Configure authentication for Gitea

Hi,

I’m currently in the process of migrating our repositories to a self-hosted Gitea instance and I’m a bit unsure on how to set up the authentication and authorization to fit our needs.

What we’d like to do is organize different projects and tech in organisations, this is what we’ve done in the past and that way we won’t break our current git remotes.

For the authentication I’m using LDAP, which I already configured successfully with the help of the Gitea documentation.

However I’m a bit lost on how to do the repository and organization settings correctly.

What we’d like to achieve is the following:

  • Unauthenticated (aka anonymous)/Unauthorized users can’t browse, clone, pull or push any repositories (Gitea itself should be private and locked behind a login).

  • Every user that can correctly authenticate against LDAP should have all the above permissions for all repositories.

I’m not sure if REQUIRE_SIGNIN_VIEW in conjunction with public repositories would be enough, e.g. if git commands would not allow anonymous clones.

The other possible way is to have all repositories set up with a self-made script that uses the Gitea API to configure access the right way, but I think there could be a better way that I don’t see yet.

When doing fine grained configuration of organizations I’ve found that there is the default Owner team, which has access to change the organization, which I wouldn’t want all members to be in, just 2-3 admins.
Then I have to create a new team per organization, e.g. developers, which I can set the access according to my plan.
But then I can’t create a repository as a member of the Owner team, without having to manually add that repository to the developers team later on for them to have access.

I hope you can help me a bit on how to tackle this down correctly :slight_smile:

It is planned to add global teams/groups for LDAP in the future, but that will not happen soon. Currently this is not supported.
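
The script approach mentioned in the question, as an added example that is not part of the original posts and not Gitea project code: it adds every repository of an organization to one non-owner team through the Gitea REST API, so repositories created by an Owners member become visible to the developers team. The organization name `example-org`, the team name `developers`, and the `GITEA_URL`/`GITEA_TOKEN` environment variables are assumptions; the token must belong to an organization owner or site admin.

```python
"""Added example: grant one team access to every repository in a Gitea org."""
import functools
import json
import os
import urllib.request


def gitea_request(base_url, token, method, path):
    """Send one authenticated Gitea API call; return parsed JSON, or None if empty."""
    req = urllib.request.Request(
        f"{base_url}/api/v1{path}", method=method,
        headers={"Authorization": f"token {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def list_all(call, path, limit=50):
    """Walk page/limit pagination until an empty page (the server may cap limit)."""
    items, page = [], 1
    while True:
        batch = call("GET", f"{path}?page={page}&limit={limit}") or []
        if not batch:
            return items
        items.extend(batch)
        page += 1


def sync_team_repos(call, org, team_name):
    """Add each repo of `org` that the team lacks; return the names that were added."""
    teams = list_all(call, f"/orgs/{org}/teams")
    team = next((t for t in teams if t["name"] == team_name), None)
    if team is None:
        raise LookupError(f"team {team_name!r} not found in org {org!r}")
    have = {r["name"] for r in list_all(call, f"/teams/{team['id']}/repos")}
    added = []
    for repo in list_all(call, f"/orgs/{org}/repos"):
        if repo["name"] not in have:
            call("PUT", f"/teams/{team['id']}/repos/{org}/{repo['name']}")
            added.append(repo["name"])
    return added


if __name__ == "__main__":
    # Assumed environment variables; org and team names are placeholders.
    call = functools.partial(
        gitea_request, os.environ["GITEA_URL"].rstrip("/"), os.environ["GITEA_TOKEN"])
    print(sync_team_repos(call, "example-org", "developers"))
```

Run it on a schedule or after repository creation; it is idempotent, since repositories the team already has are skipped.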