LDAP group sync does not work with several LDAP Group mapping #9463

Closed
opened 2025-11-02 08:39:42 -06:00 by GiteaMirror · 4 comments
Owner

Originally created by @gd197 on GitHub (Aug 25, 2022).

Description

With a valid, working LDAP authentication source configured for AD.
By checking "enable LDAP Groups", filling in the group search base, group attribute and user attribute in the configuration form, and checking "remove users from synchronized teams...".
Adding one mapping in the JSON form:
{"CN=MY-Team-Usr,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp":{"TOOLS":["developers"]}}
works fine, users are added or removed according to their membership of the LDAP group.
But if we add a second mapping in the form:
{"CN=MY-Team-Usr,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp":{"TOOLS":["developers"]},"CN=p-AppGit-Usr,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp":{"PROD": ["developers"]} }
the second mapping systematically removes users if they were manually added to the second team, and they are not added at the login phase despite their membership of the LDAP group p-AppGit-Usr.
Please note that a restart of Gitea is required each time the LDAP auth source is changed/updated for the changes to be taken into account.
Please note the 2 teams have the same name in different organizations.
Note also that the logs are unclear, as they mention adding the user to the organisation name instead of the ORG/Team name:
2022/08/25 11:43:20 ...source_group_sync.go:46:SyncLdapGroupsToTeams() [T] [63074437] LDAP group sync: adding user [axxxxxx] to team [TOOLS] <= that is the org name not the team name
Logs filtered on the expression 'ldap' at trace level do not show any significant information other than "adding user to team" or "removing user from team".
Also no log errors about not finding teams or orgs.

Gitea Version

1.17.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

2.27.0

Operating System

RHEL 8

How are you running Gitea?

From Github release executable

Database

MySQL

GiteaMirror added the issue/not-a-bug label 2025-11-02 08:39:42 -06:00
Author
Owner

@gd197 commented on GitHub (Aug 25, 2022):

After further testing, the second mapping in the example above does not work even alone.
There is anyway an issue with the logs and an issue with that group, but I wonder what, and no logs are available.
As the user is removed from the team in Gitea, the issue seems to come from the retrieval of the members of the LDAP group. The member DN contains escaped ',' characters ('\,') and non-escaped parentheses '(' and ')'.
Here is the output of the ldapsearch command for the group:

dn: CN=p-AppGit-Usr,OU=FunctionalProfiles,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp
objectClass: top
objectClass: group
cn: p-AppGit-c
member: CN=NAME1\, Surname,OU=MA,OU=Internal,OU=People,DC=my,DC=company,DC=corp
member: CN=NAME-2\, Surname2 (Additional info there),OU=MA,OU=External,OU=People,DC=my,DC=company,DC=corp
member: CN=NAME3\, Surname3 (Additional info there),OU=ED,OU=External,OU=People,DC=my,DC=company,DC=corp
distinguishedName: CN=p-AppGit-Usr,OU=FunctionalProfiles,OU=GIT,OU=PSL-SDE,OU=ApplicationsManagement,DC=my,DC=company,DC=corp
instanceType: 4
...

Author
Owner

@gd197 commented on GitHub (Aug 25, 2022):

Finally, the only difference between working LDAP groups and non-working LDAP groups in my case looks to be the parentheses in the user DN for the member attribute inside a group object.
If that is confirmed, that means that the membership retrieval fails with some specific characters in the user DN field.

Author
Owner

@gd197 commented on GitHub (Aug 26, 2022):

My bad, the issue was a wrongly typed DN path in the mapping configuration entry.
Note that having a non-existent LDAP group in the config leads to removal of users from the team without an error log.
Maybe that is expected; in this case I can close the issue.
Note also that the logs are anyway confusing, as mentioned in the original post.

Author
Owner

@drequivalent commented on GitHub (Sep 13, 2022):

Having the same issue with FreeIPA. But this time, nothing works. Settings are as follows:
[Screenshot from 2022-09-13 18-45-01]

{"cn=developers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Developers"]},"cn=engineers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Engineers"]}}

Any help?


Reference: github-starred/gitea#9463