HgLab

Security

Last updated on July 2, 2015

Table of Contents

Access

Public Access
Public Access to HgLab allows unauthenticated users to be granted access to projects and repositories for specific read operations including cloning and browsing repositories. This is normally controlled by Project and Repository administrators but can be switched off globally.
Simplified Authorization
With Simplified Authorization enabled, unauthenticated users navigating to inaccessible projects will be redirected to Signin page instead of being shown a "Page Not Found" error.
Note that enabling Public Access just grants unauthenticated access to HgLab. You'll need to further enable Public Access to Projects.

Simplified Authorization

Up until version 1.9, HgLab was defaulting to displaying a 404 page whenever a user attempted to access an unaccessible project — that is, the one that he or she was not a member of. This was done to prevent unnecessary information disclosure and was particularly useful if a HgLab installation had Public Access enabled.

With Simplified Authorization enabled, unauthenticated users navigating to inaccessible projects will be redirected to Signin page instead of being shown a "Page Not Found" error.

Catalogs

This is where you can manage Catalogs.

When authenticating a User attempting to sign in to HgLab, each Catalog is given a chance to perform authentication and the first one that correctly authenticates a user, succeeds.

To change the order of Catalogs, drag them by the handle:

Reordering Catalogs in HgLab

Setting up LDAP Integration

HgLab can be configured to allow your users to sign in with their LDAP credentials to integrate with e.g. Active Directory.

The first time a user signs in with LDAP credentials, HgLab will create a new User associated with the LDAP Distinguished Name (DN) of the LDAP user.

To integrate HgLab with your LDAP Server, go to Catalogs section and click the "+" button:

Adding Catalog in HgLab
Name
A human-friendly name for the Catalog to be added
Type
Make sure to select "LDAP Catalog"

Up comes the most unpleasant part, because LDAP just can't be nice. You'll need to provide the following bits of information:

Server Address, Port
Server Address and Port of your LDAP Server or Domain Controller. These are the ones that your system administrators should know
Bind Login, Password
Credentials that are used to connect to the LDAP Server. These ones can be tricky, as different favors of LDAP Servers expect different forms of logins. Most of the time, the [DOMAIN]\[USERNAME] option will work for ActiveDirectory
Base Container
Essentially, this is a "Folder" from which your users will be retrieved. This setting is very environment-specific

After setting all this up, try to sign to HgLab using credentials of a domain user. If all goes well, the newly created user should end up in Users section in the Administration Area, plus all the LDAP groups this user is in should become visible in Groups section.

Remember that according to the Security Model, a User must be granted a "Collaboration" System-level permission. This means that initially none of your LDAP users will be able to sign in to HgLab. To grant them access, go to Groups and assign the "Collaboration" permission to the LDAP Groups you want to give access to HgLab.
comments powered by Disqus

Getting Started

Installation

Prerequisites
Installing HgLab
Upgrading HgLab
Uninstalling HgLab

User Guide

Dashboard
Projects
Repositories
Teams
Wiki
Mercurial Clients

Administrator Guide

Security Model
Security
Repositories
Extensibility
Settings
Licensing

Maintenance Guide

Backing Up HgLab
Restoring HgLab
Moving HgLab
Configuring Mercurial
Configuring Internet Information Services
Working with Large Repositories

Take HgLab for a Spin

Try HgLab now. Full-featured 45-day evaluation, no credit card required.
See HgLab Live  Try HgLab