Article version: Enterprise Server 2.19

Using LDAP

LDAP lets you authenticate GitHub Enterprise Server against your existing accounts and centrally manage repository access. LDAP is a popular application protocol for accessing and maintaining directory information services, and is one of the most common protocols used to integrate third-party software with large company user directories.


If you want to authenticate users without adding them to your identity provider, you can configure built-in authentication. For more information, see "Allowing built-in authentication for users outside your identity provider".

Supported LDAP services

GitHub Enterprise Server integrates with these LDAP services:

  • Active Directory
  • FreeIPA
  • Oracle Directory Server Enterprise Edition
  • OpenLDAP
  • Open Directory
  • 389-ds

Username considerations with LDAP

GitHub Enterprise Server usernames can only contain alphanumeric characters and dashes (-). GitHub Enterprise Server converts any non-alphanumeric character in your user account name into a dash. For example, a username of gregory.st.john becomes gregory-st-john. Note that normalized usernames also cannot begin or end with a dash, and cannot contain two consecutive dashes.

Usernames created from email addresses are built from the normalized characters that precede the @ character.

If multiple accounts normalize to the same GitHub Enterprise Server username, only the first user account is created. Subsequent users with the same username will not be able to sign in.

This table gives examples of how usernames are normalized in GitHub Enterprise Server:

Username                 Normalized username   Result
Ms.Bubbles               ms-bubbles            The username is created successfully.
!Ms.Bubbles              -ms-bubbles           The username is not created because it begins with a dash.
Ms.Bubbles!              ms-bubbles-           The username is not created because it ends with a dash.
Ms!!Bubbles              ms--bubbles           The username is not created because it contains two consecutive dashes.
Ms!Bubbles               ms-bubbles            The username is not created. Although the normalized username is valid, it already exists.
Ms.Bubbles@example.com   ms-bubbles            The username is not created. Although the normalized username is valid, it already exists.
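The normalization and collision rules above, as an added Python example (not GitHub's own code): it applies the page's rules to a batch of account names in sign-in order and reports which ones would be created and why the rest are rejected. The lowercasing follows the table's examples.

```python
import re

def normalize_username(raw: str) -> str:
    """Normalize an account name as the page describes: keep only the part
    before '@' (for email-style names), replace every non-alphanumeric
    character with a dash, and lowercase the result (as in the table)."""
    local_part = raw.split("@", 1)[0]
    return re.sub(r"[^A-Za-z0-9]", "-", local_part).lower()

def is_valid_username(name: str) -> bool:
    """A normalized name may not be empty, start or end with a dash,
    or contain two consecutive dashes."""
    if not name or name.startswith("-") or name.endswith("-"):
        return False
    return "--" not in name

def provision(raw_names):
    """Simulate first-sign-in provisioning in order. Returns a dict mapping each
    raw name to (status, normalized_name) where status is one of
    'created', 'invalid' or 'duplicate' (only the first claimant wins a name)."""
    taken = set()
    outcomes = {}
    for raw in raw_names:
        norm = normalize_username(raw)
        if not is_valid_username(norm):
            outcomes[raw] = ("invalid", norm)
        elif norm in taken:
            outcomes[raw] = ("duplicate", norm)
        else:
            taken.add(norm)
            outcomes[raw] = ("created", norm)
    return outcomes

# Constructed sample input: the rows of the table above, in sign-in order.
SAMPLE = ["Ms.Bubbles", "!Ms.Bubbles", "Ms.Bubbles!", "Ms!!Bubbles",
          "Ms!Bubbles", "Ms.Bubbles@example.com"]

if __name__ == "__main__":
    for raw, (status, norm) in provision(SAMPLE).items():
        print(f"{raw:24} -> {norm:14} {status}")
```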

Two-factor authentication

When you use LDAP or built-in authentication, two-factor authentication is supported. Organization administrators can require members to have two-factor authentication enabled.

Configuring LDAP with your GitHub Enterprise Server instance

After you configure LDAP, users will be able to sign into your instance with their LDAP credentials. When users sign in for the first time, their profile names, email addresses, and SSH keys will be set with the LDAP attributes from your directory.

When you configure LDAP access for users via the Management Console, your user licenses aren't used until the first time a user signs in to your instance. However, if you create an account manually using site admin settings, the user license is immediately accounted for.

Warning: Before configuring LDAP on your GitHub Enterprise Server instance, make sure that your LDAP service supports paged results.

  1. In the upper-right corner of any page, click the rocket icon.
    Rocket icon for accessing site admin settings
  2. In the left sidebar, click Management Console.
    Management Console tab in the left sidebar
  3. In the left sidebar, click Authentication.
    Authentication tab in the settings sidebar
  4. Under "Authentication", select LDAP.
    LDAP select
  5. Optionally, select Allow built-in authentication to invite users to use built-in authentication if they don't belong to your GitHub Enterprise Server instance's identity provider.
    Select LDAP built-in authentication checkbox
  6. Add your configuration settings.

LDAP attributes

Use these attributes to finish configuring LDAP for your GitHub Enterprise Server instance.

Host (required)
    The LDAP host, e.g. ldap.example.com or 10.0.0.30. If the hostname is only available from your internal network, you may need to configure your GitHub Enterprise Server instance's DNS first so it can resolve the hostname using your internal nameservers.
Port (required)
    The port the host's LDAP services are listening on. Examples include 389 and 636 (for LDAPS).
Encryption (required)
    The encryption method used to secure communications to the LDAP server. Examples include plain (no encryption), SSL/LDAPS (encrypted from the start), and StartTLS (upgrade to encrypted communication once connected).
Domain search user (optional)
    The LDAP user that performs user lookups to authenticate other users when they sign in. This is typically a service account created specifically for third-party integrations. Use a fully qualified name, such as cn=Administrator,cn=Users,dc=Example,dc=com. With Active Directory, you can also use the [DOMAIN]\[USERNAME] syntax (e.g. WINDOWS\Administrator) for the domain search user.
Domain search password (optional)
    The password for the domain search user.
Administrators group (optional)
    Users in this group are promoted to site administrators when signing into your appliance. If you don't configure an LDAP Administrators group, the first LDAP user account that signs into your appliance will be automatically promoted to a site administrator.
Domain base (required)
    The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for users and groups. You can add as many as you like; however, each group must be defined in the same domain base as the users that belong to it. If you specify restricted user groups, only users that belong to those groups will be in scope. We recommend that you specify the top level of your LDAP directory tree as your domain base and use restricted user groups to control access.
Restricted user groups (optional)
    If specified, only users in these groups will be allowed to log in. You only need to specify the common names (CNs) of the groups, and you can add as many groups as you like. If no groups are specified, all users within the scope of the specified domain base will be able to sign in to your GitHub Enterprise Server instance.
User ID (required)
    The LDAP attribute that identifies the LDAP user who attempts authentication. Once a mapping is established, users may change their GitHub Enterprise Server usernames. This field should be sAMAccountName for most Active Directory installations, but it may be uid for other LDAP solutions, such as OpenLDAP. The default value is uid.
Profile name (optional)
    The name that will appear on the user's GitHub Enterprise Server profile page. Unless LDAP Sync is enabled, users may change their profile names.
Emails (optional)
    The email addresses for a user's GitHub Enterprise Server account.
SSH keys (optional)
    The public SSH keys attached to a user's GitHub Enterprise Server account. The keys must be in OpenSSH format.
GPG keys (optional)
    The GPG keys attached to a user's GitHub Enterprise Server account.
Disable LDAP authentication for Git operations (optional)
    If selected, turns off users' ability to use LDAP passwords to authenticate Git operations.
Enable LDAP certificate verification (optional)
    If selected, turns on LDAP certificate verification.
Synchronization (optional)
    If selected, turns on LDAP Sync.

Disabling password authentication for Git operations

Select Disable username and password authentication for Git operations in your LDAP settings to enforce use of personal access tokens or SSH keys for Git access, which can help prevent your server from being overloaded by LDAP authentication requests. We recommend this setting because a slow-responding LDAP server, especially combined with a large number of requests due to polling, is a frequent source of performance issues and outages.

Disable LDAP password auth for Git check box

When this option is selected, if a user tries to use a password for Git operations via the command line, they will receive an error message that says, Password authentication is not allowed for Git operations. You must use a personal access token.

Enabling LDAP certificate verification

Select Enable LDAP certificate verification in your LDAP settings to validate the LDAP server certificate you use with TLS.

LDAP certificate verification box

When this option is selected, the certificate is validated to make sure:

  • If the certificate contains at least one Subject Alternative Name (SAN), one of the SANs matches the LDAP hostname. Otherwise, the Common Name (CN) matches the LDAP hostname.
  • The certificate is not expired.
  • The certificate is signed by a trusted certificate authority (CA).
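The three checks above, as an added Python example (not GitHub's own verification code), with the SAN-versus-CN rule made explicit: a certificate that carries any SAN is judged on its SANs only, so a matching Common Name does not rescue it. Certificates are constructed dicts here, not parsed X.509; the trusted-CA check is reduced to an issuer-name allowlist for illustration.

```python
from datetime import datetime, timezone

def hostname_matches(cert, hostname):
    """Page rule: if the certificate has at least one SAN, one SAN must equal the
    LDAP hostname; only a certificate with no SANs falls back to the CN."""
    host = hostname.lower()
    sans = [s.lower() for s in cert.get("sans", [])]
    if sans:
        return host in sans
    return cert.get("cn", "").lower() == host

def verify_ldap_cert(cert, hostname, trusted_cas, now):
    """Return the list of failed checks; an empty list means the certificate passes."""
    failures = []
    if not hostname_matches(cert, hostname):
        failures.append("hostname mismatch")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        failures.append("expired or not yet valid")
    if cert["issuer"] not in trusted_cas:  # simplified stand-in for chain validation
        failures.append("untrusted CA")
    return failures

# Constructed sample certificates (not real), all valid for calendar year 2020.
def _cert(cn, sans, issuer="Example Corp Internal CA"):
    return {"cn": cn, "sans": sans, "issuer": issuer,
            "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(2021, 1, 1, tzinfo=timezone.utc)}

TRUSTED = {"Example Corp Internal CA"}
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
GOOD = _cert("ldap.example.com", ["ldap.example.com", "dc01.example.com"])
CN_ONLY = _cert("ldap.example.com", [])                 # no SANs: CN is used
SAN_SHADOWS_CN = _cert("ldap.example.com", ["dc01.example.com"])  # SAN present, CN ignored

if __name__ == "__main__":
    for label, c in [("good", GOOD), ("cn-only", CN_ONLY), ("san-shadows-cn", SAN_SHADOWS_CN)]:
        print(label, verify_ldap_cert(c, "ldap.example.com", TRUSTED, NOW) or "ok")
```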

Enabling LDAP Sync

LDAP Sync lets you synchronize GitHub Enterprise Server users and team membership against your established LDAP groups. This lets you establish role-based access control for users from your LDAP server instead of manually within GitHub Enterprise Server. For more information, see "Creating teams."

To enable LDAP Sync, in your LDAP settings, select Synchronize Emails, Synchronize SSH Keys, or Synchronize GPG Keys.

Synchronization check box

After you enable LDAP sync, a synchronization job will run at the specified time interval to perform the following operations on each user account:

  • If you've allowed built-in authentication for users outside your identity provider, and the user is using built-in authentication, move on to the next user.
  • If no LDAP mapping exists for the user, try to map the user to an LDAP entry in the directory. If the user cannot be mapped to an LDAP entry, suspend the user and move on to the next user.
  • If there is an LDAP mapping and the corresponding LDAP entry in the directory is missing, suspend the user and move on to the next user.
  • If the corresponding LDAP entry has been marked as disabled and the user is not already suspended, suspend the user and move on to the next user.
  • If the corresponding LDAP entry is not marked as disabled, and the user is suspended, and Reactivate suspended users is enabled in the Admin Center, unsuspend the user.
  • If the corresponding LDAP entry includes a name attribute, update the user's profile name.
  • If the corresponding LDAP entry is in the Administrators group, promote the user to site administrator.
  • If the corresponding LDAP entry is not in the Administrators group, demote the user to a normal account.
  • If an LDAP User field is defined for emails, synchronize the user's email settings with the LDAP entry. Set the first LDAP mail entry as the primary email.
  • If an LDAP User field is defined for SSH public keys, synchronize the user's public SSH keys with the LDAP entry.
  • If an LDAP User field is defined for GPG keys, synchronize the user's GPG keys with the LDAP entry.

Note: LDAP entries can only be marked as disabled if you use Active Directory and the userAccountControl attribute is present and flagged with ACCOUNTDISABLE.
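The per-user sync rules above, applied in the listed order, as an added Python example (not GitHub's own sync job). The directory is a constructed dict of DN to attributes; the user record, settings keys and the admins group DN are this example's own assumptions. The `userAccountControl` bit value for ACCOUNTDISABLE is the standard Active Directory one.

```python
ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl bit for a disabled account

def is_disabled(entry):
    """Only Active Directory entries can be 'disabled': the page notes that this
    requires the userAccountControl attribute flagged with ACCOUNTDISABLE."""
    uac = entry.get("userAccountControl")
    return uac is not None and bool(uac & ACCOUNTDISABLE)

def sync_user(user, directory, admins_group_dn, settings):
    """Apply the per-user LDAP Sync rules in order; mutates and returns `user`.
    `directory` maps LDAP DNs to attribute dicts; `user["ldap_dn"]` is the mapping."""
    if settings["builtin_auth"] and user["auth"] == "builtin":
        return user  # built-in users are left alone
    dn = user.get("ldap_dn")
    if dn is None:  # no mapping yet: try to map by the User ID attribute (uid here)
        dn = next((d for d, e in directory.items() if e.get("uid") == user["login"]), None)
        if dn is None:
            user["suspended"] = True
            return user
        user["ldap_dn"] = dn
    entry = directory.get(dn)
    if entry is None:  # mapping exists but the entry is gone from the directory
        user["suspended"] = True
        return user
    if is_disabled(entry):  # disabled entry: suspend (no-op if already suspended), move on
        user["suspended"] = True
        return user
    if user["suspended"] and settings["reactivate_suspended"]:
        user["suspended"] = False
    if "name" in entry:
        user["profile_name"] = entry["name"]
    user["site_admin"] = dn in directory[admins_group_dn].get("member", [])  # promote or demote
    for key, field in (("email_attr", "emails"), ("ssh_attr", "ssh_keys"), ("gpg_attr", "gpg_keys")):
        attr = settings.get(key)
        if attr and attr in entry:
            user[field] = list(entry[attr])
    if settings.get("email_attr") and user.get("emails"):
        user["primary_email"] = user["emails"][0]  # first LDAP mail entry becomes primary
    return user

# Constructed sample directory (not real data): one enabled admin, one disabled account.
ADMINS_DN = "cn=ghe-admins,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"uid": "alice", "name": "Alice Admin",
                                            "mail": ["alice@example.com", "a@example.com"]},
    "cn=bob,ou=people,dc=example,dc=com": {"uid": "bob", "name": "Bob", "userAccountControl": 0x0202},
    ADMINS_DN: {"member": ["cn=alice,ou=people,dc=example,dc=com"]},
}
SETTINGS = {"builtin_auth": True, "reactivate_suspended": True, "email_attr": "mail"}
```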

A synchronization job will also run at the specified time interval to perform the following operations on each team that has been mapped to an LDAP group:

  • If a team's corresponding LDAP group has been removed, remove all members from the team.
  • If LDAP member entries have been removed from the LDAP group, remove the corresponding users from the team. If the user loses access to any repositories as a result, delete any private forks the user has of those repositories.
  • If LDAP member entries have been added to the LDAP group, add the corresponding users to the team. If the user regains access to any repositories as a result, restore any private forks of the repositories that were deleted because the user lost access in the past 90 days.

As part of its optimized configuration, LDAP Sync will not transfer your nested team structure. To create child and parent team relationships, you must manually recreate the nested team structure and sync it with the corresponding LDAP group. For more information, see "Creating teams".

Security Warning:

When LDAP Sync is enabled, site admins and organization owners can search the LDAP directory for groups to map the team to.

This has the potential to disclose sensitive organizational information to contractors or other unprivileged users, including:

  • The existence of specific LDAP Groups visible to the Domain search user.
  • Members of the LDAP group who have GitHub Enterprise Server user accounts, which is disclosed when creating a team synced with that LDAP group.

If disclosing such information is not desired, your company or organization should restrict the permissions of the configured Domain search user in the admin console. If such restriction isn't possible, contact GitHub Enterprise Support (https://enterprise.githubsupport.com/hc/en-us) or GitHub Premium Support.

Supported LDAP group object classes

GitHub Enterprise Server supports these LDAP group object classes. Groups can be nested.

  • group
  • groupOfNames
  • groupOfUniqueNames
  • posixGroup

Viewing and creating LDAP users

You can view the full list of LDAP users who have access to your instance and provision new users.

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
  2. In the upper-right corner of any page, click the rocket icon.
    Rocket icon for accessing site admin settings
  3. In the left sidebar, click LDAP users.
    LDAP users tab
  4. To search for a user, type a full or partial username and click Search. Existing users will be displayed in search results. If a user doesn't exist, click Create to provision the new user account.
    LDAP search

Updating LDAP accounts

Unless LDAP Sync is enabled, changes to LDAP accounts are not automatically synchronized with GitHub Enterprise Server.

Manually syncing LDAP accounts

  1. Sign in to your GitHub Enterprise Server instance at http(s)://HOSTNAME/login.
  2. In the upper-right corner of any page, click the rocket icon.
    Rocket icon for accessing site admin settings
  3. In the search field, type the username and click Search.
    Search field in site admin settings
  4. In the search results, click the user's name.
    Search options in site admin settings
  5. In the upper-right corner of the page, click Admin.
    Admin tools
  6. In the left sidebar, click Admin.
    Admin tools
  7. Under "LDAP," click Sync now to manually update the account with data from your LDAP server.
    LDAP sync now button

You can also use the API to trigger a manual sync.

Revoking access to your GitHub Enterprise Server instance

If LDAP Sync is enabled, removing a user's LDAP credentials will suspend their account after the next synchronization run.

If LDAP Sync is not enabled, you must manually suspend the GitHub Enterprise Server account after you remove the LDAP credentials. For more information, see "Suspending and unsuspending users".
