parent
631c85ba4f
commit
7d84d4a8f0
@ -1,43 +1,64 @@
LDAP authentication
===================
Gogs LDAP Authentication Module
===============================
## Goal
## About
Authenticat user against LDAP directories
This authentication module attempts to authorize and authenticate a user
against an LDAP server. Like most LDAP authentication systems, this module does
this in two steps. First, it queries the LDAP server using a Bind DN and
searches for the user that is attempting to sign in. If the user is found, the
module attempts to bind to the server using the user's supplied credentials. If
this succeeds, the user has been authenticated, and his account information is
retrieved and passed to the Gogs login infrastructure.
It will bind with the user's login/pasword and query attributs ("mail" for instance) in a pool of directory servers
## Usage
The first OK wins.
To use this module, add an LDAP authentication source via the Authentications
section in the admin panel. The fields should be set as follows:
If there's connection error, the server will be disabled and won't be checked again
Authorization Name (required)
A name to assign to the new method of authorization.
## Usage
Host (required)
The address where the LDAP server can be reached.
Example: mydomain.com
Port (required)
The port to use when connecting to the server.
Example: 636
In the [security] section, set
> LDAP_AUTH = true
Enable TLS Encryption (optional)
Whether to use TLS when connecting to the LDAP server.
then for each LDAP source, set
Bind DN (optional)
The DN to bind to the LDAP server with when searching for the user.
This may be left blank to perform an anonymous search.
Example: cn=Search,dc=mydomain,dc=com
> [LdapSource-someuniquename]
> name=canonicalName
> host=hostname-or-ip
> port=3268 # or regular LDAP port
> # the following settings depend highly how you've configured your AD
> basedn=dc=ACME,dc=COM
> MSADSAFORMAT=%s@ACME.COM
> filter=(&(objectClass=user)(sAMAccountName=%s))
Bind Password (optional)
The password for the Bind DN specified above, if any.
### Limitation
User Search Base (required)
The LDAP base at which user accounts will be searched for.
Example: ou=Users,dc=mydomain,dc=com
Only tested on an MS 2008R2 DC, using global catalog (TCP/3268)
User Filter (required)
An LDAP filter declaring how to find the user record that is attempting
to authenticate. The '%s' matching parameter will be substituted with
the user's username.
Example: (&(objectClass=posixAccount)(uid=%s))
This MSAD is a mess.
First name attribute (optional)
The attribute of the user's LDAP record containing the user's first
name. This will be used to populate their account information.
Example: givenName
The way how one checks the directory (CN, DN etc...) may be highly depending local custom configuration
Surname name attribute (optional)
The attribute of the user's LDAP record containing the user's surname
This will be used to populate their account information.
Example: sn
### Todo
* Define a timeout per server
* Check servers marked as "Disabled" when they'll come back online
* Find a more flexible way to define filter/MSADSAFORMAT/Attributes etc... maybe text/template ?
* Check OpenLDAP server
* SSL support ?
E-mail attribute (required)
The attribute of the user's LDAP record containing the user's email
address. This will be used to populate their account information.
Example: mail
@ -1,29 +0,0 @@
package ldap
// import (
// "fmt"
// "testing"
// )
// var ldapServer = "ldap.itd.umich.edu"
// var ldapPort = 389
// var baseDN = "dc=umich,dc=edu"
// var filter = []string{
// "(cn=cis-fac)",
// "(&(objectclass=rfc822mailgroup)(cn=*Computer*))",
// "(&(objectclass=rfc822mailgroup)(cn=*Mathematics*))"}
// var attributes = []string{
// "cn",
// "description"}
// var msadsaformat = ""
// func TestLDAP(t *testing.T) {
// AddSource("test", ldapServer, ldapPort, baseDN, attributes, filter, msadsaformat)
// user, err := LoginUserLdap("xiaolunwen", "")
// if err != nil {
// t.Error(err)
// return
// }
// fmt.Println(user)
// }