You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Gogs supports authentication by various external sources. Currently supported are: LDAP, SMTP, PAM, and GitHub. Sources can be configured in **Admin Panel - Authentication Sources**, or (starting from `0.11.45.0412`) using configuration files in `custom/conf/auth.d`.
Starting from `0.11.45.0412`, you can define the authentication source in local files to help better automate setup process.
Files with the suffix `.conf` under `conf/auth.d` of the custom directory will be recognized as authentication sources. For example, `custom/conf/auth.d/my_auth_source.conf`. As long as the file name ends with `.conf`, you can name it anything memorable. You can find examples of all supported types [here](https://github.com/gogs/gogs/tree/f2ecfdc96a338815ffb2be898b3114031f0da48c/conf/auth.d).
Since version `0.11.45.0412`, files with the suffix `.conf` under `custom/conf/auth.d` will be recognized as authentication sources. An example for each of the supported sources can be found [here](https://github.com/gogs/gogs/tree/master/conf/auth.d).
Once files are loaded, they will appear in the **Admin Panel - Authentication Sources** page as before. They also work nicely with authentication sources defined in the database.
Authentication sources defined via configuration files appear in the **Admin Panel - Authentication Sources** just like sources created via the web interface.
However, do not try to edit the file directly. Rather, edit it via the web interface because files are only read once when Gogs starts.
Configuration files are read once when Gogs starts. To edit them while Gogs is running, use the web interface.
## Configuration
### LDAP
Both the LDAP via BindDN and the simple auth LDAP share the following fields:
There are two variants for LDAP authentication: with or without a separate Bind DN. In both cases authentication is performed by attempting to bind to the LDAP with the User DN and password. The difference is that with the Bind DN, a query is first performed (by the Bind DN) to find the User DN.
- Authorization Name **(required)**
- A name to assign to the new method of authorization.
The Bind DN mechanism has these advantages:
- It may be more secure than blindy attempting to bind with a possibly non-existent User DN
- It supports login with e.g. email address or phone number. The preliminary search could look up the User DN using their `mail` or `mobile` attribute (but see the FreeIPA section further down: features in Gogs may have obsoleted the need for this)
- A Bind DN is required when the LDAP does not allow the User DN to query its own attributes or group memberships
The downside to the Bind DN mechanism is that, unless the LDAP allows anonymous queries, it requires a bind DN to be defined in the LDAP, and Gogs needs to store its credentials. Gogs currently does not encrypt these.
In the ideal situation, the LDAP allows anonymous queries (at least in the "user container") and the Bind DN mechanism can be used without a Bind DN and password. The options available to you depend on how the LDAP in your organisation has been configured.
**Shared configuration fields** between _Bind DN_ and _Simple Auth_ authentication
- Authentication Name **(required)**
- A friendly name to assign to the new authentication source
- Security Protocol **(required)**
- Unencrypted (0), LDAPS (1), StartTLS (2)
- Host **(required)**
- The address where the LDAP server can be reached.
- Example: `mydomain.com`
- Example: `ldap.mydomain.com`
- Port **(required)**
- The port to use when connecting to the server.
- Example: `636`
- Usually `389` for the LDAP and StartTLS protocols, `636` for LDAPS protocol.
- Enable TLS Encryption (optional)
- Whether to use TLS when connecting to the LDAP server.
- User Filter **(required)**
- An LDAP filter declaring which users should be allowed to log in. Used as the
initial search query in the Bind DN authenticator. Applied "on top of" the
authenticated user context in Simple Authentication. The `%s` matching parameter
will be substituted with the login name given on the sign-in form.
- To substitute more than once, e.g. when matching a supplied login name against multiple attributes such as user identifier, email, or even phone number.
- Import the LDIF (change `localhost` to an IPA server if needed). You will be prompted for your Directory Manager password:
```
ldapmodify -h localhost -p 389 -x -D \
"cn=Directory Manager" -W -f gogs.ldif
```
- Add an IPA group for `gogs_users`:
```
ipa group-add --desc="Gogs Users" gogs_users
```
- Note! If you get an error about IPA credentials, run kinit admin and give your admin accound password.
- Now log into Gogs as admin and click on "Authentication" under the Admin Panel. Then click *New LDAP Source* and fill in the details, changing all appropriate fields for your own domain as shown below:
It is possible to use either Bind DN or Simple Auth with FreeIPA. Below are
the relevant parts of sample configurations. These assume that your domain is
`domain.com`, and that users must be a member of group `gogs_users` to get access.
If you want to allow login by email address, you run into the issue that IPA by
default does not grant anonymous search access to the `mail` attribute. This can
be changed easily in IPA:
ipa permission-mod --includedattrs=mail 'System: Read User Standard Attributes'
Alternatively, you could ask your LDAP administrators (who will not be keen on exposing
email addresses to unauthenticated LDAP clients) for a bind user account.
**However** all this is probably not necessary any more, as Gogs translates email
logins to the corresponding user ID\* before it makes the authentication call to the
backend LDAP.
All that is required is that the user's _first login_ is with their user ID,
After that they can use user ID and email address.
---
**Footnotes**
\*) To be precise: it maps their login name onto their "Authentication Login Name",
which administrators can edit on the User's "Edit Account" page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.