in the **Authorization** step.
This could be verified by trying "Authentication test" for Crowd (as of 2.11).
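Review bot: the step `1. Change YOUR_APP_PASSWORD to the application password you've set.` leaves a service credential in plaintext in the configuration file shown above (`application_password: 'YOUR_APP_PASSWORD'`) with no guidance on protecting it; since this hunk already rewrites the surrounding steps, add a reminder to restrict read permissions on that file, in the same spirit as the encrypted-secret treatment the LDAP page in this change gives to `bind_dn`/`password`. Minor: the unchanged closing sentence `This could be verified by trying "Authentication test" for Crowd (as of 2.11).` names a version without saying it is a Crowd version; "as of Crowd 2.11" reads unambiguously.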
diff --git a/doc/administration/auth/ldap/img/multi_login.png b/doc/administration/auth/ldap/img/multi_login.png
deleted file mode 100644
index 512f403a442..00000000000
--- a/doc/administration/auth/ldap/img/multi_login.png
+++ /dev/null
Binary files differ
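Review bot: deleting `img/multi_login.png` is only safe if no other page still embeds it; the replacement list in `ldap/index.md` covers this page's own use, so run a search for `multi_login.png` across `doc/` before merging to avoid leaving a broken image reference elsewhere.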
diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md
index 05eee338e64..2f0a0db9d6f 100644
--- a/doc/administration/auth/ldap/index.md
+++ b/doc/administration/auth/ldap/index.md
@@ -75,7 +75,7 @@ To configure LDAP integration, add your LDAP server settings in:
- `/home/git/gitlab/config/gitlab.yml` for source install instances.
After configuring LDAP, to test the configuration, use the
-[LDAP check Rake task](../../raketasks/check.md#ldap-check).
+[LDAP check Rake task](../../raketasks/ldap.md#check).
NOTE:
The `encryption` value `simple_tls` corresponds to 'Simple TLS' in the LDAP
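Review bot: the link target moves from `../../raketasks/check.md#ldap-check` to `../../raketasks/ldap.md#check`; confirm that `raketasks/ldap.md` has a heading that produces the `#check` anchor rather than `#ldap-check`, since a wrong fragment silently lands the reader at the top of the page instead of failing the docs build.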
@@ -95,42 +95,42 @@ This example shows configuration for Omnibus GitLab instances:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = {
-'main' => {
- 'label' => 'LDAP',
- 'host' => 'ldap.mydomain.com',
- 'port' => 389,
- 'uid' => 'sAMAccountName',
- 'encryption' => 'simple_tls',
- 'verify_certificates' => true,
- 'bind_dn' => '_the_full_dn_of_the_user_you_will_bind_with',
- 'password' => '_the_password_of_the_bind_user',
- 'tls_options' => {
- 'ca_file' => '',
- 'ssl_version' => '',
- 'ciphers' => '',
- 'cert' => '',
- 'key' => ''
- },
- 'timeout' => 10,
- 'active_directory' => true,
- 'allow_username_or_email_login' => false,
- 'block_auto_created_users' => false,
- 'base' => 'dc=example,dc=com',
- 'user_filter' => '',
- 'attributes' => {
- 'username' => ['uid', 'userid', 'sAMAccountName'],
- 'email' => ['mail', 'email', 'userPrincipalName'],
- 'name' => 'cn',
- 'first_name' => 'givenName',
- 'last_name' => 'sn'
- },
- 'lowercase_usernames' => false,
-
- # EE Only
- 'group_base' => '',
- 'admin_group' => '',
- 'external_groups' => [],
- 'sync_ssh_keys' => false
+ 'main' => {
+ 'label' => 'LDAP',
+ 'host' => 'ldap.mydomain.com',
+ 'port' => 389,
+ 'uid' => 'sAMAccountName',
+ 'encryption' => 'simple_tls',
+ 'verify_certificates' => true,
+ 'bind_dn' => '_the_full_dn_of_the_user_you_will_bind_with',
+ 'password' => '_the_password_of_the_bind_user',
+ 'tls_options' => {
+ 'ca_file' => '',
+ 'ssl_version' => '',
+ 'ciphers' => '',
+ 'cert' => '',
+ 'key' => ''
+ },
+ 'timeout' => 10,
+ 'active_directory' => true,
+ 'allow_username_or_email_login' => false,
+ 'block_auto_created_users' => false,
+ 'base' => 'dc=example,dc=com',
+ 'user_filter' => '',
+ 'attributes' => {
+ 'username' => ['uid', 'userid', 'sAMAccountName'],
+ 'email' => ['mail', 'email', 'userPrincipalName'],
+ 'name' => 'cn',
+ 'first_name' => 'givenName',
+ 'last_name' => 'sn'
+ },
+ 'lowercase_usernames' => false,
+
+ # EE Only
+ 'group_base' => '',
+ 'admin_group' => '',
+ 'external_groups' => [],
+ 'sync_ssh_keys' => false
}
}
```
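Review bot: the reindented example still pairs `'port' => 389` with `'encryption' => 'simple_tls'`. Simple TLS (LDAPS) is the TLS-from-the-start mode that directory servers conventionally serve on 636, while 389 is the plain/StartTLS port, so an administrator who copies this block as-is gets a connection failure, and the tempting "fix" of switching `encryption` to plain would send the `password` value over the network unencrypted. Since this hunk already touches every line of the block, set `'port' => 636` (matching the three-server example later in this file) or change the value to `'start_tls'`, so the example agrees with the NOTE above it about the `encryption` setting.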
@@ -248,33 +248,34 @@ The following example shows how to configure three LDAP servers in `gitlab.rb`:
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
-'main' => {
- 'label' => 'GitLab AD',
- 'host' => 'ad.example.org',
- 'port' => 636,
- ...
+ 'main' => {
+ 'label' => 'GitLab AD',
+ 'host' => 'ad.example.org',
+ 'port' => 636,
+ ...
},
-'secondary' => {
- 'label' => 'GitLab Secondary AD',
- 'host' => 'ad-secondary.example.net',
- 'port' => 636,
- ...
+ 'secondary' => {
+ 'label' => 'GitLab Secondary AD',
+ 'host' => 'ad-secondary.example.net',
+ 'port' => 636,
+ ...
},
-'tertiary' => {
- 'label' => 'GitLab Tertiary AD',
- 'host' => 'ad-tertiary.example.net',
- 'port' => 636,
- ...
+ 'tertiary' => {
+ 'label' => 'GitLab Tertiary AD',
+ 'host' => 'ad-tertiary.example.net',
+ 'port' => 636,
+ ...
}
-
}
```
-This example results in the following sign-in page:
+This example results in a sign-in page with the following tabs:
-![Multiple LDAP servers sign in](img/multi_login.png)
+- **GitLab AD**.
+- **GitLab Secondary AD**.
+- **GitLab Tertiary AD**.
### Set up LDAP user filter
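Review bot: the three list items that replace the screenshot end with a period after the bold tab name (`- **GitLab AD**.`), which reads as though the period is part of the label; these are labels, not sentences, so drop the trailing periods. Removing the stray `-` blank line before the closing `}` of the hash is a good cleanup.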
@@ -286,9 +287,9 @@ necessary, you can set up an LDAP user filter. The filter must comply with [RFC
```ruby
gitlab_rails['ldap_servers'] = {
- 'main' => {
- # snip...
- 'user_filter' => '(employeeType=developer)'
+ 'main' => {
+ # snip...
+ 'user_filter' => '(employeeType=developer)'
}
}
```
@@ -363,9 +364,9 @@ the configuration option `lowercase_usernames`. By default, this configuration o
```ruby
gitlab_rails['ldap_servers'] = {
- 'main' => {
- # snip...
- 'lowercase_usernames' => true
+ 'main' => {
+ # snip...
+ 'lowercase_usernames' => true
}
}
```
@@ -444,15 +445,15 @@ If initially your LDAP configuration looked like:
1. In `/etc/gitlab/gitlab.rb`:
- ```ruby
- gitlab_rails['ldap_servers'] = {
- 'main' => {
- # snip...
- 'bind_dn' => 'admin',
- 'password' => '123'
- }
- }
- ```
+ ```ruby
+ gitlab_rails['ldap_servers'] = {
+ 'main' => {
+ # snip...
+ 'bind_dn' => 'admin',
+ 'password' => '123'
+ }
+ }
+ ```
1. Edit the encrypted secret:
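Review bot: the re-indented "before" snippet keeps `'bind_dn' => 'admin'`, which is not the full DN the main example in this file asks for (`_the_full_dn_of_the_user_you_will_bind_with`); readers copy the shape of this block into the encrypted-secret step that follows, so use a DN-shaped placeholder such as `'cn=admin,dc=example,dc=com'` here, and keep `'password' => '123'` visibly a placeholder since the whole point of the section is moving that value out of `gitlab.rb`.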
diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md
index c7572ec0a18..64ef27cbf51 100644
--- a/doc/administration/auth/ldap/ldap-troubleshooting.md
+++ b/doc/administration/auth/ldap/ldap-troubleshooting.md
@@ -181,7 +181,7 @@ The user should now be able to sign in.
#### Email has already been taken
A user tries to sign in with the correct LDAP credentials, is denied access,
-and the [production.log](../../logs.md#productionlog) shows an error that looks like this:
+and the [production.log](../../logs/index.md#productionlog) shows an error that looks like this:
```plaintext
(LDAP) Error saving user <USER DN> (email@example.com): ["Email has already been taken"]
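Review bot: the `production.log` link now points at `../../logs/index.md#productionlog`, and the later hunk in this file reuses that anchor plus `#applicationlog`; verify once that `logs/index.md` actually carries headings generating both fragments, otherwise all three links in this file degrade silently to the top of the page.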
@@ -210,8 +210,8 @@ This shows you which user has this email address. One of two steps must be taken
remove this email as a secondary email and make it a primary one so GitLab
associates this profile to the LDAP identity.
-The user can do either of these steps [in their
-profile](../../../user/profile/index.md#access-your-user-profile) or an administrator can do it.
+The user can do either of these steps
+[in their profile](../../../user/profile/index.md#access-your-user-profile) or an administrator can do it.
#### Projects limit errors
@@ -426,13 +426,12 @@ Rails.logger.level = Logger::DEBUG
LdapAllGroupsSyncWorker.new.perform
```
-Next, [learn how to read the
-output](#example-console-output-after-a-group-sync).
+Next, [learn how to read the output](#example-console-output-after-a-group-sync).
##### Example console output after a group sync
-Like the output from the user sync, the output from the [manual group
-sync](#sync-all-groups) is also very verbose. However, it contains lots
+Like the output from the user sync, the output from the
+[manual group sync](#sync-all-groups) is also very verbose. However, it contains lots
of helpful information.
Indicates the point where syncing actually begins:
@@ -644,10 +643,10 @@ users, [see what to do when no users are found](#no-users-are-found).
### GitLab logs
If a user account is blocked or unblocked due to the LDAP configuration, a
-message is [logged to `application.log`](../../logs.md#applicationlog).
+message is [logged to `application.log`](../../logs/index.md#applicationlog).
If there is an unexpected error during an LDAP lookup (configuration error,
-timeout), the sign-in is rejected and a message is [logged to `production.log`](../../logs.md#productionlog).
+timeout), the sign-in is rejected and a message is [logged to `production.log`](../../logs/index.md#productionlog).
### ldapsearch
@@ -743,8 +742,7 @@ For instructions about how to use the rails console, refer to this
This provides debug output that shows what GitLab is doing and with what.
This value is not persisted, and is only enabled for this session in the Rails console.
-To enable debug output in the rails console, [enter the rails
-console](#rails-console) and run:
+To enable debug output in the rails console, [enter the rails console](#rails-console) and run:
```ruby
Rails.logger.level = Logger::DEBUG
diff --git a/doc/administration/auth/ldap/ldap_synchronization.md b/doc/administration/auth/ldap/ldap_synchronization.md
index b0ada1c11dd..62706a9e3b9 100644
--- a/doc/administration/auth/ldap/ldap_synchronization.md
+++ b/doc/administration/auth/ldap/ldap_synchronization.md
@@ -128,7 +128,7 @@ To take advantage of group sync, group Owners or users with the [Maintainer role
### Add group links
For information on adding group links by using CNs and filters, refer to the
-[GitLab groups documentation](../../../user/group/index.md#manage-group-memberships-via-ldap).
+[GitLab groups documentation](../../../user/group/access_and_permissions.md#manage-group-memberships-via-ldap).
### Administrator sync
diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md
index 60a4cc8706f..8c5bf96e99e 100644
--- a/doc/administration/auth/oidc.md
+++ b/doc/administration/auth/oidc.md
@@ -250,8 +250,8 @@ but `LocalAccounts` works for authenticating against local, Active Directory acc
<OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
```
-1. For OIDC discovery to work with B2C, the policy must be configured with an issuer compatible with the [OIDC
- specification](https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.3).
+1. For OIDC discovery to work with B2C, the policy must be configured with an issuer compatible with the
+ [OIDC specification](https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.3).
See the [token compatibility settings](https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-compatibility-settings).
In `TrustFrameworkBase.xml` under `JwtIssuer`, set `IssuanceClaimPattern` to `AuthorityWithTfp`:
@@ -529,8 +529,7 @@ If you're having trouble, here are some tips:
1. Check your system clock to ensure the time is synchronized properly.
-1. As mentioned in [the
- documentation](https://github.com/m0n9oose/omniauth_openid_connect),
+1. As mentioned in [the documentation](https://github.com/m0n9oose/omniauth_openid_connect),
make sure `issuer` corresponds to the base URL of the Discovery URL. For
example, `https://accounts.google.com` is used for the URL
`https://accounts.google.com/.well-known/openid-configuration`.
@@ -540,5 +539,4 @@ If you're having trouble, here are some tips:
If you are seeing 401 errors upon retrieving the `userinfo` endpoint, you may
want to check your OpenID Web server configuration. For example, for
[`oauth2-server-php`](https://github.com/bshaffer/oauth2-server-php), you
- may need to [add a configuration parameter to
- Apache](https://github.com/bshaffer/oauth2-server-php/issues/926#issuecomment-387502778).
+ may need to [add a configuration parameter to Apache](https://github.com/bshaffer/oauth2-server-php/issues/926#issuecomment-387502778).