[LDAP] Can't map LDAP groups to Gitea Orgs/Teams

[drequivalent]

Description

Trying to join Gitea into FreeIPA's LDAP.

Users work fine, but then I need to map the LDAP user groups to Gitea teams in order to manage access in a more centralized way.

The settings are as follows:

Group Search Base DN: cn=groups,cn=accounts,dc=autogramma,dc=lan
Group Attribute Containing List Of Users: member
User Attribute Listed In Group: uid
Map LDAP groups to Organization teams: {"cn=developers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Developers"]},"cn=engineers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Engineers"]}}

Organization is present:

Teams as well:

Updating external user information, though, is not joining anyone to any Teams.

What am I doing wrong?

Gitea Version

1.17.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Gitea binary build

Database

PostgreSQL

[kdumontnu]

Is this a duplicate of #19555?

In short, I don’t think this feature is supported.

[drequivalent]

Is this a duplicate of #19555?

In short, I don’t think this feature is supported.

No. The issue you referenced is about OIDC.

I'm talking about LDAP.

If it's not supported, why is it ("Map LDAP groups to Organization teams") present in settings?

Besides, it was confirmed to work at #21159

[drequivalent]

The log doesn't mention LDAP group sync: in any way.

(I would publish it, but it contains personal data)

[drequivalent]

Here's the abridged version:

сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481] router: started   POST /admin for 192.168.94.11:52480
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...ices/auth/session.go:47:SessionUser() [T] [6320e481] Session Authorization: Found user[2]
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...ices/auth/session.go:63:SessionUser() [T] [6320e481] Session Authorization: Logged in user 2:<USERNAME TRUNCATED>
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...rvices/cron/tasks.go:141:GetTask() [I] [6320e481] Getting sync_external_users in &{{0 0} sync_external_users 0xc0037e63c0 0x1f9f600 finished  <USERNAME TRUNCATED> 12}
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...ervices/auth/sync.go:17:SyncExternalUsers() [T] [6320e481-2] Doing: SyncExternalUsers
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481] router: completed POST /admin for 192.168.94.11:52480, 303 See Other in 3.4ms @ admin/admin.go:141(admin.DashboardPost)
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 .../ldap/source_sync.go:24:Sync() [T] [6320e481-2] Doing: SyncExternalUsers[Autogramma]
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:115:dial() [T] [6320e481-2] Dialing LDAP with security protocol (Unencrypted) without verifying: false
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:490:SearchEntries() [T] [6320e481-2] Bound as BindDN uid=gitea,cn=users,cn=accounts,dc=autogramma,dc=lan
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:508:SearchEntries() [T] [6320e481-2] Fetching attributes 'uid', 'givenName', 'sn', 'mail', 'ipaSshPubKey', '' with filter (&(memberOf=cn=git,cn=groups,cn=accounts,dc=autogramma,dc=lan)(objectClass=posixAccount)(uid=*)) and base cn=users,cn=accounts,dc=autogramma,dc=lan
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:156:checkAdmin() [T] [6320e481-2] Checking admin with filter (memberOf=cn=admins,cn=groups,cn=accounts,dc=autogramma,dc=lan) and base uid=<USERNAME TRUNCATED>,cn=users,cn=accounts,dc=autogramma,dc=lan
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:167:checkAdmin() [T] [6320e481-2] LDAP Admin Search found no matching entries.
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:156:checkAdmin() [T] [6320e481-2] Checking admin with filter (memberOf=cn=admins,cn=groups,cn=accounts,dc=autogramma,dc=lan) and base uid=<USERNAME TRUNCATED>,cn=users,cn=accounts,dc=autogramma,dc=lan
--+more lines like this, one or two for each user--
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481-3] router: started   GET /admin for 192.168.94.11:52482
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...s/context/context.go:219:HTML() [D] [6320e481-3] Template: admin/dashboard
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481-3] router: completed GET /admin for 192.168.94.11:52482, 200 OK in 3.7ms @ admin/admin.go:126(admin.Dashboard)
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...s/asymkey/ssh_key.go:394:SynchronizePublicKeys() [T] [6320e481-2] synchronizePublicKeys[Autogramma]: Handling Public SSH Key synchronization for user alexander.volnov
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...s/asymkey/ssh_key.go:421:SynchronizePublicKeys() [T] [6320e481-2] synchronizePublicKeys[Autogramma]: Public Keys are already in sync for <USERNAME TRUNCATED> (Source:0/DB:0)
--+more lines like this, one for each user--

[6543]

@drequivalent 1.17.12 does not exist do you mean 1.17.2 ?

[drequivalent]

@drequivalent 1.17.12 does not exist do you mean 1.17.2 ?

Yes, of course. Sorry for typo.

[drequivalent]

Please, help! I'm stuck!

[drequivalent]

I have put dn into User Attribute Listed In Group instead of uid, as suggested by @svenseeberg in private correspondence.

This seems to have worked, and now I have the teams populated.

I think, this needs a better explanation in documentation and settings UI.

Thanks, @svenseeberg, I really appreciate your help!

[dawivid]

Did this get resolved or changed? I am struggling with exactly the same thing

THis is the debug I get

4/04 14:30:12 ...dap/source_search.go:340:SearchEntry() [T] [642c3474] Fetching attributes '', '', '', 'mail', '', '', 'dn' with filter '(sAMAccountName=david.testing)' and base 'CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr,DC=cr14,DC=net'
gitea | 2023/04/04 14:30:12 ...dap/source_search.go:228:listLdapGroupMemberships() [E] [642c3474] Failed group search in LDAP with filter [(&()(member=CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr

FYI - from the screenshot remove the Verify Group Membership, when I confiugure this it doesn't search AD for my group memberships