GitHub Enterprise Server integrates with these LDAP services:
- Active Directory
- Oracle Directory Server Enterprise Edition
- Open Directory
GitHub Enterprise Server usernames may only contain alphanumeric characters and dashes (-). GitHub Enterprise Server normalizes any non-alphanumeric character in an account's username to a dash. For example, the username … is normalized to gregory-st-john. Note that normalized usernames also cannot start or end with a dash, and they cannot contain two consecutive dashes.
If multiple accounts normalize to the same GitHub Enterprise Server username, only the first user account is created. Subsequent users with the same username are unable to sign in.
This table shows examples of how usernames are normalized in GitHub Enterprise Server:
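The normalization and collision rules described above, as an added example in Python that is not part of this page and not GitHub's own implementation. The directory usernames are constructed for illustration, and because the page does not describe case handling, letter case is left untouched; the useful output is the list of directory accounts that would be rejected or locked out by a collision, which is worth auditing before enabling LDAP on an instance.

```python
import re

# Constructed sample usernames (not from the page).
SAMPLE_DIRECTORY_USERNAMES = [
    "mary.ann",    # periods become dashes -> mary-ann
    "mary_ann",    # also normalizes to mary-ann: collides with the first account
    "!bob",        # leading non-alphanumeric -> leading dash, not allowed
    "carol!",      # trailing dash, not allowed
    "dave..lee",   # two consecutive dashes, not allowed
    "eve42",       # already a valid username
]


def normalize_username(raw: str) -> str:
    """Replace every character that is not A-Z, a-z or 0-9 with a dash.

    Case handling is not described on the page, so it is left unchanged here
    (assumption of this example).
    """
    return re.sub(r"[^A-Za-z0-9]", "-", raw)


def rejection_reason(normalized: str):
    """Return why a normalized name is unusable, or None if it is acceptable."""
    if not normalized:
        return "empty username"
    if normalized.startswith("-"):
        return "starts with a dash"
    if normalized.endswith("-"):
        return "ends with a dash"
    if "--" in normalized:
        return "contains two consecutive dashes"
    return None


def provision(directory_usernames):
    """Simulate account creation: the first directory account to claim a
    normalized name wins; later accounts with the same name cannot sign in."""
    created = {}    # normalized name -> directory username that claimed it
    rejected = []   # (directory username, normalized name, reason)
    for raw in directory_usernames:
        norm = normalize_username(raw)
        reason = rejection_reason(norm)
        if reason is None and norm in created:
            reason = f"collides with existing account from {created[norm]!r}"
        if reason is None:
            created[norm] = raw
        else:
            rejected.append((raw, norm, reason))
    return created, rejected


if __name__ == "__main__":
    created, rejected = provision(SAMPLE_DIRECTORY_USERNAMES)
    for norm, raw in created.items():
        print(f"created  {norm:<12} from {raw}")
    for raw, norm, reason in rejected:
        print(f"rejected {raw:<12} ({norm}): {reason}")
```

Running `provision` over an export of your directory's User ID attribute values before cut-over shows which accounts will silently fail to sign in, so the collisions can be resolved in the directory rather than discovered by locked-out users.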
Two-factor authentication is supported when using LDAP or built-in authentication. Organization administrators can require members to enable two-factor authentication.
After you configure LDAP, users will be able to sign into your instance with their LDAP credentials. When users sign in for the first time, their profile names, email addresses, and SSH keys will be set with the LDAP attributes from your directory.
When you configure LDAP access for users via the Management Console, your user licenses aren't used until the first time a user signs in to your instance. However, if you create an account manually using site admin settings, the user license is immediately accounted for.
Warning: Before configuring LDAP on your GitHub Enterprise Server instance, make sure that your LDAP service supports paged results.
- In the upper-right corner of any page, click .
- In the left sidebar, click Management Console.
- In the left sidebar, click Authentication.
- Under "Authentication", select LDAP.
- Optionally, select Allow built-in authentication to invite users to use built-in authentication if they don't belong to your GitHub Enterprise Server instance's identity provider.
- Add your configuration settings.
Use these attributes to finish configuring LDAP for your GitHub Enterprise Server instance.
| Type | Description |
| --- | --- |
| Required | The LDAP host, e.g. … |
| Required | The port the host's LDAP services are listening on. Examples include 389 and 636 (for LDAPS). |
| Required | The encryption method used to secure communications to the LDAP server: plain (no encryption), SSL/LDAPS (encrypted from the start), or StartTLS (upgrade to encrypted communication once connected). |
| Optional | The LDAP user that performs user lookups to authenticate other users when they sign in. This is typically a service account created specifically for third-party integrations. Use a fully qualified name, such as … |
| Optional | The password for the domain search user. |
| Optional | Users in this group are promoted to site administrators when signing into your appliance. If you don't configure an LDAP Administrators group, the first LDAP user account that signs into your appliance is automatically promoted to a site administrator. |
| Required | The fully qualified … |
| Optional | If specified, only users in these groups are allowed to log in. You only need to specify the common names (CNs) of the groups, and you can add as many groups as you like. If no groups are specified, all users within the scope of the specified domain base are able to sign in to your GitHub Enterprise Server instance. |
| Required | The LDAP attribute that identifies the LDAP user who attempts authentication. Once a mapping is established, users may change their GitHub Enterprise Server usernames. This field should be … |
| Optional | The name that appears on the user's GitHub Enterprise Server profile page. Unless LDAP Sync is enabled, users may change their profile names. |
| Optional | The email addresses for a user's GitHub Enterprise Server account. |
| Optional | The public SSH keys attached to a user's GitHub Enterprise Server account. The keys must be in OpenSSH format. |
| Optional | The GPG keys attached to a user's GitHub Enterprise Server account. |
| Optional | If selected, turns off users' ability to use LDAP passwords to authenticate Git operations. |
| Optional | If selected, turns on LDAP certificate verification. |
| Optional | If selected, turns on LDAP Sync. |
Select Disable username and password authentication for Git operations in your LDAP settings to enforce use of personal access tokens or SSH keys for Git access, which can help prevent your server from being overloaded by LDAP authentication requests. We recommend this setting because a slow-responding LDAP server, especially combined with a large number of requests due to polling, is a frequent source of performance issues and outages.
When this option is selected, if a user tries to use a password for Git operations via the command line, they will receive an error message that says,
Password authentication is not allowed for Git operations. You must use a personal access token.
Select Enable LDAP certificate verification in your LDAP settings to validate the LDAP server certificate you use with TLS.
When this option is selected, the certificate is validated to make sure:
- If the certificate contains at least one Subject Alternative Name (SAN), one of the SANs matches the LDAP hostname. Otherwise, the Common Name (CN) matches the LDAP hostname.
- The certificate is not expired.
- The certificate is signed by a trusted certificate authority (CA).
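The three checks listed above, as an added example in Python that is not part of this page and not GitHub's own verification code. It models the SAN-before-CN rule, the validity window and the trusted-issuer check over constructed certificate fields; a real deployment would parse the X.509 certificate presented by the LDAP server, and the hostname ldap.example.com, the issuer names and the dates are all made up. Wildcard names are not mentioned on the page and are not modeled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class CertInfo:
    """The certificate fields the three checks need. This is a constructed
    model of a parsed X.509 certificate, not a real certificate object."""
    subject_cn: str
    sans: list = field(default_factory=list)   # DNS names from subjectAltName
    issuer: str = ""
    not_before: datetime = datetime(2023, 1, 1, tzinfo=timezone.utc)
    not_after: datetime = datetime(2025, 1, 1, tzinfo=timezone.utc)


def hostname_matches(cert: CertInfo, hostname: str) -> bool:
    """SAN entries take precedence: when at least one SAN is present the
    Common Name is ignored entirely; only a certificate with no SAN at all
    falls back to comparing the CN."""
    host = hostname.lower()
    if cert.sans:
        return any(san.lower() == host for san in cert.sans)
    return cert.subject_cn.lower() == host


def verify_ldap_cert(cert, hostname, trusted_issuers, now):
    """Return the list of failed checks; an empty list means the certificate
    is accepted for this LDAP hostname."""
    failures = []
    if not hostname_matches(cert, hostname):
        failures.append("hostname does not match SAN (or CN when no SAN is present)")
    if not cert.not_before <= now <= cert.not_after:
        failures.append("certificate is expired or not yet valid")
    if cert.issuer not in trusted_issuers:
        failures.append("issuer is not a trusted CA")
    return failures


# Constructed sample data (not from the page).
LDAP_HOST = "ldap.example.com"
TRUSTED_CAS = {"Example Corp Internal CA"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_CERTS = {
    "good": CertInfo("ldap.example.com", sans=["ldap.example.com", "ldap2.example.com"],
                     issuer="Example Corp Internal CA"),
    # CN matches, but a SAN list is present and does not contain the host:
    "san_mismatch": CertInfo("ldap.example.com", sans=["directory.example.com"],
                             issuer="Example Corp Internal CA"),
    # No SAN at all, so the CN is what gets compared:
    "cn_only": CertInfo("ldap.example.com", issuer="Example Corp Internal CA"),
    "expired": CertInfo("ldap.example.com", sans=["ldap.example.com"],
                        issuer="Example Corp Internal CA",
                        not_after=datetime(2024, 1, 1, tzinfo=timezone.utc)),
    "self_signed": CertInfo("ldap.example.com", sans=["ldap.example.com"],
                            issuer="ldap.example.com"),
}


def check_all(certs=SAMPLE_CERTS):
    """Verify every sample certificate against the configured LDAP host."""
    return {name: verify_ldap_cert(c, LDAP_HOST, TRUSTED_CAS, NOW)
            for name, c in certs.items()}


if __name__ == "__main__":
    for name, failures in check_all().items():
        print(f"{name:<13} {'OK' if not failures else '; '.join(failures)}")
```

The `san_mismatch` case is the one that surprises administrators most often: a certificate whose CN is correct still fails once any SAN is present, so when a directory server's certificate is reissued with SANs, the LDAP hostname configured in the Management Console must appear among them.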
LDAP Sync lets you synchronize GitHub Enterprise Server users and team membership against your established LDAP groups. This lets you establish role-based access control for users from your LDAP server instead of manually within GitHub Enterprise Server. For more information, see "Creating teams."
To enable LDAP Sync, in your LDAP settings, select Synchronize Emails, Synchronize SSH Keys, or Synchronize GPG Keys.
After you enable LDAP sync, a synchronization job will run at the specified time interval to perform the following operations on each user account:
- If you've allowed built-in authentication for users outside your identity provider, and the user is using built-in authentication, move on to the next user.
- If no LDAP mapping exists for the user, try to map the user to an LDAP entry in the directory. If the user cannot be mapped to an LDAP entry, suspend the user and move on to the next user.
- If there is an LDAP mapping and the corresponding LDAP entry in the directory is missing, suspend the user and move on to the next user.
- If the corresponding LDAP entry has been marked as disabled and the user is not already suspended, suspend the user and move on to the next user.
- If the corresponding LDAP entry is not marked as disabled, and the user is suspended, and Reactivate suspended users is enabled in the Admin Center, unsuspend the user.
- If the corresponding LDAP entry includes a name attribute, update the user's profile name.
- If the corresponding LDAP entry is in the Administrators group, promote the user to site administrator.
- If the corresponding LDAP entry is not in the Administrators group, demote the user to a normal account.
- If an LDAP User field is defined for emails, synchronize the user's email settings with the LDAP entry. Set the first LDAP
- If an LDAP User field is defined for SSH public keys, synchronize the user's public SSH keys with the LDAP entry.
- If an LDAP User field is defined for GPG keys, synchronize the user's GPG keys with the LDAP entry.
Note: LDAP entries can only be marked as disabled if you use Active Directory and the userAccountControl attribute is present and flagged with
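The per-user synchronization rules listed above, as an added example in Python that is not part of this page and not GitHub's own sync job. It walks a constructed directory and a constructed set of accounts through the rules in the page's order. Assumptions of this example: an unmapped user is matched to an entry by comparing the login with the entry's User ID value, a disabled entry ends processing for that user whether or not it was already suspended, and "disabled" means the standard Active Directory ACCOUNTDISABLE bit (0x0002) of userAccountControl is set. All DNs, names and addresses are made up.

```python
from dataclasses import dataclass
from typing import Optional

# Standard Active Directory userAccountControl bit for a disabled account
# (ADS_UF_ACCOUNTDISABLE = 0x0002), supplied here as a known AD fact;
# the page's note names the flag but its value was lost in extraction.
ACCOUNTDISABLE = 0x0002


@dataclass
class LdapEntry:
    dn: str
    uid: str                        # value of the configured User ID attribute
    name: Optional[str] = None      # the "name" attribute used for the profile name
    user_account_control: int = 0
    member_of: tuple = ()
    mail: tuple = ()


@dataclass
class User:
    login: str
    uses_builtin_auth: bool = False
    ldap_dn: Optional[str] = None   # existing LDAP mapping, if any
    suspended: bool = False
    site_admin: bool = False
    profile_name: str = ""
    emails: tuple = ()


@dataclass
class SyncConfig:
    allow_builtin_auth: bool = False
    reactivate_suspended: bool = False
    admin_group_dn: Optional[str] = None
    sync_emails: bool = True


def sync_user(user, directory, cfg):
    """Apply the per-user rules in the page's order; returns the actions taken."""
    if cfg.allow_builtin_auth and user.uses_builtin_auth:
        return ["skipped: uses built-in authentication"]
    actions = []
    if user.ldap_dn is None:
        # No mapping yet: try to find the entry by the User ID attribute (assumption).
        entry = next((e for e in directory.values() if e.uid == user.login), None)
        if entry is None:
            user.suspended = True
            return ["suspended: no LDAP entry could be mapped"]
        user.ldap_dn = entry.dn
        actions.append(f"mapped to {entry.dn}")
    else:
        entry = directory.get(user.ldap_dn)
        if entry is None:
            user.suspended = True
            return actions + ["suspended: mapped LDAP entry is missing"]
    if entry.user_account_control & ACCOUNTDISABLE:
        if not user.suspended:
            user.suspended = True
            actions.append("suspended: LDAP entry is disabled")
        return actions   # assumption: a disabled entry is not synchronized further
    if user.suspended and cfg.reactivate_suspended:
        user.suspended = False
        actions.append("unsuspended")
    if entry.name:
        user.profile_name = entry.name
        actions.append("profile name updated")
    in_admin_group = cfg.admin_group_dn is not None and cfg.admin_group_dn in entry.member_of
    if in_admin_group and not user.site_admin:
        user.site_admin = True
        actions.append("promoted to site administrator")
    elif not in_admin_group and user.site_admin:
        user.site_admin = False
        actions.append("demoted to normal account")
    if cfg.sync_emails and entry.mail:
        user.emails = tuple(entry.mail)
        actions.append("emails synchronized")
    return actions


def run_sync(users, directory, cfg):
    """Run one synchronization pass; returns login -> list of actions."""
    return {u.login: sync_user(u, directory, cfg) for u in users}


# Constructed sample directory and accounts (not from the page).
ADMIN_GROUP = "cn=ghes-admins,ou=groups,dc=example,dc=com"
DIRECTORY = {e.dn: e for e in [
    LdapEntry("uid=alice,ou=people,dc=example,dc=com", "alice", name="Alice Adams",
              member_of=(ADMIN_GROUP,), mail=("alice@example.com",)),
    LdapEntry("uid=bob,ou=people,dc=example,dc=com", "bob", name="Bob Brown",
              user_account_control=ACCOUNTDISABLE),
    LdapEntry("uid=carol,ou=people,dc=example,dc=com", "carol", name="Carol Chen",
              mail=("carol@example.com",)),
]}


def sample_users():
    return [
        User("alice", ldap_dn="uid=alice,ou=people,dc=example,dc=com"),  # mapped, in admin group
        User("bob", ldap_dn="uid=bob,ou=people,dc=example,dc=com"),      # mapped, disabled in AD
        User("carol", suspended=True),                                    # unmapped and suspended
        User("dave", ldap_dn="uid=dave,ou=people,dc=example,dc=com", site_admin=True),  # entry gone
        User("erin", uses_builtin_auth=True),                             # outside the IdP
    ]


CONFIG = SyncConfig(allow_builtin_auth=True, reactivate_suspended=True, admin_group_dn=ADMIN_GROUP)

if __name__ == "__main__":
    for login, actions in run_sync(sample_users(), DIRECTORY, CONFIG).items():
        print(f"{login}: {', '.join(actions)}")
```

Two outcomes in the sample are worth noticing from a defender's point of view: `dave` is suspended because his mapped entry disappeared, but because processing stops at suspension he is not demoted, so a later manual unsuspension would restore a site administrator; and `carol` is reactivated only because Reactivate suspended users is enabled, which is why that setting deserves review before turning it on.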
A synchronization job will also run at the specified time interval to perform the following operations on each team that has been mapped to an LDAP group:
- If a team's corresponding LDAP group has been removed, remove all members from the team.
- If LDAP member entries have been removed from the LDAP group, remove the corresponding users from the team. If the user loses access to any repositories as a result, delete any private forks the user has of those repositories.
- If LDAP member entries have been added to the LDAP group, add the corresponding users to the team. If the user regains access to any repositories as a result, restore any private forks of the repositories that were deleted because the user lost access in the past 90 days.
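The per-team rules above, as an added example in Python that is not part of this page and not GitHub's own sync job. It models a team's repository access as the union of its teams' private repositories, removes or adds members to match the LDAP group, deletes private forks only when the user actually loses access (membership in another team can preserve it), and restores forks deleted within the page's 90-day window. Assumptions: GitHub logins equal the mapped LDAP user IDs, and a group DN absent from the directory snapshot means the group was removed. Team names, DNs and dates are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

FORK_RESTORE_WINDOW = timedelta(days=90)   # forks deleted within 90 days are restored


@dataclass
class Team:
    name: str
    ldap_group_dn: str
    members: set
    private_repos: set      # repositories this team grants access to


@dataclass
class PrivateFork:
    owner: str              # user login
    upstream: str           # the repository it was forked from
    deleted_on: Optional[date] = None


def accessible_repos(login, teams):
    """Repositories a user can reach through current team memberships."""
    return {repo for t in teams.values() if login in t.members for repo in t.private_repos}


def sync_teams(teams, ldap_groups, forks, today):
    """Apply the per-team rules. ldap_groups maps group DN -> set of member
    logins (assumption: logins equal the mapped LDAP user IDs); a DN missing
    from the mapping means the group was removed from the directory."""
    actions = []
    for team in teams.values():
        group = ldap_groups.get(team.ldap_group_dn)
        if group is None:
            actions.append(f"{team.name}: LDAP group removed, removing all members")
            to_remove, to_add = set(team.members), set()
        else:
            to_remove, to_add = team.members - group, group - team.members
        for login in sorted(to_remove):
            before = accessible_repos(login, teams)
            team.members.discard(login)
            lost = before - accessible_repos(login, teams)   # empty if another team still grants it
            actions.append(f"{team.name}: removed {login}")
            for fork in forks:
                if fork.owner == login and fork.upstream in lost and fork.deleted_on is None:
                    fork.deleted_on = today
                    actions.append(f"deleted {login}'s private fork of {fork.upstream}")
        for login in sorted(to_add):
            before = accessible_repos(login, teams)
            team.members.add(login)
            gained = accessible_repos(login, teams) - before
            actions.append(f"{team.name}: added {login}")
            for fork in forks:
                if (fork.owner == login and fork.upstream in gained
                        and fork.deleted_on is not None
                        and today - fork.deleted_on <= FORK_RESTORE_WINDOW):
                    fork.deleted_on = None
                    actions.append(f"restored {login}'s private fork of {fork.upstream}")
    return actions


# Constructed sample state (not from the page).
TODAY = date(2024, 6, 1)


def sample_state():
    teams = {
        "backend": Team("backend", "cn=backend,ou=groups,dc=example,dc=com", {"alice", "bob"}, {"api"}),
        "ops": Team("ops", "cn=ops,ou=groups,dc=example,dc=com", {"bob"}, {"api", "infra"}),
    }
    # bob left the backend group; carol and dave joined it; the ops group no longer exists
    ldap_groups = {"cn=backend,ou=groups,dc=example,dc=com": {"alice", "carol", "dave"}}
    forks = [
        PrivateFork("bob", "api"),
        PrivateFork("bob", "infra"),
        PrivateFork("carol", "api", deleted_on=TODAY - timedelta(days=30)),   # inside the window
        PrivateFork("dave", "api", deleted_on=TODAY - timedelta(days=120)),   # outside the window
    ]
    return teams, ldap_groups, forks


if __name__ == "__main__":
    teams, groups, forks = sample_state()
    for line in sync_teams(teams, groups, forks, TODAY):
        print(line)
```

In the sample, bob's fork of `api` survives his removal from `backend` because `ops` still grants access, and is deleted only when the `ops` group itself disappears; dave's fork is not restored because it was deleted more than 90 days ago.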
As part of an optimized configuration, LDAP Sync does not transfer your nested team structure. To create child and parent team relationships, you must manually recreate the nested team structure and sync it with the corresponding LDAP groups. For more information, see "Creating teams."
When LDAP Sync is enabled, site admins and organization owners can search the LDAP directory for groups to map the team to.
This has the potential to disclose sensitive organizational information to contractors or other unprivileged users, including:
- The existence of specific LDAP Groups visible to the Domain search user.
- Members of the LDAP group who have GitHub Enterprise Server user accounts, which is disclosed when creating a team synced with that LDAP group.
If disclosing such information is not desired, your company or organization should restrict the permissions of the configured Domain search user in the admin console. If such restriction isn't possible, contact GitHub Enterprise Support or GitHub Premium Support.
GitHub Enterprise Server supports these LDAP group object classes. Groups can be nested.
You can view the full list of LDAP users who have access to your instance and provision new users.
- Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
- In the upper-right corner of any page, click .
- In the left sidebar, click LDAP users.
- To search for a user, type a full or partial username and click Search. Existing users will be displayed in search results. If a user doesn’t exist, click Create to provision the new user account.
Unless LDAP Sync is enabled, changes to LDAP accounts are not automatically synchronized with GitHub Enterprise Server.
- To use a new LDAP admin group, users must be manually promoted and demoted on GitHub Enterprise Server to reflect changes in LDAP.
- To add or remove LDAP accounts in LDAP admin groups, promote or demote the accounts on GitHub Enterprise Server.
- To remove LDAP accounts, suspend the GitHub Enterprise Server accounts.
- Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
- In the upper-right corner of any page, click .
- In the search field, type the user's name, then click Search.
- In the upper-right corner of the page, click Admin.
- In the left sidebar, click Admin.
- Under "LDAP," click Sync now to manually update the account with data from your LDAP server.
You can also use the API to trigger a manual sync.
If LDAP Sync is enabled, removing a user's LDAP credentials will suspend their account after the next synchronization run.
If LDAP Sync is not enabled, you must manually suspend the GitHub Enterprise Server account after you remove the LDAP credentials. For more information, see "Suspending and unsuspending users".