LDAP Config find no users

I have installed Gitea version 1.15.2 on a Debian 11 server. Now I want to integrate our AD so that the users are created automatically. Unfortunately, this does not work.

I have made the following settings:

User Search Base
CN=users,DC=dev,DC=local

User filter
(&(objectCategory=Person)(memberOf=CN=_DEV_GIT_USERS,OU=DEV_GROUPS,DC=dev,DC=local)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Admin Filter
(memberOf=CN=_DEV_GIT_ADMINS,OU=DEV_GROUPS,DC=dev,DC=local)

Restricted filter
(memberOf=CN=_DEV_GIT_USERS,OU=DEV_GROUPS,DC=dev,DC=local)

In the LDAP Browser tool from Softerra, the query works perfectly. However, the Gitea server does not find any users. The log says the following:

2021/09/23 09:06:30 …es/auth/ldap/ldap.go:451:SearchEntries() [T] Fetching attributes 'sAMAccountName', 'givenName', 'sn', 'mail', '' with filter (&(objectCategory=Person)(memberOf=CN=_DEV_GIT_USERS,OU=DEV_GROUPS,DC=dev,DC=local)(sAMAccountName=*)(! (UserAccountControl:1.2.840.113556.1.4.803:=2)) and base CN=users,DC=dev,DC=local
2021/09/23 09:06:30 models/user.go:1916:SyncExternalUsers() [E] LDAP search found no entries but did not report an error. Refusing to deactivate all users

I also had this issue and found this post during my research. In my case the root cause was related to missing permissions for the Bind DN user account. The account I used there was only a member of the default "Domain Users" group in my Active Directory. But that is not enough to read all attributes in AD (at least not anymore in newer versions of the Windows Server OS - see here for more information: Understanding the Risks of Pre-Windows 2000 Compatibility Settings in Windows 2022 | Semperis).

To solve the issue in my case, I granted the Bind DN user account the "Read all attributes" permission in the domain for "this object and all child objects".
Instead of the whole domain, it should be enough to grant the permission on the OU and subtree where all required user accounts are located.
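To separate a filter problem from a Bind DN permission problem, an admin can rerun Gitea's sync search as the bind account and check which of the requested attributes actually come back. The following is an added example, not Gitea's own code: it rebuilds the filter from the question's settings the way the log shows it (the `%s` placeholder becomes `*` on sync), emits the matching `ldapsearch` command line, and checks a constructed LDIF result for attributes the bind account could not read. The host `ldap://dc1.dev.local` and bind DN `CN=gitea-bind,...` are placeholders.

```python
import shlex
from typing import Dict, List, Optional

# Values copied from the question above; host and bind DN used by callers are constructed placeholders.
USER_SEARCH_BASE = "CN=users,DC=dev,DC=local"
USER_FILTER = ("(&(objectCategory=Person)"
               "(memberOf=CN=_DEV_GIT_USERS,OU=DEV_GROUPS,DC=dev,DC=local)"
               "(sAMAccountName=%s)"
               "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")
ATTRIBUTES = ["sAMAccountName", "givenName", "sn", "mail"]  # as listed in the log line

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515)."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))

def build_filter(template: str, username: Optional[str] = None) -> str:
    """Fill the %s placeholder. None means a sync run, which the log above
    shows as a wildcard (*) so that every matching account is returned."""
    value = "*" if username is None else escape_filter_value(username)
    return template.replace("%s", value)

def ldapsearch_command(host: str, bind_dn: str, base: str, flt: str, attrs: List[str]) -> str:
    """The same search Gitea logs, run as the Bind DN account (password prompted with -W)."""
    argv = ["ldapsearch", "-LLL", "-H", host, "-D", bind_dn, "-W", "-b", base, flt, *attrs]
    return shlex.join(argv)

def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader for presence checks: a blank line ends an entry; comments and
    folded continuation lines are skipped, base64 (::) values are kept undecoded."""
    entries: List[Dict[str, List[str]]] = []
    for block in filter(str.strip, text.split("\n\n")):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if line and not line.startswith(("#", " ")):
                key, _, val = line.partition(":")
                entry.setdefault(key.strip(), []).append(val.strip(": "))
        entries.append(entry)
    return entries

def missing_attributes(entry: Dict[str, List[str]], required: List[str] = ATTRIBUTES) -> List[str]:
    """Attributes Gitea asked for that the bind account did not get back for this entry."""
    return [a for a in required if a not in entry]

# Constructed sample ldapsearch output: the bind account sees the user but not all attributes.
SAMPLE_LDIF = """\
dn: CN=John Doe,CN=users,DC=dev,DC=local
sAMAccountName: j.doe
sn: Doe
"""
```

If the command returns no entries at all while the Softerra browser (bound as a different account) lists them, the difference is the bind account's read permission on the search base, which is the case the answer above describes.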