Host-based authentication uses the user account mechanism of the underlying operating system on which FishEye is running.
Group Restrictions
FishEye can be configured to check if a user belongs to a group (or groups) before allowing access.
You can list one group name, or join several group names into a boolean expression like group1 & (group2 | group3).
If your group name contains spaces or non-ASCII characters, then you need to use quotes. For example: "Power Users" | Administrators.
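To sanity-check a restriction before saving it, the following added example (not FishEye's own code) evaluates such an expression against a set of group names. The grammar is inferred from the two examples above; the precedence of & over |, exact-match comparison, and the function names tokenize and allowed are assumptions.

```python
import re

# Assumed grammar, inferred from the page's two examples: names, "quoted names",
# '&', '|' and parentheses. '&' binding tighter than '|' is an assumption.
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|([&|()])|([^\s&|()"]+))')

def tokenize(expr):
    """Split an expression into ('name', value) and ('op', char) tokens."""
    tokens, pos, expr = [], 0, expr.rstrip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:  # for example an unterminated quote
            raise ValueError(f"cannot parse at offset {pos}: {expr[pos:]!r}")
        quoted, op, bare = m.groups()
        tokens.append(("op", op) if op else ("name", bare if quoted is None else quoted))
        pos = m.end()
    return tokens

def allowed(expr, user_groups):
    """Return True if the given group names satisfy the expression (exact match)."""
    tokens = tokenize(expr) + [(None, None)]  # sentinel marks end of input
    groups, pos = set(user_groups), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def atom():
        kind, val = take()
        if kind == "name":
            return val in groups
        if (kind, val) != ("op", "("):
            raise ValueError(f"expected a group name or '(', got {val!r}")
        inner = or_expr()
        if take() != ("op", ")"):
            raise ValueError("missing ')'")
        return inner

    def chain(operand, op, combine):
        result = operand()
        while tokens[pos] == ("op", op):
            take()
            result = combine(result, operand())  # right side is always parsed
        return result

    def or_expr():
        and_expr = lambda: chain(atom, "&", lambda a, b: a and b)
        return chain(and_expr, "|", lambda a, b: a or b)

    result = or_expr()
    if tokens[pos] != (None, None):
        raise ValueError(f"unexpected token {tokens[pos][1]!r}")
    return result
```

An unquoted name with a space, such as Power Users | Administrators, raises ValueError here instead of silently matching a group called Power.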
Windows
If the computer FishEye is running on is not a member of a domain, then the Domain attribute is ignored.
When the computer is a member of a domain, you need to enter the full DNS name of the domain (e.g. corp.example.com). If you enter the short version of the domain (e.g. corp), then group-based restrictions may fail.
Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.
PAM
On Linux, Solaris and OS-X, host-based authentication uses PAM (Pluggable Authentication Modules) to check users' passwords.
FishEye needs to be configured with the service name to use when conversing with PAM. You can create a new service name in the PAM configuration (typically /etc/pam.conf or /etc/pam.d/), or configure FishEye to use an existing service name (such as other, login or xscreensaver).
Some general operating-system specific tips are given below, but you should consult the PAM documentation for your operating system.
Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.
Linux
On many Linux distributions, you may need to create a /etc/pam.d/fisheye file containing:
    auth required pam_stack.so service=system-auth
Mac OS-X
On a default OS-X installation, you may need to create a /etc/pam.d/fisheye file containing:
    auth sufficient pam_securityserver.so
    auth required pam_deny.so
Solaris
If you are using the default pam_unix_auth PAM configuration on Solaris, then you may need to add lines like these to your /etc/pam.conf file:
    fisheye auth requisite pam_authtok_get.so.1
    fisheye auth required pam_unix_auth.so.1
If you test this and it does not work, it is probably because when using pam_unix_auth on Solaris, the process doing the password check needs read access to /etc/shadow.
Giving the FishEye process read access to this file may solve this problem, but using permissions other than 0400 for /etc/shadow is not recommended. You should discuss this with your system administrators first, and possibly change to a PAM module other than pam_unix_auth.
Global Settings
Global settings are:
Domain/Service name | Windows: the name of the domain. Leave blank to use the local computer. |
Required group: | The group or groups a user must belong to in order for them to be able to log in. |
Cache TTL (positive) | How long FishEye should cache permission checks. Example values are: |
Auto-add | FishEye can automatically create a user it has not previously encountered if the user can successfully authenticate with the host. |
Per-Repository Settings
You can give FishEye a group restriction that will be used to check if a user has access to individual repositories. You can specify this per repository, or just specify it in the repository defaults:
Required Group | A group (or groups) used to check if a given user can access a given repository. For example: |