ldap

README

Gogs LDAP Authentication Module

About

This authentication module attempts to authorize and authenticate a user against an LDAP server. It provides two methods of authentication: LDAP via BindDN, and LDAP simple authentication.

LDAP via BindDN functions like most LDAP authentication systems. First, it queries the LDAP server using a Bind DN and searches for the user that is attempting to sign in. If the user is found, the module attempts to bind to the server using the user's supplied credentials. If this succeeds, the user has been authenticated, and their account information is retrieved and passed to the Gogs login infrastructure.

LDAP simple authentication does not utilize a Bind DN. Instead, it binds directly with the LDAP server using the user's supplied credentials. If the bind succeeds and no filter rules out the user, the user is authenticated.

LDAP via BindDN is recommended for most users. By using a Bind DN, the server can perform authorization by restricting which entries the Bind DN account can read. Furthermore, using a Bind DN with reduced permissions can reduce security risk in the face of application bugs.

Usage

To use this module, add an LDAP authentication source via the Authentications section in the admin panel. Both the LDAP via BindDN and the simple auth LDAP share the following fields:

• Authorization Name (required)

  • A name to assign to the new method of authorization.

• Host (required)

  • The address where the LDAP server can be reached.
  • Example: mydomain.com

• Port (required)

  • The port to use when connecting to the server.
  • Example: 636

• Enable TLS Encryption (optional)

  • Whether to use TLS when connecting to the LDAP server.

• Admin Filter (optional)

  • An LDAP filter specifying if a user should be given administrator privileges. If a user accounts passes the filter, the user will be privileged as an administrator.
  • Example: (objectClass=adminAccount)

• First name attribute (optional)

  • The attribute of the user's LDAP record containing the user's first name. This will be used to populate their account information.
  • Example: givenName

• Surname attribute (optional)

  • The attribute of the user's LDAP record containing the user's surname This will be used to populate their account information.
  • Example: sn

• E-mail attribute (required)

  • The attribute of the user's LDAP record containing the user's email address. This will be used to populate their account information.
  • Example: mail

LDAP via BindDN adds the following fields:

• Bind DN (optional)

  • The DN to bind to the LDAP server with when searching for the user. This may be left blank to perform an anonymous search.
  • Example: cn=Search,dc=mydomain,dc=com

• Bind Password (optional)

  • The password for the Bind DN specified above, if any. Note: The password is stored in plaintext at the server. As such, ensure that your Bind DN has as few privileges as possible.

• User Search Base (required)

  • The LDAP base at which user accounts will be searched for.
  • Example: ou=Users,dc=mydomain,dc=com

• User Filter (required)

  • An LDAP filter declaring how to find the user record that is attempting to authenticate. The '%s' matching parameter will be substituted with the user's username.
  • Example: (&(objectClass=posixAccount)(uid=%s))

LDAP using simple auth adds the following fields:

• User DN (required)

  • A template to use as the user's DN. The %s matching parameter will be substituted with the user's username.
  • Example: cn=%s,ou=Users,dc=mydomain,dc=com
  • Example: uid=%s,ou=Users,dc=mydomain,dc=com

• User Filter (required)

  • An LDAP filter declaring when a user should be allowed to log in. The %s matching parameter will be substituted with the user's username.
  • Example: (&(objectClass=posixAccount)(cn=%s))
  • Example: (&(objectClass=posixAccount)(uid=%s))

Verify group membership in LDAP uses the following fields:

• Group Search Base (optional)

  • The LDAP DN used for groups.
  • Example: ou=group,dc=mydomain,dc=com

• Group Name Filter (optional)

  • An LDAP filter declaring how to find valid groups in the above DN.
  • Example: (|(cn=gogs_users)(cn=admins))

• User Attribute in Group (optional)

  • Which user LDAP attribute is listed in the group.
  • Example: uid

• Group Attribute for User (optional)

  • Which group LDAP attribute contains an array above user attribute names.
  • Example: memberUid

Documentation

Overview

Package ldap provide functions & structure to query a LDAP ldap directory. For now, it's mainly tested again an MS Active Directory service, see README.md for more information.

Index

• func NewProvider(directBind bool, cfg *Config) auth.Provider
• func SecurityProtocolName(protocol SecurityProtocol) string
• type Config
  • func (c *Config) SecurityProtocolName() string
• type Provider
  • func (p *Provider) Authenticate(login, password string) (*auth.ExternalAccount, error)
  • func (p *Provider) Config() any
  • func (p *Provider) HasTLS() bool
  • func (p *Provider) SkipTLSVerify() bool
  • func (p *Provider) UseTLS() bool
• type SecurityProtocol

Functions

func NewProvider

func NewProvider(directBind bool, cfg *Config) auth.Provider

NewProvider creates a new LDAP authentication provider.

func SecurityProtocolName

func SecurityProtocolName(protocol SecurityProtocol) string

SecurityProtocolName returns the human-readable name for given security protocol.

Types

type Config

type Config struct {
	Host              string // LDAP host
	Port              int    // Port number
	SecurityProtocol  SecurityProtocol
	SkipVerify        bool
	BindDN            string `ini:"bind_dn,omitempty"` // DN to bind with
	BindPassword      string `ini:",omitempty"`        // Bind DN password
	UserBase          string `ini:",omitempty"`        // Base search path for users
	UserDN            string `ini:"user_dn,omitempty"` // Template for the DN of the user for simple auth
	AttributeUsername string // Username attribute
	AttributeName     string // First name attribute
	AttributeSurname  string // Surname attribute
	AttributeMail     string // Email attribute
	AttributesInBind  bool   // Fetch attributes in bind context (not user)
	Filter            string // Query filter to validate entry
	AdminFilter       string // Query filter to check if user is admin
	GroupEnabled      bool   // Whether the group checking is enabled
	GroupDN           string `ini:"group_dn"` // Group search base
	GroupFilter       string // Group name filter
	GroupMemberUID    string `ini:"group_member_uid"` // Group Attribute containing array of UserUID
	UserUID           string `ini:"user_uid"`         // User Attribute listed in group
}

Config contains configuration for LDAP authentication.

⚠️ WARNING: Change to the field name must preserve the INI key name for backward compatibility.

func (*Config) SecurityProtocolName

func (c *Config) SecurityProtocolName() string

type Provider

type Provider struct {
	// contains filtered or unexported fields
}

Provider contains configuration of an LDAP authentication provider.

func (*Provider) Authenticate

func (p *Provider) Authenticate(login, password string) (*auth.ExternalAccount, error)

Authenticate queries if login/password is valid against the LDAP directory pool, and returns queried information when succeeded.

func (*Provider) Config

func (p *Provider) Config() any

func (*Provider) HasTLS

func (p *Provider) HasTLS() bool

func (*Provider) SkipTLSVerify

func (p *Provider) SkipTLSVerify() bool

func (*Provider) UseTLS

func (p *Provider) UseTLS() bool

type SecurityProtocol

type SecurityProtocol int

SecurityProtocol is the security protocol when the authenticate provider talks to LDAP directory.

const (
	SecurityProtocolUnencrypted SecurityProtocol = iota
	SecurityProtocolLDAPS
	SecurityProtocolStartTLS
)

⚠️ WARNING: new type must be added at the end of list to maintain compatibility.