summaryrefslogtreecommitdiffstats
path: root/services/auth/source/ldap/README.md
diff options
context:
space:
mode:
authorDaniel Baumann <daniel@debian.org>2024-10-18 20:33:49 +0200
committerDaniel Baumann <daniel@debian.org>2024-12-12 23:57:56 +0100
commite68b9d00a6e05b3a941f63ffb696f91e554ac5ec (patch)
tree97775d6c13b0f416af55314eb6a89ef792474615 /services/auth/source/ldap/README.md
parentInitial commit. (diff)
downloadforgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.tar.xz
forgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.zip
Adding upstream version 9.0.3.
Signed-off-by: Daniel Baumann <daniel@debian.org>
Diffstat (limited to 'services/auth/source/ldap/README.md')
-rw-r--r--services/auth/source/ldap/README.md131
1 files changed, 131 insertions, 0 deletions
diff --git a/services/auth/source/ldap/README.md b/services/auth/source/ldap/README.md
new file mode 100644
index 0000000..34c8117
--- /dev/null
+++ b/services/auth/source/ldap/README.md
@@ -0,0 +1,131 @@
+# Gitea LDAP Authentication Module
+
+## About
+
+This authentication module attempts to authorize and authenticate a user
+against an LDAP server. It provides two methods of authentication: LDAP via
+BindDN, and LDAP simple authentication.
+
+LDAP via BindDN functions like most LDAP authentication systems. First, it
+queries the LDAP server using a Bind DN and searches for the user that is
+attempting to sign in. If the user is found, the module attempts to bind to the
+server using the user's supplied credentials. If this succeeds, the user has
+been authenticated, and his account information is retrieved and passed to the
+Gogs login infrastructure.
+
+LDAP simple authentication does not utilize a Bind DN. Instead, it binds
+directly with the LDAP server using the user's supplied credentials. If the bind
+succeeds and no filter rules out the user, the user is authenticated.
+
+LDAP via BindDN is recommended for most users. By using a Bind DN, the server
+can perform authorization by restricting which entries the Bind DN account can
+read. Further, using a Bind DN with reduced permissions can reduce security risk
+in the face of application bugs.
+
+## Usage
+
+To use this module, add an LDAP authentication source via the Authentications
+section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP
+share the following fields:
+
+* Authorization Name **(required)**
+ * A name to assign to the new method of authorization.
+
+* Host **(required)**
+ * The address where the LDAP server can be reached.
+ * Example: mydomain.com
+
+* Port **(required)**
+ * The port to use when connecting to the server.
+ * Example: 636
+
+* Enable TLS Encryption (optional)
+ * Whether to use TLS when connecting to the LDAP server.
+
+* Admin Filter (optional)
+ * An LDAP filter specifying if a user should be given administrator
+ privileges. If a user accounts passes the filter, the user will be
+ privileged as an administrator.
+ * Example: (objectClass=adminAccount)
+
+* First name attribute (optional)
+ * The attribute of the user's LDAP record containing the user's first name.
+ This will be used to populate their account information.
+ * Example: givenName
+
+* Surname attribute (optional)
+ * The attribute of the user's LDAP record containing the user's surname This
+ will be used to populate their account information.
+ * Example: sn
+
+* E-mail attribute **(required)**
+ * The attribute of the user's LDAP record containing the user's email
+ address. This will be used to populate their account information.
+ * Example: mail
+
+**LDAP via BindDN** adds the following fields:
+
+* Bind DN (optional)
+ * The DN to bind to the LDAP server with when searching for the user. This
+ may be left blank to perform an anonymous search.
+ * Example: cn=Search,dc=mydomain,dc=com
+
+* Bind Password (optional)
+ * The password for the Bind DN specified above, if any. _Note: The password
+ is stored in plaintext at the server. As such, ensure that your Bind DN
+ has as few privileges as possible._
+
+* User Search Base **(required)**
+ * The LDAP base at which user accounts will be searched for.
+ * Example: ou=Users,dc=mydomain,dc=com
+
+* User Filter **(required)**
+ * An LDAP filter declaring how to find the user record that is attempting to
+ authenticate. The '%[1]s' matching parameter will be substituted with the
+ user's username.
+ * Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))
+
+**LDAP using simple auth** adds the following fields:
+
+* User DN **(required)**
+ * A template to use as the user's DN. The `%s` matching parameter will be
+ substituted with the user's username.
+ * Example: cn=%s,ou=Users,dc=mydomain,dc=com
+ * Example: uid=%s,ou=Users,dc=mydomain,dc=com
+
+* User Search Base (optional)
+ * The LDAP base at which user accounts will be searched for.
+ * Example: ou=Users,dc=mydomain,dc=com
+
+* User Filter **(required)**
+ * An LDAP filter declaring when a user should be allowed to log in. The `%[1]s`
+ matching parameter will be substituted with the user's username.
+ * Example: (&(objectClass=posixAccount)(|(cn=%[1]s)(mail=%[1]s)))
+ * Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))
+
+**Verify group membership in LDAP** uses the following fields:
+
+* Group Search Base (optional)
+ * The LDAP DN used for groups.
+ * Example: ou=group,dc=mydomain,dc=com
+
+* Group Name Filter (optional)
+ * An LDAP filter declaring how to find valid groups in the above DN.
+ * Example: (|(cn=gitea_users)(cn=admins))
+
+* User Attribute in Group (optional)
+ * The user attribute that is used to reference a user in the group object.
+ * Example: uid if the group objects contains a member: bender and the user object contains a uid: bender.
+ * Example: dn if the group object contains a member: uid=bender,ou=users,dc=planetexpress,dc=com.
+
+* Group Attribute for User (optional)
+ * The attribute of the group object that lists/contains the group members.
+ * Example: memberUid or member
+
+* Team group map (optional)
+ * Automatically add users to Organization teams, depending on LDAP group memberships.
+ * Note: this function only adds users to teams, it never removes users.
+ * Example: {"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2", ...], ...}, ...}
+
+* Team group map removal (optional)
+ * If set to true, users will be removed from teams if they are not members of the corresponding group.