This authentication module attempts to authorize and authenticate a user against an LDAP server. It provides two methods of authentication: LDAP via BindDN, and LDAP simple authentication.
LDAP via BindDN functions like most LDAP authentication systems. First, it queries the LDAP server using a Bind DN and searches for the user that is attempting to sign in. If the user is found, the module attempts to bind to the server using the user's supplied credentials. If this succeeds, the user has been authenticated, and their account information is retrieved and passed to the Gogs login infrastructure.
LDAP simple authentication does not utilize a Bind DN. Instead, it binds directly with the LDAP server using the user's supplied credentials. If the bind succeeds and no filter rules out the user, the user is authenticated.
LDAP via BindDN is recommended for most users. By using a Bind DN, the server can perform authorization by restricting which entries the Bind DN account can read. Furthermore, using a Bind DN with reduced permissions can reduce security risk in the face of application bugs.
To use this module, add an LDAP authentication source via the Authentications section in the admin panel. Both LDAP via BindDN and LDAP simple authentication share the following fields:
Authorization Name (required)
Host (required)
Port (required)
Enable TLS Encryption (optional)
Admin Filter (optional)
First name attribute (optional)
Surname attribute (optional)
E-mail attribute (required)
LDAP via BindDN adds the following fields:
Bind DN (optional)
Bind Password (optional)
User Search Base (required)
User Filter (required)
LDAP using simple auth adds the following fields:
User DN (required)
The %s matching parameter will be substituted with the user's username.
User Filter (required)
The %s matching parameter will be substituted with the user's username.
Verify group membership in LDAP uses the following fields:
Group Search Base (optional)
Group Name Filter (optional)
User Attribute in Group (optional)
Group Attribute for User (optional)
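
The %s substitution described for User DN and User Filter places the submitted username inside LDAP syntax, so it has to be escaped for the context it lands in (RFC 4514 for a DN, RFC 4515 for a filter). The following is an added example, not code from Gogs; the function names, templates and usernames are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for an LDAP search filter (RFC 4515).
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case 0, '(', ')', '*', '\\':
			fmt.Fprintf(&b, "\\%02x", c) // e.g. '*' becomes \2a
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// escapeDNValue escapes an attribute value placed in a DN (RFC 4514).
func escapeDNValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		edge := (i == 0 && (c == '#' || c == ' ')) || (i == len(v)-1 && c == ' ')
		switch {
		case c == 0:
			b.WriteString(`\00`)
		case edge || strings.IndexByte(`,+"\<>;=`, c) >= 0:
			b.WriteByte('\\')
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// fillTemplate (hypothetical helper) escapes username, then fills the one %s.
func fillTemplate(tmpl, username string, esc func(string) string) string {
	return strings.Replace(tmpl, "%s", esc(username), 1)
}

func main() {
	// Constructed templates and usernames, for illustration only.
	fmt.Println(fillTemplate("(&(objectClass=posixAccount)(uid=%s))", "alice)(uid=*", escapeFilterValue))
	fmt.Println(fillTemplate("uid=%s,ou=Users,dc=example,dc=com", "alice,ou=Admins", escapeDNValue))
}
```

With escaping applied, the filter and the DN keep the structure the administrator configured, whatever characters the username contains.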