Map LDAP groups to Organization teams

Hello all,
I’m using Gitea 1.17.3 on Windows and have configured an “Authentication Source” to connect Gitea to an MS Active Directory. All works fine (the users are imported from the AD) except the part “Enable LDAP Groups”.

Step 1:
I created an organization “Org1” and two teams inside this organization, Team1 and Team2, and created the groups “cn=MyGroup1,cn=groups,dc=example,dc=org” and “cn=MyGroup2,cn=groups,dc=example,dc=org” on Active Directory.

Step 2:
I enabled the functionality “Enable LDAP Groups”.
I mapped the LDAP group “cn=MyGroup1,cn=groups,dc=example,dc=org” to Team1 with
“Map LDAP groups to Organization teams”: {"cn=MyGroup1,cn=groups,dc=example,dc=org":{"Org1":["Team1"]}}
This works.

Step 3:
I want to map the second LDAP group “cn=MyGroup2,cn=groups,dc=example,dc=org” to Team2 together with the mapping for Team1.
I tried to add the second mapping to the entry of Step 2, like
“Map LDAP groups to Organization teams”: {"cn=MyGroup1,cn=groups,dc=example,dc=org":{"Org1":["Team1"]}}{"cn=MyGroup2,cn=groups,dc=example,dc=org":{"Org1":["Team2"]}}
This doesn't work.

In the log I see an error:
…dap/source_search.go:235:mapLdapGroupsToTeams() [E] [6391dcab-2] Failed to unmarshall LDAP teams map: Unmarshal: there are bytes left after unmarshal, error found in …

I tried some different separators between the two mappings, enclosing them with {} and some more, but nothing works.

Is it not possible to map more than ONE LDAP group to one or more teams (in one Authentication Source)?

Thanks
Juergen

The error you are receiving is because you have supplied an invalid JSON string. The LDAP group mappings are JSON, so you want to do something like this:

{
    "cn=MyGroup1,cn=groups,dc=example,dc=org": {
        "Org1": ["Team1"]
    },
    "cn=MyGroup2,cn=groups,dc=example,dc=org": {
        "Org2": ["Team2"]
    }
}

You can use something like https://jsonformatter.curiousconcept.com/ to validate that your string is proper JSON. There are also a ton of these websites out there; just search “JSON formatter” or “JSON validator”.
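An added example, not from the reply above or from Gitea itself, in Go (the language the log line's source_search.go points to): it decodes the mapping into the group DN → organization → team-list shape the setting describes, reports leftover data when two objects are pasted back to back as in the question, and merges separate per-group mappings into the single object the field requires. The type name TeamMap and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TeamMap is the shape the setting expects: group DN -> organization -> team names.
type TeamMap map[string]map[string][]string

// ParseTeamMap decodes one mapping object and rejects anything that follows it,
// so two objects written back to back (as in the question) are reported as invalid.
func ParseTeamMap(s string) (TeamMap, error) {
	dec := json.NewDecoder(strings.NewReader(s))
	var m TeamMap
	if err := dec.Decode(&m); err != nil {
		return nil, err
	}
	if dec.More() {
		return nil, fmt.Errorf("data left after the first JSON object: merge all groups into one object")
	}
	return m, nil
}

// MergeTeamMaps folds several single-group mappings into the one object the setting
// requires; if a group/organization pair repeats, the team lists are concatenated.
func MergeTeamMaps(parts ...TeamMap) TeamMap {
	out := TeamMap{}
	for _, p := range parts {
		for group, orgs := range p {
			if out[group] == nil {
				out[group] = map[string][]string{}
			}
			for org, teams := range orgs {
				out[group][org] = append(out[group][org], teams...)
			}
		}
	}
	return out
}

func main() {
	// Constructed input: the two separate mappings from the question, merged and re-emitted.
	a, _ := ParseTeamMap(`{"cn=MyGroup1,cn=groups,dc=example,dc=org":{"Org1":["Team1"]}}`)
	b, _ := ParseTeamMap(`{"cn=MyGroup2,cn=groups,dc=example,dc=org":{"Org1":["Team2"]}}`)
	out, _ := json.MarshalIndent(MergeTeamMaps(a, b), "", "  ")
	fmt.Println(string(out))
}
```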

Hi,

I am trying to map an LDAP group to a Gitea team but it is not successful.

My instance is Gitea 1.20.4. Authentication Source is configured and the system is able to sync all LDAP (Windows AD server) users when I click “admin - dashboard - Synchronize external user data”. I am able to login with an AD account.

In the “Authentication Source”, I checked “Enable LDAP groups” and have the following settings:
Group Search Base DN: ou=Distribution Groups,ou=Root,dc=example,dc=com
Group Attribute Containing List Of Users: member
User Attribute Listed In Group: dn
Verify group membership in LDAP (leave the filter empty to skip): (&(objectCategory=Person)(sAMAccountName=%s))
Map LDAP groups to Organization teams (leave the field empty to skip):
{
    "CN=DevOps,OU=Distribution Groups,OU=Mail,OU=Root,DC=example,DC=com": {
        "RD": ["DevOps"]
    }
}
Use paged search: checked
page size: 1000

In Gitea I have an Organization called “RD” and a Team underneath called “DevOps”.

I expect with the above configuration, the system should retrieve members of LDAP group “CN=DevOps,OU=Distribution Groups,OU=Mail,OU=Root,DC=example,DC=com” and put them into team RD:Devops. But it shows 0 members.

Is this expectation correct? If so, can somebody show a successful configuration that can map LDAP group members to a Gitea team?

Thanks,
Stephen
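An added check, not from the post above or from Gitea: an LDAP search rooted at the Group Search Base DN can only return entries beneath that base, so every group DN in the mapping should be a subordinate of it. The Go code below compares the two settings quoted in the post (case-insensitively, RDN by RDN) and lists mapped groups that fall outside the base; it assumes plain DNs with no escaped commas, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// splitDN lower-cases a DN and splits it into trimmed RDNs so that
// "OU=Root, DC=example" equals "ou=Root,dc=example" (assumes no escaped commas).
func splitDN(dn string) []string {
	parts := strings.Split(strings.ToLower(dn), ",")
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	return parts
}

// UnderBase reports whether dn is base itself or an entry below it, which holds
// exactly when base's RDNs are a suffix of dn's RDNs. The leading comma keeps the
// comparison on RDN boundaries ("xou=root" must not match "ou=root").
func UnderBase(dn, base string) bool {
	d := "," + strings.Join(splitDN(dn), ",")
	b := "," + strings.Join(splitDN(base), ",")
	return strings.HasSuffix(d, b)
}

// GroupsOutsideBase lists mapped group DNs that a search rooted at base can never
// return, so their team mappings can never match a synced user.
func GroupsOutsideBase(teamMap map[string]map[string][]string, base string) []string {
	var out []string
	for group := range teamMap {
		if !UnderBase(group, base) {
			out = append(out, group)
		}
	}
	return out
}

func main() {
	// Constructed from the two settings quoted in the post above.
	base := "ou=Distribution Groups,ou=Root,dc=example,dc=com"
	tm := map[string]map[string][]string{
		"CN=DevOps,OU=Distribution Groups,OU=Mail,OU=Root,DC=example,DC=com": {"RD": {"DevOps"}},
	}
	fmt.Println(GroupsOutsideBase(tm, base))
}
```

Run against the values in the post, the DevOps group is listed, because its DN places it under OU=Mail,OU=Root while the configured base has no OU=Mail component.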

This is a working example:
“antiq”, “applications”, “libraries”, etc. are Organizations created in Gitea.
“ldap_leads”, “ldap_edt_devops”, etc. are manually created teams in Gitea Organizations.

{
  "CN=Leads,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_leads"
    ],
    "applications": [
      "ldap_leads"
    ],
    "libraries": [
      "ldap_leads"
    ],
    "x_archive": [
      "ldap_leads"
    ]
  },
  "CN=edt_devops,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "devops": [
      "ldap_edt_devops"
    ]
  },
  "CN=emb,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "emb_mirrors": [
      "ldap_embedded"
    ],
    "emb_tools": [
      "ldap_embedded"
    ],
    "sandbox": [
      "ldap_embedded"
    ],
    "x_archive": [
      "ldap_embedded"
    ]
  },
  "CN=emb_antiq,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_emb_antiq"
    ],
    "applications": [
      "ldap_emb_antiq"
    ],
    "libraries": [
      "ldap_emb_antiq"
    ],
    "hosts": [
      "ldap_emb_antiq"
    ],
    "emb_conan": [
      "ldap_emb_antiq"
    ],
    "emb_mirrors": [
      "ldap_emb_antiq"
    ]
  },
  "CN=emb_devops,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_emb_devops"
    ],
    "applications": [
      "ldap_emb_devops"
    ],
    "aurora": [
      "ldap_emb_devops"
    ],
    "libraries": [
      "ldap_emb_devops"
    ],
    "autoqa": [
      "ldap_emb_devops"
    ],
    "devops": [
      "ldap_emb_devops"
    ],
    "docker": [
      "ldap_emb_devops"
    ],
    "hosts": [
      "ldap_emb_devops"
    ],
    "emb_conan": [
      "ldap_emb_devops"
    ],
    "emb_tools": [
      "ldap_emb_devops"
    ],
    "emb_devsec": [
      "ldap_emb_devops"
    ],
    "emb_mirrors": [
      "ldap_emb_devops"
    ],
    "ports": [
      "ldap_emb_devops"
    ],
    "release_activity": [
      "ldap_emb_devops"
    ]
  },
  "CN=emb_devsec,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_emb_devsec"
    ],
    "applications": [
      "ldap_emb_devsec"
    ],
    "aurora": [
      "ldap_emb_devsec"
    ],
    "libraries": [
      "ldap_emb_devsec"
    ],
    "autoqa": [
      "ldap_emb_devsec"
    ],
    "devops": [
      "ldap_emb_devsec"
    ],
    "docker": [
      "ldap_emb_devsec"
    ],
    "hosts": [
      "ldap_emb_devsec"
    ],
    "emb_conan": [
      "ldap_emb_devsec"
    ],
    "emb_devsec": [
      "ldap_emb_devsec"
    ],
    "ports": [
      "ldap_emb_devsec"
    ],
    "emb_mirrors": [
      "ldap_emb_devsec"
    ],
    "release_activity": [
      "ldap_emb_devsec"
    ]
  },
  "CN=emb_mec,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mec"
    ],
    "libraries": [
      "ldap_emb_mec"
    ],
    "autoqa": [
      "ldap_emb_mec"
    ],
    "hosts": [
      "ldap_emb_mec"
    ],
    "ports": [
      "ldap_emb_mec"
    ],
    "emb_conan": [
      "ldap_emb_mec"
    ],
    "emb_mirrors": [
      "ldap_emb_mec"
    ],
    "release_activity": [
      "ldap_emb_mec"
    ]
  },
  "CN=emb_focus,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_focus"
    ],
    "libraries": [
      "ldap_emb_focus"
    ],
    "autoqa": [
      "ldap_emb_focus"
    ],
    "hosts": [
      "ldap_emb_focus"
    ],
    "ports": [
      "ldap_emb_focus"
    ],
    "emb_conan": [
      "ldap_emb_focus"
    ],
    "emb_mirrors": [
      "ldap_emb_focus"
    ],
    "release_activity": [
      "ldap_emb_focus"
    ]
  },
  "CN=emb_kde_dev,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mobiledocs"
    ],
    "aurora": [
      "ldap_emb_mobiledocs"
    ],
    "libraries": [
      "ldap_emb_mobiledocs"
    ],
    "hosts": [
      "ldap_emb_mobiledocs"
    ],
    "emb_conan": [
      "ldap_emb_mobiledocs"
    ],
    "ports": [
      "ldap_emb_mobiledocs"
    ],
    "emb_mirrors": [
      "ldap_emb_mobiledocs"
    ]
  },
  "CN=emb_kde_qa,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mobiledocs_qa"
    ],
    "aurora": [
      "ldap_emb_mobiledocs_qa"
    ],
    "libraries": [
      "ldap_emb_mobiledocs_qa"
    ],
    "hosts": [
      "ldap_emb_mobiledocs_qa"
    ],
    "emb_conan": [
      "ldap_emb_mobiledocs_qa"
    ],
    "ports": [
      "ldap_emb_mobiledocs_qa"
    ],
    "emb_mirrors": [
      "ldap_emb_mobiledocs_qa"
    ]
  },
  "CN=emb_mail,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mail"
    ],
    "libraries": [
      "ldap_emb_mail"
    ],
    "autoqa": [
      "ldap_emb_mail"
    ],
    "hosts": [
      "ldap_emb_mail"
    ],
    "emb_conan": [
      "ldap_emb_mail"
    ],
    "emb_mirrors": [
      "ldap_emb_mail"
    ],
    "ports": [
      "ldap_emb_mail"
    ],
    "release_activity": [
      "ldap_emb_mail"
    ]
  },
  "CN=emb_qa,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_qa"
    ],
    "libraries": [
      "ldap_emb_qa"
    ],
    "autoqa": [
      "ldap_emb_qa"
    ],
    "release_activity": [
      "ldap_emb_qa"
    ]
  },
  "CN=spb_team_kos,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_kos"
    ],
    "libraries": [
      "ldap_emb_kos"
    ],
    "hosts": [
      "ldap_emb_kos"
    ],
    "emb_conan": [
      "ldap_emb_kos"
    ],
    "ports": [
      "ldap_emb_kos"
    ],
    "emb_mirrors": [
      "ldap_emb_kos"
    ]
  }
}

Thanks for the response.

Following the example I configured my LDAP settings. It did not report any error. But when I checked the team in the organization (in your example it is team “ldap_leads” under organization “antiq”), it has zero members, while on the domain side it has members under “CN=Leads,OU=Groups,OU=CO_Users,DC=mydomain,DC=com”.

How to make domain group members show up in the Gitea team member list?

Thanks,
Stephen