How to use ldap authentication with apache2 reverse proxy?


#1

Hi All,
Gogs version:0.11.86.0130
go: 1.10.2
database: sqlite3
Operating system: Oracle linux 7.6
apache2 version: 2.4.6
nginx : 1.12.2

I’ve configured an apache2 reverse proxy and behind gogs.
The reverse proxy is in charge of authentication part using SimpleSAMLphp, mellon and openLDAP.
Here is an extract of my virtualhost (reverse proxy) configuration that supplies the username of authenticated people to gogs:

```apache
ProxyPass "/" "http://gogs-service:3000/"
ProxyPassReverse "/" "http://gogs-service:3000/"
RequestHeader set SSO_USER "%{SSO_USER}e"
```

The auto-registration works well (an authenticated user is automatically added to the gogs local user database as a “simple user” without administration permission). Meanwhile, I would like to allow “administrator” users (people who are members of the LDAP group MyAdmins, for example) to access gogs with administrator permissions (so they could upload files, for example), and other authenticated users to access gogs as “normal” users (without administrator permission).

Do I configure LDAP authentication at the gogs level? How can I deal with LDAP authentication and the reverse proxy?
Is it possible using the reverse proxy and auto-registration? Have you got an example of a gogs configuration and an nginx or apache2 configuration to implement this expected behavior?

regards
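A hardened variant of the vhost extract above, as an added example rather than the original poster's configuration: any SSO_USER header a client sends is stripped before authentication runs, and the header is only added when mellon actually populated the environment variable, so Gogs never receives a spoofed or empty identity. It assumes mellon protects "/" and exports the authenticated user into the SSO_USER environment variable (the thread does not show that mapping), and that Gogs is reachable only from this proxy, since Gogs trusts the header from anything that can reach port 3000.

```apache
# Added example (not the original poster's vhost). Assumptions: mellon is
# configured elsewhere (SP key/cert, IdP metadata) and exports the
# authenticated uid as the SSO_USER environment variable.
<VirtualHost *:443>
    ServerName git.example.org        # placeholder hostname
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile omitted

    # Strip any SSO_USER header supplied by the client. "early" runs this
    # in the first request phase, before authentication and proxying.
    RequestHeader unset SSO_USER early

    <Location "/">
        AuthType "Mellon"
        MellonEnable "auth"
        MellonEndpointPath "/mellon"
        Require valid-user
    </Location>

    # Add the header only when mellon set the variable; without the env=
    # condition an unset variable would reach Gogs as the string "(null)".
    RequestHeader set SSO_USER "%{SSO_USER}e" env=SSO_USER

    # mellon's own endpoints must not be forwarded to Gogs.
    ProxyPass "/mellon" !
    ProxyPreserveHost On
    ProxyPass        "/" "http://gogs-service:3000/"
    ProxyPassReverse "/" "http://gogs-service:3000/"
</VirtualHost>
```

On the Gogs side this pairs with enabling reverse-proxy authentication and naming SSO_USER as the trusted header in app.ini, and with binding Gogs to an address only the proxy can reach; the exact app.ini keys are not shown in the thread, so check them against the Gogs authentication documentation linked in #6.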


#2

Hi, it is unclear to me, you’re running Apache2 behind Gogs, or Gogs behind Apache2?


#3

Hi,
Sorry if it was not clear.
I’ve deployed an apache2 web server in front. The apache2 is connected to simplesamlphp, which is connected to an openLDAP. My Gogs server is behind the apache2 web server.
So, using my web browser, when I want to access the gogs server, apache2 (configured as reverse proxy) first displays a login page to authenticate the user. Once authenticated, the query is forwarded to gogs (reverse proxy mechanism).
This part of the installation works as expected. The gogs auto-registration option creates the user in the local database (sqlite3). Meanwhile, the user is never created as “administrator”.
I would like that, when I’m authenticated through the reverse proxy, the people in the administrators group have gogs access with administrator permission. What configuration do you recommend to allow that kind of behavior?
Regards


#4

Thanks for the update!

I do not think Gogs currently has an option to automatically create an “admin” user via reverse proxy; it should be assigned, not created.


#5

Thanks for your reply.
Meanwhile, is it possible to use an LDAP authentication source instead of the local database? I mean, maybe when the reverse proxy sends the SSO_USER information in the request header, Gogs could use LDAP BIND authentication to check the group instead of creating the user automatically in the local database.
How can I configure gogs to force usage of LDAP instead of the local authentication source?


#6

Local database is always required. Ref: https://gogs.io/docs/features/authentication

I’m not 100% sure if you can, but you could try to disable self-registration and only provide the login page. Ref: https://github.com/gogs/gogs/blob/master/conf/app.ini#L201-L202 This is not intended for your use case but might work.


#7

Hi,
Thanks for your advice. It works (I mean, I could connect through my reverse proxy).
The only limitation is that I HAVE TO sign in once (the first time) using LDAP for each user, probably to register the account in the local database. Then, each time I connect using the reverse proxy (simplesamlphp, etc.), the user (SSO_USER) is sent as expected to the GOGS service, and the user is automatically logged in.
Regards,


#8

Yes, you have to; the local database must be aware.


#9

Thank you for your information.
Maybe in a future version of Gogs it could be possible to provide SSO SAML features.
That would probably solve my need.
Regards,