[LDAP] Can't map LDAP groups to Gitea Orgs/Teams

[drequivalent]

Description

Trying to join Gitea into FreeIPA's LDAP.

Users work fine, but then I need to map the LDAP user groups to Gitea teams in order to manage access in a more centralized way.

The settings are as follows:

Group Search Base DN: cn=groups,cn=accounts,dc=autogramma,dc=lan
Group Attribute Containing List Of Users: member
User Attribute Listed In Group: uid
Map LDAP groups to Organization teams: {"cn=developers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Developers"]},"cn=engineers,cn=groups,cn=accounts,dc=autogramma,dc=lan":{"Autogramma":["Engineers"]}}

Organization is present:

Teams as well:

Updating external user information, though, is not joining anyone to any Teams.

What am I doing wrong?

Gitea Version

1.17.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Gitea binary build

Database

PostgreSQL

[kdumontnu]

Is this a duplicate of #19555?

In short, I don’t think this feature is supported.

[drequivalent]

Is this a duplicate of #19555?

In short, I don’t think this feature is supported.

No. The issue you referenced is about OIDC.

I'm talking about LDAP.

If it's not supported, why is it ("Map LDAP groups to Organization teams") present in settings?

Besides, it was confirmed to work at #21159

[drequivalent]

The log doesn't mention LDAP group sync: in any way.

(I would publish it, but it contains personal data)

[drequivalent]

Here's the abridged version:

сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481] router: started   POST /admin for 192.168.94.11:52480
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...ices/auth/session.go:47:SessionUser() [T] [6320e481] Session Authorization: Found user[2]
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...ices/auth/session.go:63:SessionUser() [T] [6320e481] Session Authorization: Logged in user 2:<USERNAME TRUNCATED>
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...rvices/cron/tasks.go:141:GetTask() [I] [6320e481] Getting sync_external_users in &{{0 0} sync_external_users 0xc0037e63c0 0x1f9f600 finished  <USERNAME TRUNCATED> 12}
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...ervices/auth/sync.go:17:SyncExternalUsers() [T] [6320e481-2] Doing: SyncExternalUsers
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481] router: completed POST /admin for 192.168.94.11:52480, 303 See Other in 3.4ms @ admin/admin.go:141(admin.DashboardPost)
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 .../ldap/source_sync.go:24:Sync() [T] [6320e481-2] Doing: SyncExternalUsers[Autogramma]
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:115:dial() [T] [6320e481-2] Dialing LDAP with security protocol (Unencrypted) without verifying: false
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:490:SearchEntries() [T] [6320e481-2] Bound as BindDN uid=gitea,cn=users,cn=accounts,dc=autogramma,dc=lan
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:508:SearchEntries() [T] [6320e481-2] Fetching attributes 'uid', 'givenName', 'sn', 'mail', 'ipaSshPubKey', '' with filter (&(memberOf=cn=git,cn=groups,cn=accounts,dc=autogramma,dc=lan)(objectClass=posixAccount)(uid=*)) and base cn=users,cn=accounts,dc=autogramma,dc=lan
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:156:checkAdmin() [T] [6320e481-2] Checking admin with filter (memberOf=cn=admins,cn=groups,cn=accounts,dc=autogramma,dc=lan) and base uid=<USERNAME TRUNCATED>,cn=users,cn=accounts,dc=autogramma,dc=lan
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:167:checkAdmin() [T] [6320e481-2] LDAP Admin Search found no matching entries.
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...dap/source_search.go:156:checkAdmin() [T] [6320e481-2] Checking admin with filter (memberOf=cn=admins,cn=groups,cn=accounts,dc=autogramma,dc=lan) and base uid=<USERNAME TRUNCATED>,cn=users,cn=accounts,dc=autogramma,dc=lan
--+more lines like this, one or two for each user--
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481-3] router: started   GET /admin for 192.168.94.11:52482
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...s/context/context.go:219:HTML() [D] [6320e481-3] Template: admin/dashboard
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 [6320e481-3] router: completed GET /admin for 192.168.94.11:52482, 200 OK in 3.7ms @ admin/admin.go:126(admin.Dashboard)
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...s/asymkey/ssh_key.go:394:SynchronizePublicKeys() [T] [6320e481-2] synchronizePublicKeys[Autogramma]: Handling Public SSH Key synchronization for user alexander.volnov
сен 13 23:13:53 gitea gitea[12272]: 2022/09/13 23:13:53 ...s/asymkey/ssh_key.go:421:SynchronizePublicKeys() [T] [6320e481-2] synchronizePublicKeys[Autogramma]: Public Keys are already in sync for <USERNAME TRUNCATED> (Source:0/DB:0)
--+more lines like this, one for each user--

[6543]

@drequivalent 1.17.12 does not exist do you mean 1.17.2 ?

[drequivalent]

@drequivalent 1.17.12 does not exist do you mean 1.17.2 ?

Yes, of course. Sorry for typo.

[drequivalent]

Please, help! I'm stuck!

[drequivalent]

I have put dn into User Attribute Listed In Group instead of uid, as suggested by @svenseeberg in private correspondence.

This seems to have worked, and now I have the teams populated.

I think, this needs a better explanation in documentation and settings UI.

Thanks, @svenseeberg, I really appreciate your help!

[dawivid]

Did this get resolved or changed? I am struggling with exactly the same thing

THis is the debug I get

4/04 14:30:12 ...dap/source_search.go:340:SearchEntry() [T] [642c3474] Fetching attributes '', '', '', 'mail', '', '', 'dn' with filter '(sAMAccountName=david.testing)' and base 'CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr,DC=cr14,DC=net'
gitea | 2023/04/04 14:30:12 ...dap/source_search.go:228:listLdapGroupMemberships() [E] [642c3474] Failed group search in LDAP with filter [(&()(member=CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr

FYI - from the screenshot remove the Verify Group Membership, when I confiugure this it doesn't search AD for my group memberships

[dawivid]

sorry, I am running v1.19 and authenticating against Active Directory server 2016

[svenseeberg]

Can you look into your log files on your AD server and see if there are any problems with the queries? And can you provide examples of your group and user objects?

[dawivid]

THanks for getting back to me Sven. The Event viewer shows no errors, only mentions that I am working currently over LDAP and it woiuld like to move to LDAPS. When you say examples, what would you like to see? OUtput from ldapsearch, or Attribute editor or........?

[dawivid]

In the meantime I will give you this output:

here is the DN of my user
distinguishedName: CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr,DC=cr
14,DC=net

Here is an LDAPsearch output filtering for member
.# Re_Gitea_user, Gitea, Resources, Infra, ocr.cr14.net
dn: CN=Re_Gitea_user,OU=Gitea,OU=Resources,OU=Infra,DC=ocr,DC=cr14,DC=net
member: CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr,DC=cr14,DC=net

Here is the output from Gitea:
gitea | 2023/04/05 10:38:26 ...dap/source_search.go:145:bindUser() [T] [642d4fa2] Bound successfully with userDN: CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr,DC=cr14,DC=net
gitea | 2023/04/05 10:38:26 ...dap/source_search.go:340:SearchEntry() [T] [642d4fa2] Fetching attributes '', '', '', 'mail', '', '', 'dN' with filter '(sAMAccountName=david.testing)' and base 'CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr,DC=cr14,DC=net'
gitea | 2023/04/05 10:38:26 ...dap/source_search.go:228:listLdapGroupMemberships() [E] [642d4fa2] Failed group search in LDAP with filter [(&()(member=CN=david testing,OU=Internal,OU=Users,OU=Infra,DC=ocr,DC=cr14,DC=net))]: LDAP Result Code 201 "Filter Compile Error": ldap: error parsing filter
gitea | 2023/04/05 10:38:26 [642d4fa2] router: completed POST /user/login for 192.168.200.104:55457, 303 See Other in 11.3ms @ auth/auth.go:170(auth.SignInPost)

Gitea's search text is literally verbatom what I am getting out of ldapsearch.

[dawivid]

So, looking through this with chatGPT, it is telling me the problem is at the start of the search string [(&()...

This empty bracket is the issue and I can't work out how to get it populated.

[svenseeberg]

This empty bracket is the issue and I can't work out how to get it populated.

Looks like you're running into #23615

[dawivid]

This empty bracket is the issue and I can't work out how to get it populated.

Looks like you're running into #23615

Indeed! However, when I populate the 'Verify Group Memebership in LDAP' it stops searching all together.

my version is 1.19.0 built with GNU Make 4.3, go1.20.2 . I will update the other issue though