Backport #25278 by @Zettat123
Fix #21072

- A name to assign to the new method of authorization.
- Host (required)
  - The address where the LDAP server can be reached.
  - Example: mydomain.com
- Port (required)
  - The port to use when connecting to the server.
  - Example: 636
- Enable TLS Encryption (optional)
  - Whether to use TLS when connecting to the LDAP server.
- Admin Filter (optional)
  - An LDAP filter specifying if a user should be given administrator privileges. If a user account passes the filter, the user will be privileged as an administrator.
  - Example: (objectClass=adminAccount)
- First name attribute (optional)
  - The attribute of the user's LDAP record containing the user's first name. This will be used to populate their account information.
  - Example: givenName
- Surname attribute (optional)
  - The attribute of the user's LDAP record containing the user's surname. This will be used to populate their account information.
  - Example: sn
- E-mail attribute (required)
  - The attribute of the user's LDAP record containing the user's email address. This will be used to populate their account information.
  - Example: mail

LDAP via BindDN adds the following fields:
- Bind DN (optional)
  - The DN to bind to the LDAP server with when searching for the user. This may be left blank to perform an anonymous search.
  - Example: cn=Search,dc=mydomain,dc=com
- Bind Password (optional)
  - The password for the Bind DN specified above, if any. Note: The password is stored in plaintext at the server. As such, ensure that your Bind DN has as few privileges as possible.
- User Search Base (required)
  - The LDAP base at which user accounts will be searched for.
  - Example: ou=Users,dc=mydomain,dc=com
- User Filter (required)
  - An LDAP filter declaring how to find the user record that is attempting to authenticate. The '%[1]s' matching parameter will be substituted with the user's username.
  - Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))

LDAP using simple auth adds the following fields:
- User DN (required)
  - A template to use as the user's DN. The %s matching parameter will be substituted with the user's username.
  - Example: cn=%s,ou=Users,dc=mydomain,dc=com
  - Example: uid=%s,ou=Users,dc=mydomain,dc=com
- User Search Base (optional)
  - The LDAP base at which user accounts will be searched for.
  - Example: ou=Users,dc=mydomain,dc=com
- User Filter (required)
  - An LDAP filter declaring when a user should be allowed to log in. The %[1]s matching parameter will be substituted with the user's username.
  - Example: (&(objectClass=posixAccount)(|(cn=%[1]s)(mail=%[1]s)))
  - Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))
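The User Filter (BindDN mode) and the User DN and User Filter (simple auth mode) are all printf-style templates into which the login name is substituted. The following is an added example, not Gitea's own code, showing what that substitution produces and why the substituted value has to be escaped: a filter value and a DN component follow different escaping rules (RFC 4515 for filters, RFC 4514 for DNs), and without escaping a login name containing `*`, `(`, `)` or `,` would change the structure of the filter or DN rather than just its value. The page does not state how Gitea escapes the value; the `escapeFilterValue` and `escapeDNValue` functions here are hand-written for illustration, and `buildUserFilter`/`buildUserDN` are assumed names.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for use inside an LDAP search filter
// (RFC 4515 section 3): the characters * ( ) \ and NUL become \XX hex escapes.
// Hand-written illustration, not Gitea's own implementation.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// escapeDNValue escapes an attribute value for use inside a distinguished name
// (RFC 4514 section 2.4): special characters are prefixed with a backslash, and
// a leading space or '#' and a trailing space are escaped as well.
// Hand-written illustration, not Gitea's own implementation.
func escapeDNValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == ',' || c == '+' || c == '"' || c == '\\' || c == '<' || c == '>' || c == ';' || c == '=':
			b.WriteByte('\\')
			b.WriteByte(c)
		case c == ' ' && (i == 0 || i == len(v)-1):
			b.WriteString("\\ ")
		case c == '#' && i == 0:
			b.WriteString("\\#")
		case c == 0:
			b.WriteString("\\00")
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildUserFilter fills a BindDN-mode or simple-auth User Filter template.
// The template uses %[1]s, so one escaped value fills every occurrence.
func buildUserFilter(filterTemplate, username string) string {
	return fmt.Sprintf(filterTemplate, escapeFilterValue(username))
}

// buildUserDN fills a simple-auth User DN template, which uses a plain %s.
func buildUserDN(dnTemplate, username string) string {
	return fmt.Sprintf(dnTemplate, escapeDNValue(username))
}

func main() {
	// Templates taken from the examples on the page.
	filter := "(&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))"
	dn := "cn=%s,ou=Users,dc=mydomain,dc=com"

	fmt.Println(buildUserFilter(filter, "alice"))
	// A login name carrying filter metacharacters is kept as a literal value,
	// so it can only fail to match; it cannot widen the search.
	fmt.Println(buildUserFilter(filter, "*)(uid=*"))
	// Likewise a comma in the login name stays inside the cn= value of the DN.
	fmt.Println(buildUserDN(dn, "alice,ou=Admins"))
}
```

The same escaping should be applied to the Admin Filter and Group Name Filter only if a user-supplied value is ever substituted into them; the examples on the page for those two fields are static and need none.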

Verify group membership in LDAP uses the following fields:
- Group Search Base (optional)
  - The LDAP DN used for groups.
  - Example: ou=group,dc=mydomain,dc=com
- Group Name Filter (optional)
  - An LDAP filter declaring how to find valid groups in the above DN.
  - Example: (|(cn=gitea_users)(cn=admins))
- User Attribute in Group (optional)
  - Which user LDAP attribute is listed in the group.
  - Example: uid
- Group Attribute for User (optional)
  - Which group LDAP attribute contains an array of the above user attribute names.
  - Example: memberUid
- Team group map (optional)
  - Automatically add users to Organization teams, depending on LDAP group memberships.
  - Note: this function only adds users to teams, it never removes users.
  - Example: {"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2", ...], ...}, ...}
- Team group map removal (optional)
  - If set to true, users will be removed from teams if they are not members of the corresponding group.
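The group membership fields above describe a two-step lookup (find the groups whose member attribute lists the user's attribute value, then resolve those group DNs through the team group map) plus an add-only versus add-and-remove sync. The following is an added example, not Gitea's own code, that walks through that logic on constructed data: it parses a team group map in the JSON shape shown on the page, finds a user's groups by `memberUid`/`uid`, and computes which team memberships to add and, only when removal is enabled, which map-managed memberships to drop. The `ldapGroup` type, the sample map and group entries, and the `syncPlan` function are all assumptions made for the example; teams that the map does not mention are never touched.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// TeamGroupMap mirrors the JSON shape of the "Team group map" field: group DN -> organization -> teams.
type TeamGroupMap map[string]map[string][]string

// ldapGroup is a constructed stand-in for one group entry found under the Group Search Base;
// Members holds the values of the "Group Attribute for User" (memberUid in the page's example).
type ldapGroup struct{ DN string; Members []string }

func parseTeamGroupMap(raw string) (TeamGroupMap, error) {
	var m TeamGroupMap
	err := json.Unmarshal([]byte(raw), &m)
	return m, err
}

// userGroups returns the DNs of groups whose member attribute lists the user's
// "User Attribute in Group" value (the uid in the page's example).
func userGroups(groups []ldapGroup, uid string) []string {
	var out []string
	for _, g := range groups {
		for _, m := range g.Members {
			if m == uid {
				out = append(out, g.DN)
				break
			}
		}
	}
	return out
}

// addTeams records every "org/team" pair in orgs into set.
func addTeams(orgs map[string][]string, set map[string]bool) {
	for org, teams := range orgs {
		for _, team := range teams {
			set[org+"/"+team] = true
		}
	}
}

// desiredTeams resolves the user's group DNs through the map; unmapped groups contribute nothing.
func desiredTeams(tgm TeamGroupMap, groupDNs []string) map[string]bool {
	want := map[string]bool{}
	for _, dn := range groupDNs {
		addTeams(tgm[dn], want)
	}
	return want
}

// syncPlan returns memberships to add and, only when removal is enabled, the
// map-managed memberships to drop. With removal off the map never removes anyone.
func syncPlan(tgm TeamGroupMap, current []string, want map[string]bool, removal bool) (add, remove []string) {
	have := map[string]bool{}
	for _, c := range current {
		have[c] = true
	}
	for k := range want {
		if !have[k] {
			add = append(add, k)
		}
	}
	if removal {
		managed := map[string]bool{} // teams the map never mentions are left alone
		for _, orgs := range tgm {
			addTeams(orgs, managed)
		}
		for k := range have {
			if managed[k] && !want[k] {
				remove = append(remove, k)
			}
		}
	}
	sort.Strings(add)
	sort.Strings(remove)
	return add, remove
}

// Constructed sample data, not taken from a real directory.
const sampleMap = `{"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2"]},
 "cn=admins,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["AdminTeam"]}}`

var sampleGroups = []ldapGroup{
	{DN: "cn=MyGroup,cn=groups,dc=example,dc=org", Members: []string{"alice", "bob"}},
	{DN: "cn=admins,cn=groups,dc=example,dc=org", Members: []string{"bob"}},
}

func main() {
	tgm, err := parseTeamGroupMap(sampleMap)
	if err != nil {
		panic(err)
	}
	// alice currently sits in a managed team she no longer qualifies for (AdminTeam)
	// and in a team the map does not manage (OldTeam).
	current := []string{"MyGiteaOrganization/MyGiteaTeam2", "MyGiteaOrganization/AdminTeam", "MyGiteaOrganization/OldTeam"}
	add, remove := syncPlan(tgm, current, desiredTeams(tgm, userGroups(sampleGroups, "alice")), true)
	fmt.Println("add:", add, "remove:", remove)
}
```

Running it with removal enabled adds MyGiteaTeam1 and removes only AdminTeam; OldTeam survives because the map does not manage it, and with removal disabled nothing is removed at all.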