Verify group membership in LDAP


#1

I successfully got Gitea to work with OpenLDAP authentication, but now I want to only have users that are members of a certain PosixGroup allowed to log into Gitea. In my case, the group contains an array of memberUids (it is not the main group for a user).

It looks like what I need is on https://docs.gitea.io/en-us/authentication/ under “Verify group membership in LDAP”, but I don’t see where to enter the settings such as Group Name Filter and User Attribute in Group.

Can anyone point me towards where I would go about enabling “Verify group membership in LDAP” and where I can find the fields to enter the Group Name Filter, etc.?

Thanks in advance!


#2

I was able to work around this by enabling the memberOf overlay. I made the group “cloud” as a groupOfUniqueNames and I add the users that I want to have access to Nextcloud to this group.

I modified the User Filter in Gitea to look something like this:
(&(objectClass=posixAccount)(memberOf=cn=cloud,ou=groups,dc=example,dc=com)(uid=%s))

Hope this helps someone. It would still be nice to do it without the memberOf overlay.
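As an added illustration (not code from the thread or from Gitea), the two membership rules discussed above, evaluated offline in Python against constructed directory entries: the memberOf check from the filter in #2, and a direct posixGroup/memberUid check that needs no overlay, as asked for in #1. It also escapes the login name before it replaces %s, so a name containing characters such as * or ) cannot widen the filter. The DNs (cn=cloud,ou=groups,dc=example,dc=com) and the sample users are assumptions.

```python
# Added example: offline evaluation of the two group-membership rules from the thread.
# The directory contents below are constructed; the group DN is taken from post #2.
GROUP_DN = "cn=cloud,ou=groups,dc=example,dc=com"

# Constructed sample entries, keyed by DN; each value maps attribute -> list of values.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["alice"],
        "memberOf": [GROUP_DN],            # only present when the memberOf overlay is active
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"], "uid": ["bob"],
    },
    GROUP_DN: {
        "objectClass": ["posixGroup"], "cn": ["cloud"],
        "memberUid": ["alice", "carol"],   # post #1's layout: the group lists memberUids
    },
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter,
    so that '*', '(' or ')' in a login name cannot change the filter's meaning."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(special.get(c, c) for c in value)

def user_filter(uid):
    """Post #2's user filter with the login name substituted for %s, escaped."""
    return (f"(&(objectClass=posixAccount)(memberOf={GROUP_DN})"
            f"(uid={escape_filter_value(uid)}))")

def allowed_via_memberof(uid):
    """Rule from post #2: the user's own entry must carry memberOf=<group DN>."""
    for attrs in DIRECTORY.values():
        if "posixAccount" in attrs["objectClass"] and uid in attrs.get("uid", []):
            return GROUP_DN in attrs.get("memberOf", [])
    return False

def allowed_via_posixgroup(uid):
    """Rule without the overlay: the posixGroup entry lists the uid in memberUid."""
    group = DIRECTORY.get(GROUP_DN, {})
    return ("posixGroup" in group.get("objectClass", [])
            and uid in group.get("memberUid", []))
```

Note that the two rules can disagree: a uid listed in memberUid without a matching posixAccount passes the second check but not the first.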


#3

In addition to the memberOf attribute, which is quite a cool one, here is how to set it up on OpenLDAP. First, it is an overlay attribute; if you try to use it in an existing LDAP you have to rejoin your group members, but it won't break anything, because it will be delivered on request.

Here is how I set it up:

cat << EOF > memberof_add.ldif
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof
EOF

cat << EOF > memberof_config.ldif
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOF

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_add.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif

When you watch your logs you will get a warning that something is not indexed; then you CAN index the memberOf attribute like this:

cat << EOF > memberof_index.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: memberOf eq
EOF

# the LDIF carries "changetype: modify", so ldapmodify is the matching command
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f memberof_index.ldif