Enable LDAP support on Gitea #139
Reference: kosmos/chef#139
No description provided.
Update the Gitea app.ini to disable Gitea organization creation by default
The setting to disable Gitea organization creation by default was already in our production config.
No need for a filtered role, all accounts should have access to Gitea.
Gitea authentication docs
I got LDAP authentication to add user accounts to a test Gitea setup (docker-compose).
I used the following settings:
Right now I cannot log in through LDAP, I'm figuring out what is missing.

Then I will add an attribute for Gitea admin users. By default the users created from LDAP can create Gitea organizations.

I can now log in to my test Gitea instance, the issue was missing ACIs on users that allow them to read and search their own attributes. The way Gitea has implemented LDAP support using BindDN requires it.
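As an added illustration of the BindDN flow described above (not code from this issue or from Gitea itself), the script below walks the same three steps Gitea takes: bind as the service account, search for the login name with a Gitea-style "%s" filter template, then re-bind as the found DN and read the user's own entry, so a missing self-read ACI shows up as a distinct failure instead of a generic login error. It assumes the ldap3 library and constructed host, DN and filter values; the escaping of the login name before it is placed in the filter is an addition, not something the issue discusses.

```python
"""Step-by-step check of a Gitea-style LDAP (BindDN) login.

Gitea binds as a service account, searches for the user with a filter
template, then re-binds as the found DN. If the user's ACI does not let
them read their own entry, the last step fails although the password is
right. All host names, DNs and filters are assumptions for illustration.
"""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def build_user_filter(template: str, username: str) -> str:
    """Expand Gitea's '%s' placeholder in the User Filter with an escaped name."""
    return template.replace('%s', escape_filter_value(username))


def diagnose(service_bind_ok, found_dn, user_bind_ok, self_read_ok):
    """Map the outcome of each step to the most likely cause."""
    if not service_bind_ok:
        return 'service bind failed: check BindDN and password of the gitea account'
    if found_dn is None:
        return 'user not found: check User Filter and search base, or the gitea account lacks search ACI'
    if not user_bind_ok:
        return 'user bind failed: wrong password or the user DN cannot bind'
    if not self_read_ok:
        return 'user cannot read own entry: add ACI allowing self read/search of attributes'
    return 'ok'


def probe(host, bind_dn, bind_pw, base, template, username, password):
    """Run the three steps against a live directory (ldap3 assumed installed)."""
    import ldap3  # imported here so the pure helpers above work without it
    server = ldap3.Server(host, use_ssl=True)
    svc = ldap3.Connection(server, bind_dn, bind_pw)
    if not svc.bind():
        return diagnose(False, None, False, False)
    svc.search(base, build_user_filter(template, username), attributes=['uid'])
    dn = svc.entries[0].entry_dn if svc.entries else None
    svc.unbind()
    if dn is None:
        return diagnose(True, None, False, False)
    user = ldap3.Connection(server, dn, password)
    if not user.bind():
        return diagnose(True, dn, False, False)
    # Same read Gitea performs with the user's own bind: needs a self-read ACI.
    ok = user.search(dn, '(objectClass=*)', search_scope=ldap3.BASE, attributes=['*']) and bool(user.entries)
    user.unbind()
    return diagnose(True, dn, True, ok)
```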
Got admin users to work. Added admin: true to my user, created a user for Gitea and an admin role.

Relevant ACIs for users to search and get their own attributes:

Relevant ACIs for the gitea user:
There is a cron job in Gitea to synchronize users from an external source such as Gitea. By default it runs every 24 hours, and does not run on startup. It only runs if the auth source has "User Synchronization" enabled on it: example config.
Alternatively, when a user successfully logs in for the first time from an LDAP account, the user is automatically created in the Gitea database if it did not exist already.
I have renamed my own user (from the user settings page) from gregkare to greg.
I have also performed a spring cleanup on the user accounts. Now we have 12 accounts in Gitea, all members of the Hackerhouse, Kosmos and/or Kredits organizations.
I have changed the email addresses for 3 users in Gitea; they had a different address than in LDAP.
We need to turn that off, because we agreed that org creation requires a separate donation (or proof of Kosmos contributions).
BTW, I think the task list is out of date, from reading your comments from today...
I found the setting to disable organization creation by default (8d2059a201/custom/conf/app.ini.sample (L548)). It needs to be added to our app.ini.
I have made a private list that sorts the users in three different categories:
I have updated the checklist. We have to write a different email for each category
We do not have to write an email for people who didn't have Gitea accounts yet. I think that email should be a single one to all users, when we have a page explaining their unified account and which services they have access to. (They should also know about the wiki for example.)
I created a pad for the emails: https://cryptpad.fr/code/#/2/code/edit/cLRIbvVL0lh7BWBG+Qxhpzsw/
Could I get some feedback or corrections?
I have edited the emails quite a bit. Looks good to me now.
Running in production, closing this one!
We ran into an issue and had to switch the existing user accounts to the LDAP auth source, with the "Authentication Sign-In Name" for each account being the username.
Nice. Great work 👍
W00t w0000t!