first-commit

2025-08-25 15:46:12 +08:00
commit f4d95dfff4
5665 changed files with 705359 additions and 0 deletions
--- a/services/auth/source/ldap/README.md
+++ b/services/auth/source/ldap/README.md
@@ -0,0 +1,131 @@
+# Gitea LDAP Authentication Module
+
+## About
+
+This authentication module attempts to authorize and authenticate a user
+against an LDAP server. It provides two methods of authentication: LDAP via
+BindDN, and LDAP simple authentication.
+
+LDAP via BindDN functions like most LDAP authentication systems. First, it
+queries the LDAP server using a Bind DN and searches for the user that is
+attempting to sign in. If the user is found, the module attempts to bind to the
+server using the user's supplied credentials. If this succeeds, the user has
+been authenticated, and his account information is retrieved and passed to the
+Gogs login infrastructure.
+
+LDAP simple authentication does not utilize a Bind DN. Instead, it binds
+directly with the LDAP server using the user's supplied credentials. If the bind
+succeeds and no filter rules out the user, the user is authenticated.
+
+LDAP via BindDN is recommended for most users. By using a Bind DN, the server
+can perform authorization by restricting which entries the Bind DN account can
+read. Further, using a Bind DN with reduced permissions can reduce security risk
+in the face of application bugs.
+
+## Usage
+
+To use this module, add an LDAP authentication source via the Authentications
+section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP
+share the following fields:
+
+* Authorization Name **(required)**
+  * A name to assign to the new method of authorization.
+
+* Host **(required)**
+  * The address where the LDAP server can be reached.
+  * Example: mydomain.com
+
+* Port **(required)**
+  * The port to use when connecting to the server.
+  * Example: 636
+
+* Enable TLS Encryption (optional)
+  * Whether to use TLS when connecting to the LDAP server.
+
+* Admin Filter (optional)
+  * An LDAP filter specifying if a user should be given administrator
+      privileges. If a user accounts passes the filter, the user will be
+      privileged as an administrator.
+  * Example: (objectClass=adminAccount)
+
+* First name attribute (optional)
+  * The attribute of the user's LDAP record containing the user's first name.
+      This will be used to populate their account information.
+  * Example: givenName
+
+* Surname attribute (optional)
+  * The attribute of the user's LDAP record containing the user's surname This
+      will be used to populate their account information.
+  * Example: sn
+
+* E-mail attribute **(required)**
+  * The attribute of the user's LDAP record containing the user's email
+      address. This will be used to populate their account information.
+  * Example: mail
+
+**LDAP via BindDN** adds the following fields:
+
+* Bind DN (optional)
+  * The DN to bind to the LDAP server with when searching for the user. This
+      may be left blank to perform an anonymous search.
+  * Example: cn=Search,dc=mydomain,dc=com
+
+* Bind Password (optional)
+  * The password for the Bind DN specified above, if any. _Note: The password
+      is stored in plaintext at the server. As such, ensure that your Bind DN
+      has as few privileges as possible._
+
+* User Search Base **(required)**
+  * The LDAP base at which user accounts will be searched for.
+  * Example: ou=Users,dc=mydomain,dc=com
+
+* User Filter **(required)**
+  * An LDAP filter declaring how to find the user record that is attempting to
+      authenticate. The '%[1]s' matching parameter will be substituted with the
+      user's username.
+  * Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))
+
+**LDAP using simple auth** adds the following fields:
+
+* User DN **(required)**
+  * A template to use as the user's DN. The `%s` matching parameter will be
+      substituted with the user's username.
+  * Example: cn=%s,ou=Users,dc=mydomain,dc=com
+  * Example: uid=%s,ou=Users,dc=mydomain,dc=com
+
+* User Search Base (optional)
+  * The LDAP base at which user accounts will be searched for.
+  * Example: ou=Users,dc=mydomain,dc=com
+
+* User Filter **(required)**
+  * An LDAP filter declaring when a user should be allowed to log in. The `%[1]s`
+      matching parameter will be substituted with the user's username.
+  * Example: (&(objectClass=posixAccount)(|(cn=%[1]s)(mail=%[1]s)))
+  * Example: (&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))
+
+**Verify group membership in LDAP** uses the following fields:
+
+* Group Search Base (optional)
+  * The LDAP DN used for groups.
+  * Example: ou=group,dc=mydomain,dc=com
+
+* Group Name Filter (optional)
+  * An LDAP filter declaring how to find valid groups in the above DN.
+  * Example: (|(cn=gitea_users)(cn=admins))
+
+* User Attribute in Group (optional)
+  * The user attribute that is used to reference a user in the group object.
+  * Example: uid if the group objects contains a member: bender and the user object contains a uid: bender.
+  * Example: dn if the group object contains a member: uid=bender,ou=users,dc=planetexpress,dc=com.
+
+* Group Attribute for User (optional)
+  * The attribute of the group object that lists/contains the group members.
+  * Example: memberUid or member
+
+* Team group map (optional)
+  * Automatically add users to Organization teams, depending on LDAP group memberships.
+  * Note: this function only adds users to teams, it never removes users.
+  * Example: {"cn=MyGroup,cn=groups,dc=example,dc=org": {"MyGiteaOrganization": ["MyGiteaTeam1", "MyGiteaTeam2", ...], ...}, ...}
+
+* Team group map removal (optional)
+  * If set to true, users will be removed from teams if they are not members of the corresponding group.