Using OpenLDAP with gitea
Learn how to integrate OpenLDAP with gitea to centralize user authentication and authorization management for efficiency and security in your software development workflow.
Updated at July 27th, 2024
Table of Contents
In Gitea, go to Site Administration > Authentication Sources and click Add Authentication Source Select LDAP (via BindDN)
- Host: Your ldap server’s ip/hostname
- Port: Your ldap server’s port (389 by default)
- Bind DN:
uid=admin,ou=people,dc=example,dc=com - Bind Password: Your bind user’s password
- User Search Base:
ou=people,dc=example,dc=com - User Filter: If you want all users to be able to log in, use
(&(objectClass=person)(|(uid=%[1]s)(mail=%[1]s))).
To log in they can either use their email address or user name. If you only want members a specific group to be able to log in, in this case the groupgit_user, use(&(memberof=cn=git_user,ou=groups,dc=example,dc=com)(|(uid=%[1]s)(mail=%[1]s)))
For more info on the user filter, see: https://docs.gitea.io/en-us/authentication/#ldap-via-binddn - Admin Filter: Use
(memberof=cn=ldap_admin,ou=groups,dc=example,dc=com)if you want ldap admins to become Gitea admins. Leave empty otherwise. - Username Attribute:
uid - First Name Attribute:
givenName - Surname Attribute:
sn - Email Attribute:
mail - Avatar Attribute:
jpegPhoto - Check
Enable User Synchronization
Replace every instance of dc=example,dc=com with your configured domain.
After applying the above settings, users should be able to log in with either their user name or email address.
Syncronizing LDAP groups with existing teams in organisations
Groups in OpenLDAP can be syncronized with teams in organisations. Organisations and teams must be created manually in Gitea. It is possible to syncronize one LDAP group with multiple teams in a Gitea organization.
Check Enable LDAP Groups
- Group Search Base DN:
ou=groups,dc=example,dc=com - Group Attribute Containing List Of Users:
member - User Attribute Listed In Group:
dn - Map LDAP groups to Organization teams:
{"cn=Groupname1,ou=groups,dc=example,dc=com":{"Organization1": ["Teamname"]},"cn=Groupname2,ou=groups,dc=example,dc=com": {"Organization2": ["Teamname1", "Teamname2"]}}
Check Remove Users from syncronised teams...
The Map LDAP groups to Organization teams config is JSON formatted and can be extended to as many groups as needed.
Replace every instance of dc=example,dc=com with your configured domain.
Configuration for Gitea in simple auth mode
- The configuration method is the same as
BindDNmode. -
BindDNandpasswordare not required - Gitea will not be able to pre-sync users, user account will be created at login time.