---
date: "2016-12-01T16:00:00+02:00"
title: "Authentication"
slug: "authentication"
weight: 10
toc: true
draft: false
menu:
  sidebar:
    parent: "features"
    name: "Authentication"
    weight: 10
    identifier: "authentication"
---
## LDAP (Lightweight Directory Access Protocol)

Both the LDAP via BindDN and the simple auth LDAP share the following fields:

- Authorization Name (required)
- Host (required)
  - e.g. `mydomain.com`
- Port (required)
  - e.g. `389` for LDAP or `636` for LDAP SSL
- Enable TLS Encryption (optional)
- Admin Filter (optional)
  - e.g. `(objectClass=adminAccount)`
  - for Active Directory, e.g. `(memberOf=CN=admin-group,OU=example,DC=example,DC=org)`
- Username attribute (optional)
  - e.g. `uid`, or `sAMAccountName` for Active Directory
- First name attribute (optional)
  - e.g. `givenName`
- Surname attribute (optional)
  - e.g. `sn`
- E-mail attribute (required)
  - e.g. `mail`
LDAP via BindDN adds the following fields:

- Bind DN (optional)
  - e.g. `cn=Search,dc=mydomain,dc=com`
- Bind Password (optional)
- User Search Base (required)
  - e.g. `ou=Users,dc=mydomain,dc=com`
- User Filter (required)
  - The `%s` matching parameter will be substituted with the login name given on the sign-in form.
  - e.g. `(&(objectClass=posixAccount)(uid=%s))`
  - for Active Directory, e.g. `(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`
  - `%[1]s` should be used instead when the supplied login name is matched against multiple attributes such as user identifier, e-mail or even phone number, e.g. `(&(objectClass=Person)(|(uid=%[1]s)(mail=%[1]s)(mobile=%[1]s)))`
- Enable user synchronization
LDAP using simple auth adds the following fields:

- User DN (required)
  - The `%s` matching parameter will be substituted with the login name given on the sign-in form.
  - e.g. `cn=%s,ou=Users,dc=mydomain,dc=com`
  - e.g. `uid=%s,ou=Users,dc=mydomain,dc=com`
- User Filter (required)
  - The `%s` matching parameter will be substituted with the login name given on the sign-in form.
  - e.g. `(&(objectClass=posixAccount)(cn=%s))`
  - e.g. `(&(objectClass=posixAccount)(uid=%s))`
Verify group membership in LDAP uses the following fields:

- Group Search Base (optional)
  - e.g. `ou=group,dc=mydomain,dc=com`
- Group Name Filter (optional)
  - e.g. `(|(cn=gitea_users)(cn=admins))`
- User Attribute in Group (optional)
  - e.g. `uid`
- Group Attribute for User (optional)
  - e.g. `memberUid`
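The `%s` / `%[1]s` substitution used by the BindDN and simple-auth "User Filter" and "User DN" fields, and the way the group-membership fields combine into one search, can be shown in working code. The Go program below is an added example and not Gitea's own code; it assumes the hypothetical helper names `BuildUserFilter`, `BuildUserDN` and `BuildGroupFilter`, uses only the standard library, and escapes the login name for filter context (RFC 4515) and for DN context (RFC 4514) before substituting it, so that a login containing `*`, `(` or `,` is only ever compared as a value and cannot change the structure of the filter or DN. It also rejects templates whose verbs do not consume the single login argument, which is the failure mode that `%[1]s` exists to avoid when the same login must appear more than once.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilter escapes a value for use inside an LDAP search filter
// (RFC 4515): '*', '(', ')', '\' and NUL become \XX hex escapes, so the
// value can only ever be compared, never parsed as filter syntax.
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// escapeDN escapes a value used as an attribute value inside a DN
// (RFC 4514), as the simple-auth "User DN" template needs: special
// characters get a backslash prefix, NUL becomes \00, and a leading
// space or '#' or a trailing space is also escaped.
func escapeDN(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0:
			b.WriteString(`\00`)
		case strings.IndexByte(`,+"\<>;=`, c) >= 0,
			i == 0 && (c == ' ' || c == '#'),
			i == len(s)-1 && c == ' ':
			b.WriteByte('\\')
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// render substitutes one already-escaped value into a template that uses
// %s or %[1]s, exactly as fmt.Sprintf does. A probe run first catches
// templates whose verbs do not match the single argument: fmt marks
// those with "%!s(MISSING)" or "%!(EXTRA ...)" instead of failing, which
// is how a filter with two plain %s placeholders silently breaks.
func render(tmpl, value string) (string, error) {
	if probe := fmt.Sprintf(tmpl, "probe"); strings.Contains(probe, "%!") {
		return "", fmt.Errorf("template %q does not consume exactly one argument: %s", tmpl, probe)
	}
	return fmt.Sprintf(tmpl, value), nil
}

// BuildUserFilter renders a BindDN or simple-auth "User Filter" (hypothetical helper).
func BuildUserFilter(userFilter, login string) (string, error) {
	return render(userFilter, escapeFilter(login))
}

// BuildUserDN renders a simple-auth "User DN" (hypothetical helper).
func BuildUserDN(userDN, login string) (string, error) {
	return render(userDN, escapeDN(login))
}

// BuildGroupFilter ANDs the "Group Name Filter" with a clause requiring
// the "Group Attribute for User" (e.g. memberUid) to hold the user's
// "User Attribute in Group" value (e.g. uid), so a single search answers
// "is this user in one of the allowed groups?" (hypothetical helper).
func BuildGroupFilter(groupNameFilter, groupAttr, userAttrValue string) string {
	return fmt.Sprintf("(&%s(%s=%s))", groupNameFilter, groupAttr, escapeFilter(userAttrValue))
}

func main() {
	// Constructed inputs mirroring the examples given in the field descriptions.
	for _, c := range []struct{ tmpl, login string }{
		{"(&(objectClass=posixAccount)(uid=%s))", "alice"},
		{"(&(objectClass=Person)(|(uid=%[1]s)(mail=%[1]s)(mobile=%[1]s)))", "alice"},
		{"(&(objectClass=posixAccount)(uid=%s))", "a*b(c)"}, // special characters neutralised
		{"(&(uid=%s)(mail=%s))", "alice"},                    // two plain %s: rejected
	} {
		f, err := BuildUserFilter(c.tmpl, c.login)
		fmt.Printf("filter=%s err=%v\n", f, err)
	}
	dn, _ := BuildUserDN("cn=%s,ou=Users,dc=mydomain,dc=com", "Smith, John")
	fmt.Println("dn:", dn)
	fmt.Println("group:", BuildGroupFilter("(|(cn=gitea_users)(cn=admins))", "memberUid", "alice"))
}
```

The two escape routines differ on purpose: a comma is harmless inside a filter but terminates an RDN in a DN, while `*` is harmless in a DN but is a wildcard in a filter, so the same login needs a different escaping depending on which field it is substituted into.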
## PAM (Pluggable Authentication Module)

To configure this you just need to set the 'PAM Service Name' to the name of a file in `/etc/pam.d/`.

If you want it to work with normal Linux passwords, the user running Gitea must have read access to `/etc/shadow`. On Debian-based distributions this is usually granted by adding that user to the `shadow` group rather than by loosening the permissions of `/etc/shadow` itself.
## SMTP (Simple Mail Transport Protocol)

This option allows Gitea to log in to your SMTP host as a Gitea user. To configure this, simply set the fields below:

- Authentication Name (required)
- SMTP Authentication Type (required)
- Host (required)
  - e.g. `smtp.mydomain.com`
- Port (required)
  - e.g. `587`
- Allowed Domains
  - e.g. `gitea.io,mydomain.com,mydomain2.com`
- Enable TLS Encryption
- Skip TLS Verify
This authentication is activate
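Of the SMTP fields above, "Allowed Domains" decides which logins may authenticate through this source and "Skip TLS Verify" decides whether the certificate of the SMTP host is checked. The Go program below is an added example and not Gitea's own code; it assumes the hypothetical helpers `ParseAllowedDomains`, `LoginAllowed` and `SMTPTLSConfig`, takes the domain of a login to be the part after its last `@`, and builds the TLS client configuration so that the weak setting (`InsecureSkipVerify: true`) sits beside the checked one and the difference is visible in code.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// ParseAllowedDomains turns the comma-separated "Allowed Domains" setting
// into a normalised set. An empty setting yields an empty set, which
// LoginAllowed treats as "no restriction".
func ParseAllowedDomains(setting string) map[string]bool {
	allowed := map[string]bool{}
	for _, d := range strings.Split(setting, ",") {
		d = strings.ToLower(strings.TrimSpace(d))
		if d != "" {
			allowed[d] = true
		}
	}
	return allowed
}

// LoginAllowed reports whether a login in e-mail form may authenticate
// against this source: the part after the last '@' must be exactly one
// of the allowed domains (sub-domains are not implicitly allowed).
func LoginAllowed(setting, login string) bool {
	allowed := ParseAllowedDomains(setting)
	if len(allowed) == 0 {
		return true
	}
	at := strings.LastIndex(login, "@")
	if at < 0 || at == len(login)-1 {
		return false // no domain part at all
	}
	return allowed[strings.ToLower(login[at+1:])]
}

// SMTPTLSConfig builds the TLS client configuration for the connection to
// the SMTP host. skipVerify mirrors "Skip TLS Verify": when true the server
// certificate is not validated, so any machine on the path could present
// its own certificate, terminate the connection and read every password
// that users submit for authentication. Leave it false unless the host's
// certificate genuinely cannot be validated, and fix the certificate instead.
func SMTPTLSConfig(host string, skipVerify bool) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: skipVerify, // the weak setting when true
	}
}

func main() {
	// Constructed inputs using the example values from the field list.
	setting := "gitea.io,mydomain.com,mydomain2.com"
	for _, login := range []string{"alice@mydomain.com", "bob@example.org", "carol"} {
		fmt.Printf("%-20s allowed=%v\n", login, LoginAllowed(setting, login))
	}
	checked := SMTPTLSConfig("smtp.mydomain.com", false)
	weak := SMTPTLSConfig("smtp.mydomain.com", true)
	fmt.Println("checked:", checked.ServerName, checked.InsecureSkipVerify)
	fmt.Println("weak:   ", weak.ServerName, weak.InsecureSkipVerify)
}
```

Matching the domain exactly, rather than by suffix, is deliberate: a suffix match on `mydomain.com` would also accept `mydomain.com.example` or any host name that merely ends in that string.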
## FreeIPA

In order to log in to Gitea using FreeIPA credentials, you need to create a bind account for Gitea to use:

1. On the FreeIPA server, create a `gitea.ldif` file, replacing `dc=example,dc=com` with your DN, and providing an appropriately secure password:

   ```
   dn: uid=gitea,cn=sysaccounts,cn=etc,dc=example,dc=com
   changetype: add
   objectclass: account
   objectclass: simplesecurityobject
   uid: gitea
   userPassword: secure password
   passwordExpirationTime: 20380119031407Z
   nsIdleTimeout: 0
   ```

2. Import the LDIF (change `localhost` to an IPA server if needed); you'll be prompted for your Directory Manager password:

   ```
   ldapmodify -h localhost -p 389 -x -D \
   "cn=Directory Manager" -W -f gitea.ldif
   ```

3. Add an IPA group for `gitea_users`:

   ```
   ipa group-add --desc="Gitea Users" gitea_users
   ```

   Note: If you get an error about IPA credentials, please run `kinit admin` and give your admin account password.

4. Now log in to Gitea as an Administrator, click on "Authentication" under Admin Panel. Then click Add New Source and fill in the details, changing all where appropriate to your own domain.