parent
631c85ba4f
commit
7d84d4a8f0
@ -1,43 +1,64 @@ |
|||||||
LDAP authentication |
Gogs LDAP Authentication Module |
||||||
=================== |
=============================== |
||||||
|
|
||||||
## Goal |
## About |
||||||
|
|
||||||
Authenticat user against LDAP directories |
This authentication module attempts to authorize and authenticate a user |
||||||
|
against an LDAP server. Like most LDAP authentication systems, this module does |
||||||
|
this in two steps. First, it queries the LDAP server using a Bind DN and |
||||||
|
searches for the user that is attempting to sign in. If the user is found, the |
||||||
|
module attempts to bind to the server using the user's supplied credentials. If |
||||||
|
this succeeds, the user has been authenticated, and his account information is |
||||||
|
retrieved and passed to the Gogs login infrastructure. |
||||||
|
|
||||||
It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers |
## Usage |
||||||
|
|
||||||
The first OK wins. |
To use this module, add an LDAP authentication source via the Authentications |
||||||
|
section in the admin panel. The fields should be set as follows: |
||||||
|
|
||||||
If there's connection error, the server will be disabled and won't be checked again |
Authorization Name (required) |
||||||
|
A name to assign to the new method of authorization. |
||||||
|
|
||||||
## Usage |
Host (required) |
||||||
|
The address where the LDAP server can be reached. |
||||||
|
Example: mydomain.com |
||||||
|
|
||||||
|
Port (required) |
||||||
|
The port to use when connecting to the server. |
||||||
|
Example: 636 |
||||||
|
|
||||||
In the [security] section, set |
Enable TLS Encryption (optional) |
||||||
> LDAP_AUTH = true |
Whether to use TLS when connecting to the LDAP server. |
||||||
|
|
||||||
then for each LDAP source, set |
Bind DN (optional) |
||||||
|
The DN to bind to the LDAP server with when searching for the user. |
||||||
|
This may be left blank to perform an anonymous search. |
||||||
|
Example: cn=Search,dc=mydomain,dc=com |
||||||
|
|
||||||
> [LdapSource-someuniquename] |
Bind Password (optional) |
||||||
> name=canonicalName |
The password for the Bind DN specified above, if any. |
||||||
> host=hostname-or-ip |
|
||||||
> port=3268 # or regular LDAP port |
|
||||||
> # the following settings depend highly how you've configured your AD |
|
||||||
> basedn=dc=ACME,dc=COM |
|
||||||
> MSADSAFORMAT=%s@ACME.COM |
|
||||||
> filter=(&(objectClass=user)(sAMAccountName=%s)) |
|
||||||
|
|
||||||
### Limitation |
User Search Base (required) |
||||||
|
The LDAP base at which user accounts will be searched for. |
||||||
|
Example: ou=Users,dc=mydomain,dc=com |
||||||
|
|
||||||
Only tested on an MS 2008R2 DC, using global catalog (TCP/3268) |
User Filter (required) |
||||||
|
An LDAP filter declaring how to find the user record that is attempting |
||||||
|
to authenticate. The '%s' matching parameter will be substituted with |
||||||
|
the user's username. |
||||||
|
Example: (&(objectClass=posixAccount)(uid=%s)) |
||||||
|
|
||||||
This MSAD is a mess. |
First name attribute (optional) |
||||||
|
The attribute of the user's LDAP record containing the user's first |
||||||
|
name. This will be used to populate their account information. |
||||||
|
Example: givenName |
||||||
|
|
||||||
The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration |
Surname name attribute (optional) |
||||||
|
The attribute of the user's LDAP record containing the user's surname |
||||||
|
This will be used to populate their account information. |
||||||
|
Example: sn |
||||||
|
|
||||||
### Todo |
E-mail attribute (required) |
||||||
* Define a timeout per server |
The attribute of the user's LDAP record containing the user's email |
||||||
* Check servers marked as "Disabled" when they'll come back online |
address. This will be used to populate their account information. |
||||||
* Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ? |
Example: mail |
||||||
* Check OpenLDAP server |
|
||||||
* SSL support ? |
|
||||||
|
@ -1,29 +0,0 @@ |
|||||||
package ldap |
|
||||||
|
|
||||||
// import (
|
|
||||||
// "fmt"
|
|
||||||
// "testing"
|
|
||||||
// )
|
|
||||||
|
|
||||||
// var ldapServer = "ldap.itd.umich.edu"
|
|
||||||
// var ldapPort = 389
|
|
||||||
// var baseDN = "dc=umich,dc=edu"
|
|
||||||
// var filter = []string{
|
|
||||||
// "(cn=cis-fac)",
|
|
||||||
// "(&(objectclass=rfc822mailgroup)(cn=*Computer*))",
|
|
||||||
// "(&(objectclass=rfc822mailgroup)(cn=*Mathematics*))"}
|
|
||||||
// var attributes = []string{
|
|
||||||
// "cn",
|
|
||||||
// "description"}
|
|
||||||
// var msadsaformat = ""
|
|
||||||
|
|
||||||
// func TestLDAP(t *testing.T) {
|
|
||||||
// AddSource("test", ldapServer, ldapPort, baseDN, attributes, filter, msadsaformat)
|
|
||||||
// user, err := LoginUserLdap("xiaolunwen", "")
|
|
||||||
// if err != nil {
|
|
||||||
// t.Error(err)
|
|
||||||
// return
|
|
||||||
// }
|
|
||||||
|
|
||||||
// fmt.Println(user)
|
|
||||||
// }
|
|