This repository was archived by the owner on Dec 2, 2017. It is now read-only.

Commit ca89625

Jonathan Lozada D authored and lafriks committed
added the ldap authentication. (#144)
* added the ldap authentication. * Added a Microsoft AD Examples.
1 parent 6ffa88d commit ca89625


1 file changed

+177
-1
lines changed


content/doc/features/authentication.en-us.md

Lines changed: 177 additions & 1 deletion
@@ -13,6 +13,182 @@ menu:
1313
identifier: "authentication"
1414
---
1515

16+
---
17+
name: Authentication
18+
---
19+
1620
# Authentication
1721

18-
## TBD
22+
## LDAP
23+
24+
Both the LDAP via BindDN and the simple auth LDAP share the following fields:
25+
26+
- Authorization Name **(required)**
27+
- A name to assign to the new method of authorization.
28+
29+
- Host **(required)**
30+
- The address where the LDAP server can be reached.
31+
- Example: `mydomain.com`
32+
33+
- Port **(required)**
34+
- The port to use when connecting to the server.
35+
- Example: `389` for LDAP or `636` for LDAP SSL
36+
37+
- Enable TLS Encryption (optional)
38+
- Whether to use TLS when connecting to the LDAP server.
39+
40+
- Admin Filter (optional)
41+
- An LDAP filter specifying if a user should be given administrator
42+
privileges. If a user accounts passes the filter, the user will be
43+
privileged as an administrator.
44+
- Example: `(objectClass=adminAccount)`
45+
- Example for Microsoft AD: `(memberOf=CN=admin-group,OU=example,DC=example,DC=org)`
46+
47+
- Username attribute (optional)
48+
- The attribute of the user's LDAP record containing the user name. Given
49+
attribute value will be used for new Gitea account user name after first
50+
successful sign-in. Leave empty to use login name given on sign-in form.
51+
- This is useful when supplied login name is matched against multiple
52+
attributes, but only single specific attribute should be used for Gitea
53+
account name, see "User Filter".
54+
- Example: `uid`
55+
- Example for Microsoft AD: `sAMAccountName`
56+
57+
- First name attribute (optional)
58+
- The attribute of the user's LDAP record containing the user's first name.
59+
This will be used to populate their account information.
60+
- Example: `givenName`
61+
62+
- Surname attribute (optional)
63+
- The attribute of the user's LDAP record containing the user's surname.
64+
This will be used to populate their account information.
65+
- Example: `sn`
66+
67+
- E-mail attribute **(required)**
68+
- The attribute of the user's LDAP record containing the user's email
69+
address. This will be used to populate their account information.
70+
- Example: `mail`
71+
72+
**LDAP via BindDN** adds the following fields:
73+
74+
- Bind DN (optional)
75+
- The DN to bind to the LDAP server with when searching for the user. This
76+
may be left blank to perform an anonymous search.
77+
- Example: `cn=Search,dc=mydomain,dc=com`
78+
79+
- Bind Password (optional)
80+
- The password for the Bind DN specified above, if any. _Note: The password
81+
is stored in plaintext at the server. As such, ensure that your Bind DN
82+
has as few privileges as possible._
83+
84+
- User Search Base **(required)**
85+
- The LDAP base at which user accounts will be searched for.
86+
- Example: `ou=Users,dc=mydomain,dc=com`
87+
88+
- User Filter **(required)**
89+
- An LDAP filter declaring how to find the user record that is attempting to
90+
authenticate. The `%s` matching parameter will be substituted with login
91+
name given on sign-in form.
92+
- Example: `(&(objectClass=posixAccount)(uid=%s))`
93+
- Example for Microsoft AD: `(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`
94+
- To substitute more than once `%[1]s` should be used instead, eg. when
95+
matching supplied login name against multiple attributes such as user
96+
identifier, email or even phone number.
97+
- Example: `(&(objectClass=Person)(|(uid=%[1]s)(mail=%[1]s)(mobile=%[1]s)))`
98+
99+
**LDAP using simple auth** adds the following fields:
100+
101+
- User DN **(required)**
102+
- A template to use as the user's DN. The `%s` matching parameter will be substituted with login name given on sign-in form.
103+
- Example: `cn=%s,ou=Users,dc=mydomain,dc=com`
104+
- Example: `uid=%s,ou=Users,dc=mydomain,dc=com`
105+
106+
- User Filter **(required)**
107+
- An LDAP filter declaring when a user should be allowed to log in. The `%s`
108+
matching parameter will be substituted with login name given on sign-in
109+
form.
110+
- Example: `(&(objectClass=posixAccount)(cn=%s))`
111+
- Example: `(&(objectClass=posixAccount)(uid=%s))`
112+
113+
**Verify group membership in LDAP** uses the following fields:
114+
115+
* Group Search Base (optional)
116+
* The LDAP DN used for groups.
117+
* Example: `ou=group,dc=mydomain,dc=com`
118+
119+
* Group Name Filter (optional)
120+
* An LDAP filter declaring how to find valid groups in the above DN.
121+
* Example: `(|(cn=gitea_users)(cn=admins))`
122+
123+
* User Attribute in Group (optional)
124+
* Which user LDAP attribute is listed in the group.
125+
* Example: `uid`
126+
127+
* Group Attribute for User (optional)
128+
* Which group LDAP attribute contains an array above user attribute names.
129+
* Example: `memberUid`
130+
131+
## PAM
132+
133+
To configure this you just need to set the 'PAM Service Name' to a filename in `/etc/pam.d/`.
134+
If you want it to work with normal Linux passwords, the user running Gitea must have read access to `/etc/shadow`.
135+
136+
## SMTP
137+
138+
This option allows Gitea to log in to your SMTP host as a Gitea user. To configure this, simply set the fields below:
139+
140+
- Authentication Name **(required)**
141+
- A name to assign to the new method of authorization.
142+
143+
- SMTP Authentication Type **(required)**
144+
- Type of authentication for use on your SMTP host, PLAIN or LOGIN.
145+
146+
- Host **(required)**
147+
- The address where the SMTP host can be reached.
148+
- Example: `smtp.mydomain.com`
149+
150+
- Port **(required)**
151+
- The port to use when connecting to the server.
152+
- Example: `587`
153+
154+
- Allowed Domains
155+
- Restrict what domains can log in if you're using public SMTP host or SMTP host with multiple domains.
156+
- Example: `gitea.io,mydomain.com,mydomain2.com`
157+
158+
- Enable TLS Encryption
159+
- Enable TLS encryption on authentication.
160+
161+
- Skip TLS Verify
162+
- Disable TLS verify on authentication.
163+
164+
- This authentication is activate
165+
- Enable or disable this auth.
166+
167+
## FreeIPA
168+
169+
- In order to login to Gitea using FreeIPA credentials, you need to create a bind account for Gitea to use:
170+
171+
- On the FreeIPA server, create a `gitea.ldif` file, replacing `dc=example,dc=com` with your DN, and providing an appropriately secure password:
172+
```
173+
dn: uid=gitea,cn=sysaccounts,cn=etc,dc=example,dc=com
174+
changetype: add
175+
objectclass: account
176+
objectclass: simplesecurityobject
177+
uid: gitea
178+
userPassword: secure password
179+
passwordExpirationTime: 20380119031407Z
180+
nsIdleTimeout: 0
181+
```
182+
183+
- Import the LDIF (change localhost to an IPA server if needed), you’ll be prompted for your Directory Manager password:
184+
```
185+
ldapmodify -h localhost -p 389 -x -D \
186+
"cn=Directory Manager" -W -f gitea.ldif
187+
```
188+
- Add an IPA group for gitea_users :
189+
```
190+
ipa group-add --desc="Gitea Users" gitea_users
191+
```
192+
- Note! if you get error about ipa credentials please run kinit admin and give your admin accound password.
193+
194+
- Now login to the Gitea as an Admin, click on “Authentication” under Admin Panel. Then click `New LDAP Source` and fill in the details, changing all where appropriate to your own domain
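Review bot: the `Enable TLS Encryption (optional)` entry in the LDAP section and the `Skip TLS Verify` entry in the SMTP section describe the switches but not their consequence, which is the part an administrator needs: without TLS on port `389` the Bind Password and every user's sign-in credentials cross the network unencrypted, and disabling TLS verification accepts any certificate, so the connection can be intercepted. Suggest stating both, e.g. `- Whether to use TLS when connecting to the LDAP server. Without it, the Bind Password and user credentials are sent in cleartext.` and `- Disable TLS certificate verification on authentication. Intended for testing only; with it set, the connection is not protected against interception.` The `_Note:_` under Bind Password already sets the right tone for this. Two wording fixes while here: `This authentication is activate` should read `This authentication is activated`, and `admin accound password` in the FreeIPA note should read `admin account password`.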
