Map LDAP groups to Organization teams

juewach · December 8, 2022, 1:10pm

Hello all,
I’m using Gitea 1.17.3 on Windows and have configured a “Authentification Source” to connect the Gitea to an MS Active Directory. All works fine (the user are imported from the AD) except the part “Enable LDAP Groups”.

Step1:
I created an organization “Org1” and 2 Teams inside this organization: Team1 and Team2 and created the Groups “cn=MyGroup1,cn=groups,dc=example,dc=org” and “cn=MyGroup2,cn=groups,dc=example,dc=org” on Active Directory.

Step2:
I enabled the functionallity “Enable Ldap Groups”.
I mapped the Ldap-group “cn=MyGroup1,cn=groups,dc=example,dc=org” to the Team1 with
“Map LDAP groups to Organization teams”: {“cn=MyGroup1,cn=groups,dc=example,dc=org”:{“Org1”:[“Team1”]}}
This works.

Step3:
i want to map the Second LDAP-Group “cn=MyGroup2,cn=groups,dc=example,dc=org” to the Team2 together with the mapping for Team1.
I tried to add the second mapping to the entry of step2, like
“Map LDAP groups to Organization teams”: {“cn=MyGroup1,cn=groups,dc=example,dc=org”:{“Org1”:[“Team1”]}}{“cn=MyGroup2,cn=groups,dc=example,dc=org”:{“Org1”:[“Team2”]}}
This doesnt work.

In the log i see an Error:
…dap/source_search.go:235:mapLdapGroupsToTeams() [E] [6391dcab-2] Failed to unmarshall LDAP teams map: Unmarshal: there are bytes left after unmarshal, error found in …

I tried some different separators between the 2 mappings, enclosing with {} and some more but nothing works.

Is that not possible to map more than ONE Ldap-group to one or more teams (in one Authentication Source)?

Thanks
Juergen

jake · December 26, 2022, 9:19pm

The error you are receiving is because you have supplied an invalid JSON string. The LDAP group mapping are JSON, so you want to do something like this:

{
    "cn=MyGroup1,cn=groups,dc=example,dc=org": {
        "Org1": ["Team1"]
    },
    "cn=MyGroup2,cn=groups,dc=example,dc=org": {
        "Org2": ["Team2"]
    }
}

You can use something like https://jsonformatter.curiousconcept.com/ to validate that your string is proper JSON. There’s also a ton of these websites out there, just search “JSON formatter” or “JSON validator”.

stephenlqn · September 13, 2023, 8:00pm

Hi,

I am trying to map a LDAP group to a Gitea team but it is not successful.

My instance is Gitea 1.20.4. Authentication Source is configured and the system is able to sync all LDAP (Windows AD server) users when I click “admin - dashboard - Synchronize external user data”. I am able to login with an AD account.

In the “Authentication Source”, I checked “Enable LDAP groups” and have the following settings:
Group Search Base DN: ou=Distribution Groups,ou=Root,dc=example,dc=com
Group Attribute Containing List Of Users: member
User Attribute Listed In Group: dn
Verify group membership in LDAP (leave the filter empty to skip): (&(objectCategory=Person)(sAMAccountName=%s))
Map LDAP groups to Organization teams (leave the field empty to skip):
{
“CN=DevOps,OU=Distribution Groups,OU=Mail,OU=Root,DC=example,DC=com”: {
“RD”: [“DevOps”]
}
}
Use paged search: checked
page size: 1000

In Gitea I have an Organization called “RD” and a Team underneath called “DevOps”.

I expect with the above configuration, the system should retrieve members of LDAP group “CN=DevOps,OU=Distribution Groups,OU=Mail,OU=Root,DC=example,DC=com” and put them into team RD:Devops. But it shows 0 members.

Is this expectation correct? If so, can somebody show a successful configuration that can map LDAP group members to a Gitea team ?

Thanks,
Stephen

Stanito · September 18, 2023, 8:53am

This is working example:
“antiq”, “applications”, “libraries”, etc - are created Organizations in Gitea
“ldap_leads”, “ldap_edt_devops”, etc - are manually created teams in Gitera Organizations.

{
  "CN=Leads,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_leads"
    ],
    "applications": [
      "ldap_leads"
    ],
    "libraries": [
      "ldap_leads"
    ],
    "x_archive": [
      "ldap_leads"
    ]
  },
  "CN=edt_devops,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "devops": [
      "ldap_edt_devops"
    ]
  },
  "CN=emb,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "emb_mirrors": [
      "ldap_embedded"
    ],
    "emb_tools": [
      "ldap_embedded"
    ],
    "sandbox": [
      "ldap_embedded"
    ],
    "x_archive": [
      "ldap_embedded"
    ]
  },
  "CN=emb_antiq,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_emb_antiq"
    ],
    "applications": [
      "ldap_emb_antiq"
    ],
    "libraries": [
      "ldap_emb_antiq"
    ],
    "hosts": [
      "ldap_emb_antiq"
    ],
    "emb_conan": [
      "ldap_emb_antiq"
    ],
    "emb_mirrors": [
      "ldap_emb_antiq"
    ]
  },
  "CN=emb_devops,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_emb_devops"
    ],
    "applications": [
      "ldap_emb_devops"
    ],
    "aurora": [
      "ldap_emb_devops"
    ],
    "libraries": [
      "ldap_emb_devops"
    ],
    "autoqa": [
      "ldap_emb_devops"
    ],
    "devops": [
      "ldap_emb_devops"
    ],
    "docker": [
      "ldap_emb_devops"
    ],
    "hosts": [
      "ldap_emb_devops"
    ],
    "emb_conan": [
      "ldap_emb_devops"
    ],
    "emb_tools": [
      "ldap_emb_devops"
    ],
    "emb_devsec": [
      "ldap_emb_devops"
    ],
    "emb_mirrors": [
      "ldap_emb_devops"
    ],
    "ports": [
      "ldap_emb_devops"
    ],
    "release_activity": [
      "ldap_emb_devops"
    ]
  },
  "CN=emb_devsec,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "antiq": [
      "ldap_emb_devsec"
    ],
    "applications": [
      "ldap_emb_devsec"
    ],
    "aurora": [
      "ldap_emb_devsec"
    ],
    "libraries": [
      "ldap_emb_devsec"
    ],
    "autoqa": [
      "ldap_emb_devsec"
    ],
    "devops": [
      "ldap_emb_devsec"
    ],
    "docker": [
      "ldap_emb_devsec"
    ],
    "hosts": [
      "ldap_emb_devsec"
    ],
    "emb_conan": [
      "ldap_emb_devsec"
    ],
    "emb_devsec": [
      "ldap_emb_devsec"
    ],
    "ports": [
      "ldap_emb_devsec"
    ],
    "emb_mirrors": [
      "ldap_emb_devsec"
    ],
    "release_activity": [
      "ldap_emb_devsec"
    ]
  },
  "CN=emb_mec,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mec"
    ],
    "libraries": [
      "ldap_emb_mec"
    ],
    "autoqa": [
      "ldap_emb_mec"
    ],
    "hosts": [
      "ldap_emb_mec"
    ],
    "ports": [
      "ldap_emb_mec"
    ],
    "emb_conan": [
      "ldap_emb_mec"
    ],
    "emb_mirrors": [
      "ldap_emb_mec"
    ],
    "release_activity": [
      "ldap_emb_mec"
    ]
  },
  "CN=emb_focus,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_focus"
    ],
    "libraries": [
      "ldap_emb_focus"
    ],
    "autoqa": [
      "ldap_emb_focus"
    ],
    "hosts": [
      "ldap_emb_focus"
    ],
    "ports": [
      "ldap_emb_focus"
    ],
    "emb_conan": [
      "ldap_emb_focus"
    ],
    "emb_mirrors": [
      "ldap_emb_focus"
    ],
    "release_activity": [
      "ldap_emb_focus"
    ]
  },
  "CN=emb_kde_dev,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mobiledocs"
    ],
    "aurora": [
      "ldap_emb_mobiledocs"
    ],
    "libraries": [
      "ldap_emb_mobiledocs"
    ],
    "hosts": [
      "ldap_emb_mobiledocs"
    ],
    "emb_conan": [
      "ldap_emb_mobiledocs"
    ],
    "ports": [
      "ldap_emb_mobiledocs"
    ],
    "emb_mirrors": [
      "ldap_emb_mobiledocs"
    ]
  },
  "CN=emb_kde_qa,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mobiledocs_qa"
    ],
    "aurora": [
      "ldap_emb_mobiledocs_qa"
    ],
    "libraries": [
      "ldap_emb_mobiledocs_qa"
    ],
    "hosts": [
      "ldap_emb_mobiledocs_qa"
    ],
    "emb_conan": [
      "ldap_emb_mobiledocs_qa"
    ],
    "ports": [
      "ldap_emb_mobiledocs_qa"
    ],
    "emb_mirrors": [
      "ldap_emb_mobiledocs_qa"
    ]
  },
  "CN=emb_mail,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_mail"
    ],
    "libraries": [
      "ldap_emb_mail"
    ],
    "autoqa": [
      "ldap_emb_mail"
    ],
    "hosts": [
      "ldap_emb_mail"
    ],
    "emb_conan": [
      "ldap_emb_mail"
    ],
    "emb_mirrors": [
      "ldap_emb_mail"
    ],
    "ports": [
      "ldap_emb_mail"
    ],
    "release_activity": [
      "ldap_emb_mail"
    ]
  },
  "CN=emb_qa,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_qa"
    ],
    "libraries": [
      "ldap_emb_qa"
    ],
    "autoqa": [
      "ldap_emb_qa"
    ],
    "release_activity": [
      "ldap_emb_qa"
    ]
  },
  "CN=spb_team_kos,OU=Groups,OU=CO_Users,DC=mydomain,DC=com": {
    "applications": [
      "ldap_emb_kos"
    ],
    "libraries": [
      "ldap_emb_kos"
    ],
    "hosts": [
      "ldap_emb_kos"
    ],
    "emb_conan": [
      "ldap_emb_kos"
    ],
    "ports": [
      "ldap_emb_kos"
    ],
    "emb_mirrors": [
      "ldap_emb_kos"
    ]
  }
}

stephenlqn · September 19, 2023, 7:33pm

Thanks for the response.

Following the example I configured my ldap settings. It did not report any error. But when I checked the team in the organization (in your example it is team “ldap_leads” under organization “antiq”), it has zero member, while on the domain side it has members under “CN=Leads,OU=Groups,OU=CO_Users,DC=mydomain,DC=com”.

How to make domain group members show up in the Gitea team member list?

Thanks,
Stephen

goldenj · November 6, 2023, 5:34pm

Hello, I’m having the same issue.

Topic		Replies	Views
Active Directory - Enable LDAP Groups - Parameters Install/Maintain/Configure	2	2422	November 6, 2023
LDAP (via BindDN) - mapping LDAP groups to teams with nested Active Directory groups Install/Maintain/Configure	0	499	January 11, 2024
Verify Group Membership in LDAP filter in Gitea AD integration Install/Maintain/Configure	0	270	March 6, 2024
Add new user to multiple owner teams Gitea Usages	1	1971	October 7, 2023
LDAP via BindDN - Active Directory nested groups Install/Maintain/Configure	1	1831	June 11, 2023

Map LDAP groups to Organization teams

Related Topics