Hello to everyone!
I know that this topic was discussed in many other iterations, but I’m really feeling desperate about it. I’ll try to be as detailed as possible. Maybe some other people here had the same issues.
I have some trouble configuring LDAP in the app.ini file. After putting in all the configuration attributes, I try to log in with my username, which is in our LDAP directory, but with no success.
Here is the configuration I used (company name replaced with “ourcompany”)
[ldap]
NAME = LDAP
HOST = ldap.ourcompany.com
PORT = 389
SECURITY_PROTOCOL = unencrypted
SKIP_VERIFY = false
BIND_DN = cn=ldap,dc=ourcompany,dc=com
BIND_PASSWORD = ixVziIrc8T <--- Not the real one, randomly generated
USER_SEARCH_BASE = dc=users,dc=ourcompany,dc=com
USER_FILTER = (&(objectClass=inetOrgPerson)(uid=%[1]s))
ADMIN_FILTER = (memberOf=cn=admin,dc=ourcompany,dc=com)
ATTRIBUTE_USERNAME = uid
ATTRIBUTE_NAME = cn
ATTRIBUTE_MAIL = mail
SEARCH_PAGE_SIZE = 100
SEARCH_TIMEOUT = 60
ATTRIBUTE_IN_BIND = true
I tried to log in on the Web UI without success.
So, I added the following sections:
[auth]
enable_ldap = true
[auth.ldap]
… as above, under the [ldap] declaration …
Again, no success.
For debugging purposes, I modified the logging section:
[log]
MODE = file,console,traceconsole
LEVEL = debug
[log.file]
LEVEL = debug
ROOT_PATH = /var/log/gitea
[log.traceconsole]
MODE = console
LEVEL = trace
EXPRESSION = ldap
This is the error I got while trying to login:
2024/09/13 08:36:07 .../context_response.go:70:HTML() [D] Template: user/auth/signin
2024/09/13 08:36:07 ...ers/web/auth/auth.go:231:SignInPost() [I] Failed authentication attempt for z.rossi from 10.10.11.64:8448: user does not exist [uid: 0, name: z.rossi]
2024/09/13 08:36:07 ...eb/routing/logger.go:102:func1() [I] router: completed POST /user/login for 10.10.11.64:8448, 200 OK in 15.0ms @ auth/auth.go:196(auth.SignInPost)
Gitea runs with a user created specifically for this, called git. The /etc/gitea/app.ini file has 664 as permissions, with git:git as owner.
The service file has git configured as user too:
[Unit]
Description=Gitea Ourcompany
After=network.target
[Service]
RestartSec=2s
Type=simple
User=git
Group=git
WorkingDirectory=$GITEA_WORK_DIR/
ExecStart=$GITEA_WORK_DIR/gitea web --config $GITEA_CONF_DIR/app.ini
Restart=always
Environment=USER=git HOME=$MY_HOME GITEA_WORK_DIR=$GITEA_WORK_DIR
[Install]
WantedBy=multi-user.target
(the $GITEA_CONF_DIR is /etc/gitea/)
I checked with the ldapsearch command, using all the filters I put in the ldap config. It does return my user:
ldapsearch -x -H ldap://ldap.ourcompany.com -D "cn=ldap,dc=ourcompany,dc=com" -w "ixVziIrc8T" -b "dc=users,dc=ourcompany,dc=com" "(uid=z.rossi)"
(I replaced my real name with Zombie Rossi)
# extended LDIF
#
# LDAPv3
# base <dc=users,dc=ourcompany,dc=com> with scope subtree
# filter: (uid=z.rossi)
# requesting: ALL
#
# z.rossi, users.ourcompany.com
dn: uid=z.rossi,dc=users,dc=ourcompany,dc=com
objectClass: person
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Zombie Rossi
description: Zombie Rossi
sn: Zombie Rossi
uidNumber: 500
gidNumber: 500
homeDirectory: /home/z.rossi
mail: z.rossi@ourcompany.com
uid: z.rossi
loginShell: /bin/bash
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I tried with the gitea admin command and it didn't work (company name replaced with 'ourcompany' and password replaced with a random string, as previously done in this post):
gitea admin auth add-ldap --config "/etc/gitea/app.ini" --name "Our Company LDAP" --security-protocol "unencrypted" --host "ldap.ourcompany.com" --port 389 --user-search-base "dc=users,dc=ourcompany,dc=com" --bind-dn "cn=ldap,dc=ourcompany,dc=com" --bind-password "ixVziIrc8T" --user-filter "(&(objectClass=person)(uid=%s))" --email-attribute "mail"
The cn=ldap is necessary. It was created specifically and it works in our other platforms that make use of LDAP.
I had some success in logging in by adding the flag --attributes_in_bind "true" with update-ldap … but I don't have administrative permissions once inside.
What am I getting wrong?
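A check for the two filters in the post, as an added example that is not code from Gitea or from the original post: it substitutes the login into USER_FILTER the way Gitea's %[1]s template does (with RFC 4515 escaping, so a login containing * or parentheses cannot rewrite the filter), parses the LDIF entry that the ldapsearch above returned, and evaluates both USER_FILTER and ADMIN_FILTER against it locally. The evaluator is a deliberately small subset of what an LDAP server does (and, or, not, equality and presence filters; case-insensitive matching of names and values is an assumption that holds for the inetOrgPerson attributes used here); the authoritative answer comes from running the command that ldapsearch_command() prints against the real server. As pasted, the entry carries no memberOf attribute, so a (memberOf=...) ADMIN_FILTER cannot match it.

```python
"""Evaluate Gitea-style LDAP filters offline against the LDIF entry from the post.

Added example, not Gitea code. Gitea sends USER_FILTER / ADMIN_FILTER to the
server; this re-implements enough of RFC 4515 matching (&, |, !, equality,
presence; case-insensitive, an assumption) to test the filters against the
entry that ldapsearch returned.
"""
import re
import shlex

# Constructed sample input: the entry from the post's ldapsearch output.
SAMPLE_LDIF = """\
dn: uid=z.rossi,dc=users,dc=ourcompany,dc=com
objectClass: person
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: Zombie Rossi
mail: z.rossi@ourcompany.com
uid: z.rossi
"""
USER_FILTER = "(&(objectClass=inetOrgPerson)(uid=%[1]s))"  # from the post's [ldap] block
ADMIN_FILTER = "(memberOf=cn=admin,dc=ourcompany,dc=com)"   # from the post's [ldap] block


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter (blocks filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def render_user_filter(template: str, login: str) -> str:
    """Substitute the escaped login for %[1]s or %s, as Gitea's USER_FILTER template expects."""
    safe = escape_filter_value(login)
    return template.replace("%[1]s", safe).replace("%s", safe)


def parse_ldif(text: str) -> dict:
    """Parse one plain-text LDIF entry into {attr_lower: [values]} (no base64 '::' lines)."""
    entry: dict = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
    return entry


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f: str, i: int):
    """Recursive-descent parser for the filter starting at f[i]; returns (node, next_index)."""
    if f[i] != "(":
        raise ValueError("filter component must start with '('")
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] != ")":
            kid, i = _parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    if f[i] == "!":
        kid, i = _parse(f, i + 1)
        if f[i] != ")":
            raise ValueError("unterminated '!' filter")
        return ("!", kid), i + 1
    end = f.index(")", i)                 # an escaped ')' is written \29, never literally
    attr, _, raw = f[i:end].partition("=")
    # A bare '*' is a presence filter; an escaped '\2a' is the literal character.
    return ("=", attr.strip().lower(), None if raw == "*" else _unescape(raw)), end + 1


def _eval(node, entry: dict) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if val is None:                       # presence filter, e.g. (memberOf=*)
        return bool(values)
    return any(v.lower() == val.lower() for v in values)


def matches(filter_str: str, entry: dict) -> bool:
    """True if the entry satisfies the filter, as an LDAP server would decide it."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing characters after filter")
    return _eval(node, entry)


def ldapsearch_command(host: str, bind_dn: str, base: str, filter_str: str) -> str:
    """The ldapsearch call that asks the real server the same question.
    -W prompts for the bind password instead of leaving it in shell history."""
    args = ["ldapsearch", "-x", "-H", f"ldap://{host}", "-D", bind_dn, "-W",
            "-b", base, filter_str, "dn", "memberOf"]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    user_filter = render_user_filter(USER_FILTER, "z.rossi")
    print(user_filter, "->", matches(user_filter, entry))
    print(ADMIN_FILTER, "->", matches(ADMIN_FILTER, entry))
    print("live check:", ldapsearch_command("ldap.ourcompany.com",
          "cn=ldap,dc=ourcompany,dc=com", "dc=users,dc=ourcompany,dc=com", ADMIN_FILTER))
```

Run it with python3: the user filter matches the pasted entry and the admin filter does not, because no memberOf value is present. The printed ldapsearch line requests the memberOf attribute explicitly, which shows whether the server actually exposes it to the cn=ldap bind account; an admin filter on memberOf can only work if that search returns the value.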