FishEye 1.4 : Host-Based Authentication
This page last changed on Oct 24, 2007 by rosie@atlassian.com.
Host-based authentication uses the user account mechanism of the underlying operating system on which FishEye is running. FishEye currently supports PAM-based authentication on Linux/Solaris/OS-X, and NT-based authentication on Windows.

Group Restrictions

FishEye can be configured to check if a user belongs to a group (or groups) before allowing access. You can list one group name, or join several group names into a boolean expression like group1 & (group2 | group3). If your group name contains spaces or non-ASCII characters, then you need to use quotes. For example: "Power Users" | Administrators.

Windows
If the computer FishEye is running on is not a member of a domain, then the Domain attribute is ignored. When the computer is a member of a domain, you need to enter the full DNS name of the domain (e.g. corp.example.com). If you enter the short version of the domain (e.g. corp), then group-based restrictions may fail.

Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.

PAM

On Linux, Solaris and OS-X, host-based authentication uses PAM (Pluggable Authentication Modules) to check users' passwords. FishEye needs to be configured with the service name to use when conversing with PAM. You can create a new service name in the PAM configuration (typically /etc/pam.conf or /etc/pam.d/), or configure FishEye to use an existing service name (such as other, login or xscreensaver). Some general operating-system specific tips are given below, but you should consult the PAM documentation for your operating system.

Once you have configured your settings, we recommend you use the 'Test' function to ensure your access control behaves correctly.

Linux

On many Linux distributions, you may need to create a /etc/pam.d/fisheye file containing:

    auth required pam_stack.so service=system-auth

Mac OS-X

On a default OS-X installation, you may need to create a /etc/pam.d/fisheye file containing:

    auth sufficient pam_securityserver.so
    auth required pam_deny.so

Solaris

If you are using the default pam_unix_auth PAM configuration on Solaris, then you may need to add lines like these to your /etc/pam.conf file:

    fisheye auth requisite pam_authtok_get.so.1
    fisheye auth required pam_unix_auth.so.1

If you test this and it does not work, it is probably because when using pam_unix_auth on Solaris, the process doing the password check needs read access to /etc/shadow. Giving the FishEye process read access to this file may solve this problem, but using permissions other than 0400 for /etc/shadow is not recommended. You should discuss this with your system administrators first, and possibly change to a PAM module other than pam_unix_auth.

Global Settings

Global settings are:
Per-Repository Settings

You can give FishEye a group restriction that will be used to check if a user has access to individual repositories. You can specify this per repository, or just specify it in the repository defaults:
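
To review a group restriction before relying on it, the following added example (not FishEye's own code) parses the expression syntax described under Group Restrictions and evaluates it against a set of group names. The function names tokenize and evaluate are hypothetical, and two behaviours are assumptions the page does not state: '&' binds tighter than '|', and group names match exactly and case-sensitively.

```python
import re

# One token: a quoted name, an operator/parenthesis, or a bare name.
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|([&|()])|([^\s&|()"]+))')

def tokenize(expr):
    """Split a restriction into ('name', text) and ('op', symbol) tokens."""
    expr, tokens, pos = expr.rstrip(), [], 0
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:  # e.g. a quote that is never closed
            raise ValueError(f"cannot parse at offset {pos}: {expr[pos:]!r}")
        quoted, op, bare = m.groups()
        if bare and not bare.isascii():  # the page requires quotes here
            raise ValueError(f"group name {bare!r} must be quoted")
        tokens.append(("op", op) if op else ("name", quoted or bare or ""))
        pos = m.end()
    return tokens

def evaluate(expr, user_groups):
    """True if user_groups satisfies expr. Assumed: '&' binds tighter than '|'."""
    tokens, pos = tokenize(expr), 0
    def take():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else (None, None)
        pos += 1
        return tok
    # Assumption (not from the FishEye docs): exact, case-sensitive name match.
    def atom():
        kind, text = take()
        if kind == "name":
            return text in user_groups
        if (kind, text) == ("op", "("):
            value = either()
            if take() != ("op", ")"):
                raise ValueError("missing ')'")
            return value
        raise ValueError(f"expected a group name or '(', got {text!r}")
    def chain(operand, symbol, combine):
        value = operand()
        while pos < len(tokens) and tokens[pos] == ("op", symbol):
            take()
            value = combine(value, operand())  # right operand is always parsed
        return value
    both = lambda: chain(atom, "&", lambda a, b: a and b)
    either = lambda: chain(both, "|", lambda a, b: a or b)
    value = either()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos][1]!r}")
    return value
```

A malformed restriction raises ValueError instead of evaluating to a default, so a typing mistake is reported rather than silently granting or denying access.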
Document generated by Confluence on Dec 09, 2007 17:50