Freeipa Authentication


#1

Hi,
Love Gogs! Works great!
Recently I've installed FreeIPA on my home server and I wanted to authenticate Gogs using IPA.
I was trying to follow instructions from gogs.io/docs/features/authentication
(I wish there was also a text version of the filters, as it was not easy to read/copy from a screenshot.)

After setup, when I try to log in using a domain user/password, I just get "Username or password is not correct."

journalctl is not helpful here, as it does not give much info:
Mar 09 23:16:05 ipaserver.mydomain.com gogs[9056]: [Macaron] 2019-03-09 23:16:05: Started POST /user/login for 10.0.1.4
Mar 09 23:16:05 ipaserver.mydomain.com gogs[9056]: [Macaron] 2019-03-09 23:16:05: Completed POST /user/login 200 OK in 102.869595ms

Gogs: 0.11.53.0603
System: 4.20.13-200.fc29.x86_64
FreeIPA version: 4.7.2
MySQL: 8.0.15

Authentication settings:
Host: myipaserver.home.mydomain.com

Bind DN: uid=gogs,cn=sysaccounts,cn=etc,dc=home,dc.mydomain,dc=com
User Search Base: cn=accounts,dc=home,dc.mydomain,dc=com
User Filter: (&(uid=%s)(memberOf=cn=gogs_users,cn=groups,cn=accounts,dc=home,dc.mydomain,dc=com|))

Any suggestions on how and where I could start debugging?

PS: It was very hard to post this question with "New users are allowed only 2 links".
Thank you in advance!


#2

Hi, change the log level to Trace and restart Gogs; it will put more logs into the log file (logs/gogs.log): https://github.com/gogs/gogs/blob/master/conf/app.ini#L341


#3

Thanks! That helps. It looks like the filter I have might (?) not be correct. I was following your documentation/screenshot for that. I will try to Google regarding LDAP filters, but I appreciate any suggestions:

2019/03/10 10:11:32 [TRACE] Search for LDAP user: myuser
2019/03/10 10:11:32 [TRACE] LDAP: Bound as BindDN: uid=gogs,cn=sysaccounts,cn=etc,dc=home,dc=mydomain,dc=com
2019/03/10 10:11:32 [TRACE] LDAP: Searching for DN using filter '(&(uid=myuser)(memberOf=cn=gogs_users,cn=groups,cn=accounts,dc=home,dc=mydomain,dc=com|))' and base 'cn=accounts,dc=home,dc=mydomain,dc=com'
2019/03/10 10:11:32 [TRACE] LDAP: Failed search using filter '(&(uid=myuser)(memberOf=cn=gogs_users,cn=groups,cn=accounts,dc=home,dc=mydomain,dc=com|))': <nil>
2019/03/10 10:11:32 [TRACE] Template: user/auth/login

#4

OK, I read a little bit about it and found that there should be no pipe at the end of the filter (that was a confusing element in your documentation screenshot).

It looks like the filter works now, but I am getting "Protocol Error":

2019/03/11 00:48:35 [TRACE] LDAP will use BindDN
2019/03/11 00:48:35 [TRACE] Search for LDAP user: myuser
2019/03/11 00:48:35 [TRACE] LDAP: Bound as BindDN: uid=gogs,cn=sysaccounts,cn=etc,dc=home,dc=mydomain,dc=com
2019/03/11 00:48:35 [TRACE] LDAP: Searching for DN using filter '(&(uid=myuser)(memberOf=cn=gogs_users,cn=groups,cn=accounts,dc=home,dc=mydomain,dc=com))' and base 'cn=accounts,dc=home,dc=mydomain,dc=com'
2019/03/11 00:48:35 [TRACE] Binding with userDN: uid=myuser,cn=users,cn=accounts,dc=home,dc=mydomain,dc=com
2019/03/11 00:48:35 [TRACE] Bound successfully with userDN: uid=myuser,cn=users,cn=accounts,dc=home,dc=mydomain,dc=com
2019/03/11 00:48:35 [TRACE] Fetching attributes '', '', '', 'mail', '' with filter '(&(uid=myuser)(memberOf=cn=gogs_users,cn=groups,cn=accounts,dc=home,dc=mydomain,dc=com))' and base 'uid=myuser,cn=users,cn=accounts,dc=home,dc=mydomain,dc=com'
2019/03/11 00:48:35 [ERROR] [...kg/auth/ldap/ldap.go:232 SearchEntry()] LDAP: User search failed: LDAP Result Code 2 "Protocol Error": 
2019/03/11 00:48:35 [TRACE] Template: user/auth/login
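The stray pipe in the copied filter is not a syntax error: `|` is an ordinary value character, so the server simply compared memberOf against a group DN that ends in `|` and no user matched. The same parsing rules are what make escaping of the `%s` substitution matter, since an unescaped login name can close the assertion and add its own. The following linter is an added example (not Gogs code and not from the thread): it parses a subset of RFC 4515, flags a filter operator glued to the end of a value, reports trailing text after the outer filter, and escapes a login name before substituting it into a Gogs-style template. The "stray operator" heuristic and the item names are my own assumptions; the filters in the demo are the ones from this thread.

```python
"""Lint a Gogs-style LDAP user filter and substitute the login name safely (added example)."""
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

# attribute description, comparison operator, then a value with no bare parentheses
_ITEM = re.compile(r'([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|:=|=)([^()]*)')


def escape_filter_value(value):
    """Escape a string so it is one literal assertion value (RFC 4515)."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template, login):
    """Replace the single %s of a Gogs-style template with the escaped login name."""
    if template.count('%s') != 1:
        raise ValueError("template must contain exactly one %s")
    return template.replace('%s', escape_filter_value(login))


def _parse(s, i, items):
    """Parse one parenthesised filter at s[i], appending (attr, op, value) triples.

    Returns (index after the closing parenthesis, error message or None).
    Only the &, |, ! operators and simple assertions are supported (assumption)."""
    if i >= len(s) or s[i] != '(':
        return i, f"expected '(' at offset {i}"
    i += 1
    if i >= len(s):
        return i, "unexpected end of filter"
    op = s[i]
    if op in '&|':
        i += 1
        nested = 0
        while i < len(s) and s[i] == '(':
            i, err = _parse(s, i, items)
            if err:
                return i, err
            nested += 1
        if nested == 0:
            return i, f"'{op}' at offset {i - 1} has no nested filter"
    elif op == '!':
        i, err = _parse(s, i + 1, items)
        if err:
            return i, err
    else:
        m = _ITEM.match(s, i)
        if not m:
            return i, f"malformed assertion at offset {i}: {s[i:i + 20]!r}"
        items.append(m.groups())
        i = m.end()
    if i >= len(s) or s[i] != ')':
        return i, f"expected ')' at offset {i}"
    return i + 1, None


def filter_items(s):
    """Return the (attr, op, value) triples of a filter; raise ValueError if it does not parse."""
    items = []
    _, err = _parse(s, 0, items)
    if err:
        raise ValueError(err)
    return items


def lint_filter(s):
    """Return a list of problems found in the filter (an empty list means it looks sane)."""
    items = []
    end, err = _parse(s, 0, items)
    if err:
        return [err]
    problems = []
    if end != len(s):
        # A second top-level filter (e.g. one smuggled in via an unescaped login) lands here.
        problems.append(f"trailing text after filter: {s[end:]!r}")
    for attr, _op, value in items:
        # Heuristic (assumption): a filter operator at the very end of a value is far more
        # likely a copy-paste slip than a real character of a group DN.
        if value and value[-1] in '&|!':
            problems.append(f"value of {attr} ends with {value[-1]!r}, probably a stray operator")
    return problems


# Constructed from the thread: the filter as copied from the screenshot, and the fixed one.
GROUP_DN = 'cn=gogs_users,cn=groups,cn=accounts,dc=home,dc=mydomain,dc=com'
FILTER_FROM_SCREENSHOT = f'(&(uid=%s)(memberOf={GROUP_DN}|))'
FILTER_FIXED = f'(&(uid=%s)(memberOf={GROUP_DN}))'

if __name__ == '__main__':
    for name, f in (('screenshot', FILTER_FROM_SCREENSHOT), ('fixed', FILTER_FIXED)):
        print(name, lint_filter(f) or 'ok')
    print(build_user_filter(FILTER_FIXED, 'my*user'))
```

Run it as a script to lint the two filters, or import it and call `lint_filter()` on whatever you pasted into the Gogs authentication form before restarting the service.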

#5

Does your LDAP server support LDAP version 3? I think the package Gogs relies on only supports version 3, but I'm not a pro on this, not 100% sure.


#6

I am using the latest build of FreeIPA which, looking at the documentation, does support LDAP3:
https://www.freeipa.org/page/V3/LDAP_code

For example, this Python code works for me just fine; I am able to connect via LDAP3 and get user data from the IPA server:

from ldap3 import Server, Connection, ALL

# connect to the IPA server and read its root DSE / schema
server = Server('ipaserver.home.mydomain.com', get_info=ALL)
# bind with the same system account Gogs uses as its Bind DN
conn = Connection(server, 'uid=gogs,cn=sysaccounts,cn=etc,dc=home,dc=mydomain,dc=com', 'mypassword', auto_bind=True)
# search the same base Gogs is configured with
conn.search('cn=accounts,dc=home,dc=mydomain,dc=com', '(objectclass=person)')
print(conn.entries)

> [DN: uid=admin,cn=users,cn=accounts,dc=home,dc=mydomain,dc=com - STATUS: Read - READ TIME: 2019-03-11T22:13:57.520527]

#7

Hmm… currently have no idea.