Hey folks, I’m using Gitea 1.22.6 with LDAP (specifically lldap) and am having some issues. I’m wondering if I’m setting things up incorrectly?
My goal is to set up an instance where users can authenticate through LDAP for accounts I want to provision automatically/maintain over time, but can also sign up for drive-by contributions and such. I’m using NixOS (doubt it’s relevant, but including that for completeness).
First I created an instance, enabled registration, created my “nolan” admin user, then set up lldap as per these instructions. Next I went into my user account under the admin screen and changed its auth source to LDAP. My username/email matches what’s set in lldap.
Once this happens I can’t log in. If I push to a git repo, I see the following cryptic message in my terminal:
Username for 'https://dev.example.com': nolan
Password for 'https://nolan@dev.example.com':
remote: Verify
fatal: Authentication failed for 'https://dev.example.com/nolan/nixos.git/'
I’m also unable to log into Gitea anymore. The only fix is to switch my user back to the local auth source where everything works fine.
Here are the relevant logs from Gitea:
Jan 03 09:16:03 dev gitea[329]: 2025/01/03 09:16:03 ...eb/routing/logger.go:102:func1() [I] router: completed GET /nolan/nixos.git/info/refs?service=git-receive-pack for 37.27.142.10:0, 401 Unauthorized in 0.7ms @ repo/githttp.go:518(repo.GetInfoRefs)
Jan 03 09:16:10 dev gitea[329]: 2025/01/03 09:16:10 ...rvices/auth/basic.go:139:Verify() [E] UserSignIn: can not delete the last admin user [uid: 1]
Jan 03 09:16:10 dev gitea[329]: 2025/01/03 09:16:10 routers/web/web.go:121:func9() [E] Failed to verify user: can not delete the last admin user [uid: 1]
Jan 03 09:16:10 dev gitea[329]: 2025/01/03 09:16:10 ...eb/routing/logger.go:102:func1() [I] router: completed GET /nolan/nixos.git/info/refs?service=git-receive-pack for 37.27.142.10:0, 401 Unauthorized in 251.8ms @ web/web.go:118(web.Routes.webAuth)
Jan 03 09:16:10 dev gitea[329]: 2025/01/03 09:16:10 ...rvices/auth/basic.go:139:Verify() [E] UserSignIn: can not delete the last admin user [uid: 1]
Jan 03 09:16:10 dev gitea[329]: 2025/01/03 09:16:10 routers/web/web.go:121:func9() [E] Failed to verify user: can not delete the last admin user [uid: 1]
Jan 03 09:16:10 dev gitea[329]: 2025/01/03 09:16:10 ...eb/routing/logger.go:102:func1() [I] router: completed GET /nolan/nixos.git/info/refs?service=git-receive-pack for 37.27.142.10:0, 401 Unauthorized in 251.7ms @ web/web.go:118(web.Routes.webAuth)
I get why deleting the last admin user isn’t ideal; I just don’t get why Gitea is attempting to do that when pushing to a repo.
And lldap:
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.084170075+00:00 INFO │ ┕━ i [info]: Login attempt for "service"
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.137136911+00:00 INFO ┝━ LDAP request [ 257µs | 0.25% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.180172628+00:00 INFO ┝━ LDAP request [ 48.1ms | 45.91% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.181286139+00:00 INFO │ ┕━ i [info]: Login attempt for "nolan"
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.229441783+00:00 INFO ┝━ LDAP request [ 263µs | 0.25% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.229444932+00:00 INFO │ ┕━ i [info]: Unprivileged search, limiting results
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.272173660+00:00 INFO ┝━ LDAP request [ 1.97ms | 1.88% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.272182879+00:00 INFO │ ┕━ i [info]: Unprivileged search, limiting results
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.280036378+00:00 INFO ┕━ LDAP request [ 1.17ms | 1.12% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.280043467+00:00 INFO ┕━ i [info]: Unprivileged search, limiting results
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.339795540+00:00 INFO LDAP session [ 106ms | 0.29% / 100.00% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.339910821+00:00 INFO ┝━ LDAP request [ 52.6ms | 49.65% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.340637811+00:00 INFO │ ┕━ i [info]: Login attempt for "service"
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.393454292+00:00 INFO ┝━ LDAP request [ 311µs | 0.29% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.436024795+00:00 INFO ┝━ LDAP request [ 49.2ms | 46.41% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.437121078+00:00 INFO │ ┕━ i [info]: Login attempt for "nolan"
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.486419334+00:00 INFO ┝━ LDAP request [ 258µs | 0.24% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.486421774+00:00 INFO │ ┕━ i [info]: Unprivileged search, limiting results
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.528922339+00:00 INFO ┝━ LDAP request [ 2.00ms | 1.88% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.528931590+00:00 INFO │ ┕━ i [info]: Unprivileged search, limiting results
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.536423186+00:00 INFO ┕━ LDAP request [ 1.30ms | 1.23% ]
Jan 03 09:16:10 thewordnerd lldap-start[3165]: 2025-01-03T15:16:10.536431524+00:00 INFO ┕━ i [info]: Unprivileged search, limiting results
What does this mean? Also, am I doing this wrong? My “nolan” user is an admin in lldap, I have sync enabled, and I set up Gitea so all lldap admins are also Gitea admins. My hope was to not need a separate Gitea-specific account for administrative functions and just sync everything from lldap, but I can’t make sense of these odd errors.
Thanks for any help.