LDAP Improve suggestions #916

Open
opened 2025-11-02 03:41:19 -06:00 by GiteaMirror · 19 comments
Originally created by @wenerme on GitHub (Jul 25, 2017).

  • [ ] Allow use of a custom dn for the user filter
  • [ ] Allow use of a custom dn for the admin filter
    • Current ldap uses userDn as baseDn, so it's impossible to filter by group
  • [ ] Fetch membership from ldap
    • Use group as user's org
    • Attribute used to match org name is configurable
  • [ ] Add connection check and auth check
    • Currently have to open another browser to verify settings
  • [ ] Support alias
  • [x] Use pubkey from ldap
  • Related issues
    • https://github.com/go-gitea/gitea/issues/2121
  • Reference
    • [Jenkins LDAP Plugin](https://wiki.jenkins.io/display/JENKINS/LDAP+Plugin)
GiteaMirror added the issue/confirmed, type/enhancement, topic/authentication labels 2025-11-02 03:41:19 -06:00
@lafriks commented on GitHub (Jul 25, 2017):

Actually userDn is baseDn and you can use a custom filter for users and admins, including filtering by group. For example:

```
userDn = OU=company,DC=company,DC=com
userFilter = (&(objectCategory=Person)(memberOf=CN=user-group,OU=company,DC=company,DC=com)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
adminFilter = (memberOf=CN=admin-group,OU=company,DC=company,DC=com)
```
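The `%s` in the userFilter above is replaced with the name typed at the login form, so the substitution is the point where an LDAP search filter is built from untrusted input. The following is an added Go example, not Gitea's code: it escapes the login name per RFC 4515 before substituting it (the `EscapeFilterValue` function is a local reimplementation, not a library call), and it rejects a template that lacks the placeholder, because such a filter matches every allowed user instead of the one logging in. The exactly-one-placeholder rule and the function names are this example's own choices; the two templates are the ones quoted in the comment.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Templates taken from the comment above; %s is where the login name goes.
const (
	userFilterTemplate  = "(&(objectCategory=Person)(memberOf=CN=user-group,OU=company,DC=company,DC=com)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
	adminFilterTemplate = "(memberOf=CN=admin-group,OU=company,DC=company,DC=com)"
)

// EscapeFilterValue escapes an assertion value for use inside an LDAP search
// filter as RFC 4515 requires: backslash, '*', '(', ')' and NUL become \XX hex
// escapes. Local reimplementation for this example, not a library function.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '\\', '*', '(', ')', 0x00:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// ValidateUserFilter requires exactly one %s (this example's rule): with none,
// the filter returns every allowed user rather than the one logging in; with
// several, a fmt-style substitution of a single value is not well defined.
func ValidateUserFilter(tmpl string) error {
	switch n := strings.Count(tmpl, "%s"); {
	case n == 0:
		return errors.New("user filter has no %s placeholder: it would match every user, not the one logging in")
	case n > 1:
		return fmt.Errorf("user filter has %d %%s placeholders, expected exactly one", n)
	}
	return nil
}

// UserSearchFilter builds the per-login filter: the template is validated and
// the escaped login name replaces the placeholder, so filter metacharacters in
// the input stay literal characters of the assertion value.
func UserSearchFilter(tmpl, login string) (string, error) {
	if err := ValidateUserFilter(tmpl); err != nil {
		return "", err
	}
	return strings.Replace(tmpl, "%s", EscapeFilterValue(login), 1), nil
}

func main() {
	for _, login := range []string{"jsmith", "*", "x)(objectClass=*"} {
		f, err := UserSearchFilter(userFilterTemplate, login)
		fmt.Printf("login %q -> %s (err=%v)\n", login, f, err)
	}
	// A template without the placeholder is refused instead of silently matching everyone.
	if _, err := UserSearchFilter("(objectClass=person)", "jsmith"); err != nil {
		fmt.Println("rejected:", err)
	}
	fmt.Println("admin filter stays a constant:", adminFilterTemplate)
}
```

The escaping keeps a login such as `x)(objectClass=*` inside a single assertion value (`uid=x\29\28objectClass=\2a`), which is what makes the `(sAMAccountName=%s)` term safe to template; the admin filter has no placeholder and is used as-is.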
@lafriks commented on GitHub (Jul 25, 2017):

Fetching membership is already described in #2121, so that leaves only the auth check that is missing or not already requested.
@wenerme commented on GitHub (Jul 25, 2017):

I use apacheds group instead of ad group; the ldap tree looks like this

![image](https://user-images.githubusercontent.com/1777211/28558914-b4245c70-7146-11e7-9f7a-f0d7f1024a60.png)

userFilter uses userDN as base dn (code [here](https://github.com/go-gitea/gitea/blob/524885dd6502570dddf5c83f171ee74890dba5c4/modules/auth/ldap/ldap.go#L230)), so this is impossible; to check whether a user is in a group you need

```
base <cn=developer,ou=group,dc=example,dc=com>
filter: (member=%s)
```

same for admin.
@lafriks commented on GitHub (Jul 25, 2017):

Problem is that the filter must return the user record, not the group record, as attributes (name, email etc) are fetched from the returned query record. In your provided settings it will return the group record, which is not correct and can not possibly work. I have not used ApacheDS, but from what I looked up, if there is no attribute under the user record that links to groups then it is not possible to query users by group, at least I don't know how to do it using a single ldap query, which means that this would require a complete LDAP rewrite to support this. Can you give an example of what attributes are present under `ou=Users` -> `uid=xxx`?
@wenerme commented on GitHub (Jul 25, 2017):

The current user filter is another request; just change the first argument to UserFilterDN. checkAdmin also sends another request; just make the first arguments configurable. The result is not important for the check, just checking the count is enough, like how the current ldap filter check does.

![image](https://user-images.githubusercontent.com/1777211/28561192-fb381a08-714f-11e7-84ac-4a1c610a0eb3.png)

![image](https://user-images.githubusercontent.com/1777211/28561201-0380fc34-7150-11e7-9d2d-3b9d2574436e.png)
@lafriks commented on GitHub (Jul 25, 2017):

Yes, just as I thought, there is no way to support that, and for this to work most probably a new authentication type must be added or a complete rewrite of the current one is needed...
@BhaaLseN commented on GitHub (Oct 28, 2018):

+1 to testing the LDAP connection from the admin panel. Was about to create a new issue before I found this one.
Had the user filter wrong (didn't include the placeholder, just a filter that returns a list of users that should be allowed to log in) and had to log out - try the login - log in as local admin again - change settings - redo, which is tedious to do (especially when you don't have another browser available, or at least a private browsing mode that ignores the other active sessions).
@tcs-ulli commented on GitHub (Nov 21, 2018):

> I don't know how to do it using single ldap query that means that this would require complete LDAP rewrite to support this.

Gogs knows a separate Query with a separate "Group" Filter. Maybe it's possible to copy the actual LDAP Support from Gogs
@tcs-ulli commented on GitHub (Nov 29, 2018):

Is someone around who can drop a comment, if that's possible?
@lafriks commented on GitHub (Nov 29, 2018):

There is a plan to implement server global user groups (that could then be used for assigning to teams), and then we could do a proper user ldap group implementation
@stale[bot] commented on GitHub (Jan 28, 2019):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
@ptman commented on GitHub (Jan 31, 2019):

pubkeys are taken from ldap now, are they not?
@lafriks commented on GitHub (Feb 1, 2019):

@ptman yes, if you enable that
@ptman commented on GitHub (Feb 3, 2019):

@lafriks my point was that it should maybe be checked in the checkboxes, and maybe something else is already implemented as well
@stale[bot] commented on GitHub (Apr 4, 2019):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
@deoren commented on GitHub (Apr 15, 2019):

> I don't know how to do it using single ldap query that means that this would require complete LDAP rewrite to support this.
> Gogs knows a separate Query with a separate "Group" Filter. Maybe it's possible to copy the actual LDAP Support from Gogs

@lafriks I found this open issue after searching for `Verify group membership` to match what is shown on the docs:

https://docs.gitea.io/en-us/authentication/

> Verify group membership in LDAP uses the following fields:
>
> Group Search Base (optional)
>
> The LDAP DN used for groups.
> Example: ou=group,dc=mydomain,dc=com
>
> Group Name Filter (optional)
>
> An LDAP filter declaring how to find valid groups in the above DN.
> Example: (|(cn=gitea_users)(cn=admins))
>
> User Attribute in Group (optional)
>
> Which user LDAP attribute is listed in the group.
> Example: uid
>
> Group Attribute for User (optional)
>
> Which group LDAP attribute contains an array of the above user attribute names.
> Example: memberUid

Should an issue be opened against the docs to have that portion removed until support is added to match what Gogs has? Serious question (no snark, etc intended).
@lafriks commented on GitHub (Apr 18, 2019):

Yeah, it should not be there.. :)
@zeripath commented on GitHub (Apr 18, 2019):

Or you could preferably open a PR to implement this for us.
@stertingen commented on GitHub (Jun 27, 2019):

> There is plan to implement server global user groups (that could be than used for assigning to teams) and than we could do proper user ldap group implementation

Are there any more specific ideas or plans on the design of these _server global user groups_? I will use this as my personal go starter project.

There may be multiple ways to add some sort of group support to Gitea, but not each might be suitable. (And once implemented, it's hard to change some decisions due to backwards compatibility)

A few questions:

  • Will these groups be publicly visible?
  • Will there be default groups?
  • How will the relations between groups and organizations/teams be? (group membership provides org/team membership vs. group membership is necessary for org/team membership)
  • Group providers? (LDAP: group search base, group filter, group membership filter? Mail: Regex?)
  • Special admin group vs. extension of existing LDAP admin filter
  • Option to disallow login if user is not in a group? (additional user filter on groups)

There may be ways to implement this without adding global user groups.

  • Simplest solution: Just add two additional filters. One for general gitea access, one for admin permissions.
  • Slightly more complex: Add a single group filter for each org/team. Still not generic, but kind of usable in most cases.

Both options above require:

  • group search base (`ou=groups,dc=...`)
  • user attribute in group (`cn` like `(cn=Hermes Conrad,ou=people,dc=planetexpress,dc=com)`)
  • Additional filter for general access, admin permissions, org/team membership (%s will be the value of the above attribute for the queried user): `(&(class=posixGroup)(member=%s)(cn=admingroup))`

These kinds of filters might be added for other authentication providers.
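The thread converges on a two-query design: the first search must return the user record (the point lafriks raises, since name and mail come from it), and a second search under a group base then looks for groups that list that user, with the count of hits deciding access. wenerme's `base <cn=developer,...>` / `(member=%s)` pair, the four doc fields deoren quotes (group search base, group name filter, user attribute in group, group attribute for user) and stertingen's proposal all describe that second query. The following Go example is added here and is not Gitea's or Gogs' code. The `Directory` type is a constructed in-memory stand-in for a real LDAP search so the example runs offline, its entries are made-up sample data modelled on the ApacheDS tree in the thread (groupOfNames with `member` DNs) plus one posixGroup using `memberUid`, and the `GroupConfig` field names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Entry is one directory object: its DN plus multi-valued attributes.
type Entry struct {
	DN    string
	Attrs map[string][]string
}

// Directory is a constructed in-memory stand-in for an LDAP server. Search
// returns the entries at or below base whose attribute attr contains value,
// i.e. the result set of a subtree search with the filter (attr=value).
type Directory []Entry

func underBase(dn, base string) bool {
	dn, base = strings.ToLower(dn), strings.ToLower(base)
	return dn == base || strings.HasSuffix(dn, ","+base)
}

func (d Directory) Search(base, attr, value string) []Entry {
	var hits []Entry
	for _, e := range d {
		if !underBase(e.DN, base) {
			continue
		}
		for _, v := range e.Attrs[attr] {
			if strings.EqualFold(v, value) {
				hits = append(hits, e)
				break
			}
		}
	}
	return hits
}

// GroupConfig mirrors the optional group fields quoted from the docs above
// (names chosen for this example).
type GroupConfig struct {
	GroupSearchBase  string   // e.g. ou=group,dc=example,dc=com
	AllowedGroups    []string // cn values that grant login (the "group name filter")
	AdminGroup       string   // cn value that additionally grants admin
	UserAttrInGroup  string   // user attribute listed in the group: "dn" or e.g. "uid"
	GroupAttrForUser string   // group attribute holding members: "member" or "memberUid"
}

// Access is the outcome of the membership check for one login.
type Access struct {
	UserDN  string
	Allowed bool
	Admin   bool
	Groups  []string
}

// Authorize runs the two queries: query 1 must yield exactly one user record
// (zero means unknown, more than one is ambiguous and is refused); query 2
// searches the group base for groups listing the user's attribute value, and
// the matching groups decide login and admin rights.
func Authorize(d Directory, userBase, loginAttr, login string, cfg GroupConfig) (Access, error) {
	users := d.Search(userBase, loginAttr, login)
	if len(users) != 1 {
		return Access{}, fmt.Errorf("expected exactly one user record for %q, got %d", login, len(users))
	}
	user := users[0]

	value := user.DN // "dn" mode: groups list full member DNs (groupOfNames)
	if cfg.UserAttrInGroup != "dn" {
		vals := user.Attrs[cfg.UserAttrInGroup]
		if len(vals) == 0 {
			return Access{}, errors.New("user record lacks attribute " + cfg.UserAttrInGroup)
		}
		value = vals[0] // e.g. uid, matched against memberUid (posixGroup)
	}

	acc := Access{UserDN: user.DN}
	for _, g := range d.Search(cfg.GroupSearchBase, cfg.GroupAttrForUser, value) {
		cn := ""
		if v := g.Attrs["cn"]; len(v) > 0 {
			cn = v[0]
		}
		acc.Groups = append(acc.Groups, cn)
		for _, allowed := range cfg.AllowedGroups {
			if cn == allowed {
				acc.Allowed = true
			}
		}
		if cn != "" && cn == cfg.AdminGroup {
			acc.Allowed, acc.Admin = true, true
		}
	}
	return acc, nil
}

// SampleDirectory is constructed sample data, not a real directory dump.
func SampleDirectory() Directory {
	people := "ou=people,dc=example,dc=com"
	return Directory{
		{DN: "uid=alice," + people, Attrs: map[string][]string{"uid": {"alice"}, "mail": {"alice@example.com"}}},
		{DN: "uid=bob," + people, Attrs: map[string][]string{"uid": {"bob"}, "mail": {"bob@example.com"}}},
		{DN: "uid=carol," + people, Attrs: map[string][]string{"uid": {"carol"}}},
		{DN: "cn=developer,ou=group,dc=example,dc=com", Attrs: map[string][]string{"cn": {"developer"},
			"member": {"uid=alice," + people, "uid=bob," + people}}},
		{DN: "cn=admins,ou=group,dc=example,dc=com", Attrs: map[string][]string{"cn": {"admins"},
			"member": {"uid=alice," + people}}},
		{DN: "cn=gitea_users,ou=group,dc=example,dc=com", Attrs: map[string][]string{"cn": {"gitea_users"},
			"memberUid": {"bob"}}},
	}
}

func main() {
	byDN := GroupConfig{GroupSearchBase: "ou=group,dc=example,dc=com", AllowedGroups: []string{"developer"},
		AdminGroup: "admins", UserAttrInGroup: "dn", GroupAttrForUser: "member"}
	for _, login := range []string{"alice", "bob", "carol", "mallory"} {
		acc, err := Authorize(SampleDirectory(), "ou=people,dc=example,dc=com", "uid", login, byDN)
		fmt.Printf("%-8s %+v err=%v\n", login, acc, err)
	}
}
```

Against a real server the two `Search` calls become two LDAP search requests (user base with the user filter, then group base with `(member=<user DN>)` or `(memberUid=<uid>)`), which is why the user's DN or uid must be read from the first result before the second filter can be built.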
Reference: github-starred/gitea#916