From 260b545a54d6ecd41e2cdd5ae4fdd50c0cf407f8 Mon Sep 17 00:00:00 2001 From: poVoq Date: Mon, 9 Jan 2023 15:53:44 -0100 Subject: [PATCH] example_configs,gitea: add additional attributes and group sync Not extensively tested, but group/team sync seems to work in Forgejo. --- example_configs/gitea.md | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/example_configs/gitea.md b/example_configs/gitea.md index b2c8a54..654d76e 100644 --- a/example_configs/gitea.md +++ b/example_configs/gitea.md @@ -1,4 +1,4 @@ -# Configuration for Gitea +# Configuration for Gitea (& Forgejo) In Gitea, go to `Site Administration > Authentication Sources` and click `Add Authentication Source` Select `LDAP (via BindDN)` 
@@ -14,9 +14,30 @@ To log in they can either use their email address or user name. If you only want For more info on the user filter, see: https://docs.gitea.io/en-us/authentication/#ldap-via-binddn * Admin Filter: Use `(memberof=cn=lldap_admin,ou=groups,dc=example,dc=com)` if you want lldap admins to become Gitea admins. Leave empty otherwise. * Username Attribute: `uid` +* First Name Attribute: `givenName` +* Surname Attribute: `sn` * Email Attribute: `mail` +* Avatar Attribute: `jpegPhoto` * Check `Enable User Synchronization` Replace every instance of `dc=example,dc=com` with your configured domain. -After applying the above settings, users should be able to log in with either their user name or email address. \ No newline at end of file +After applying the above settings, users should be able to log in with either their user name or email address. + +## Syncronizing LDAP groups with existing teams in organisations + +Groups in LLDAP can be syncronized with teams in organisations. Organisations and teams must be created manually in Gitea. +It is possible to syncronize one LDAP group with multiple teams in a Gitea organization. + +Check `Enable LDAP Groups` + +* Group Search Base DN: `ou=groups,dc=example,dc=com` +* Group Attribute Containing List Of Users: `member` +* User Attribute Listed In Group: `dn` +* Map LDAP groups to Organization teams: `{"cn=Groupname1,ou=groups,dc=example,dc=com":{"Organization1": ["Teamname"]},"cn=Groupname2,ou=groups,dc=example,dc=com": {"Organization2": ["Teamname1", "Teamname2"]}}` + +Check `Remove Users from syncronised teams...` + +The `Map LDAP groups to Organization teams` config is JSON formatted and can be extended to as many groups as needed. + +Replace every instance of `dc=example,dc=com` with your configured domain.
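Review bot: the heading change to `# Configuration for Gitea (& Forgejo)` is not carried into the text that follows it, which still opens with "In Gitea, go to `Site Administration > Authentication Sources`"; either say "In Gitea or Forgejo" there or add a one-line note that the same menu path applies to Forgejo, so the reader is not left guessing whether the rest of the page is Gitea-only.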
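Review bot: `Check `Remove Users from syncronised teams...`` in the new group-sync section gives neither the option's full label nor the reason to enable it; quote the complete setting name instead of truncating with `...`, and state that this is the option that revokes a user's membership in a mapped team once the user is no longer in the corresponding LDAP group, since without it removals in LLDAP leave the team access in place. Spelling in the same region: `Syncronizing`, `syncronized` and `syncronised` should be `Synchronizing`/`synchronized` (the hunk also mixes `organisations` with Gitea's `Organization` label; pick one form). The commit message says this was only verified on Forgejo, so the section should say so rather than presenting it as tested on Gitea. Minor: the closing `Replace every instance of `dc=example,dc=com`...` line duplicates the identical reminder a few lines above in the same file; one is enough.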