-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LDAP Sync Problems (is_admin, is_restricted and is_active) #13419
Comments
This is very interesting. Why is it that the ldap is giving different results for the same query?
There's something very odd going on here. Is there request limiting? Are we sending some whitespace by accident? |
Maybe I was not very clear, sorry for that: |
May be unrelated to the cause of issues others have had (I've seen at least one screenshot showing my fix would not help them on other related issues) but I was having issues with user deactivation after a sync. Turns out if you have, in my example a Hoping this helps someone. |
This issue is happening for me as well. I don't know if it is related to me leaving the "Username Attribute" field empty since out LDAP apparently doesn't support the UID attribute and the closest thing I can use "userPrincipalName" is effectively their domain email address. |
Is your user attribute |
From what I can tell by running queries, |
If you're directly referencing a user object in your LDAP structure how do you do so? For me it would be like |
I am using |
This is extremely helpful! I had left this option blank, because the "Leave empty to use the username entered in Gitea" guidance implies that all it is used for is to determine the Gitea-internal username for the user. Adding |
Hi! |
Same here! |
Hello, just find out that there is a solution that works for us here . You have to put a valid value username attribute. CN is an example in the post, I had to put 'uid' as the 'cn' is empty in our ldap. |
1.22.0, the issue still exist, while using LDAP (via BindDN) as authentication source, Gitea deactivates LDAP users almost once a day or when you run “Synchronize external user data”. |
[x]
):Synchronize external user data
: https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-0-logadmin
: https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-1-logadmin
: https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-2-logext
(restricted): https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-3-logDescription
We are encountering 2/3 main issues with LDAP authentication:
is_admin
is set correctly on account creation (fist login to Gitea) but is not updated anymore on subsequent loginsis_restricted
is not updated anymore on subsequent logins (have not tested on account creation yet, sry)"AllowDeactivateAll": false
is set ( Add option to prevent LDAP from deactivating everything on empty search #9879 ) each user'sis_active
attribute is set tofalse
(cf. https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-0-log-L177-L178 ff.) when usingSynchronize external user data
inadmin/monitor
in the web UI (and also on cron started synchronizations).This is our configuration of the authentication method:
This is the list of our users (probably important for the log gist):
The values after the user keys are the roles each user has (eg
user00
isadmin
and(memberOf=CN=admin,OU=roles,DC=our,DC=domain,DC=com)
evaluates to true).When the filters are run manually with
ldapsearch
they return the correct user entries.Issue 1)
Should theoretically be fixed already (cf. #10538 (comment) ) but is not working for me: Is my admin filter wrong? If yes, why is the attribute correct on creation?
On subsequent login, LDAP seems to correctly filter for
admin
as it is not logging[T] LDAP Admin Search found no matching entries
when theadmin
role is set:admin
role is set ( https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-1-log-L34-L35 )admin
role is not set ( https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-2-log-L14-L19 )Yet, the
is_admin
flag remains unaltered.Issue 2)
This was tested (for the log) by adding
ext
role touser08
.Here again, according to the log, LDAP seems to correctly apply the filter (No
[T] LDAP Restricted Search found no matching entries
login):ext
role is set ( https://gist.github.com/lcnittl/60045a167285b50d72f0037f8a37cc2e#file-gitea-trace-3-log-L16-L17 )Is
is_restricted
supposed to get updated on each login?Issue 3)
I think this -- deactivation of all users -- should not happen in our case because
AllowDeactivateAll
is set tofalse
(so it should never deactivate all users?)admin
andrestricted
filters are returning empty lists, for obvious reasonsBut probably there is a filter problem here as well?
Any input welcome! If there is further info needed, please let me know!
Related
The text was updated successfully, but these errors were encountered: