LDAP Authentication - Precedence of Admin Filter and Email


#1

Hi

I’m using Gogs v0.11.43.0330 on Linux with SQLite. I have got LDAP Authentication working (Simple Bind and via BindDN).

My question is: User account setup in Gogs, with Authentication sources as LDAP, has an entry for Email Address (mandatory) and a “This account has administrator permissions” checkbox. Are the Gogs values used in preference to LDAP values for “LDAP Email attribute” and resolved via “LDAP Admin Filter”?

  1. The email address shown for the user is always the one configured in Gogs and not from LDAP

  2. Following a successful user LDAP login - I see a successful admin check (as below) but the user does not have “Admin Panel” option in their user dropdown.

2018/05/07 11:15:44 [TRACE] Checking admin with filter '(memberof=cn=myadmin,cn=groups,cn=accounts,dc=company,dc=com)' and base 'uid=myuser,cn=users,cn=accounts,dc=company,dc=com'

Is there a way to make the LDAP settings for these override the user account settings, or have I misunderstood the purposes of the LDAP fields?


#2

Hi, just based on the log, it only says checking; it doesn’t mean the check is guaranteed to pass…


#3

To answer your question, I think Admin Filter has higher precedence than the one stored in the local database.


#4

Unknwon hi - If I change the Admin Filter slightly then I see it fail

2018/05/14 11:43:13 [ERROR] [...kg/auth/ldap/ldap.go:306 SearchEntry()] LDAP: Admin search failed: 0 entries

So if no error is shown then does that mean it succeeds? If I use an LDAP client on the command line (ldapsearch) then the filter returns details.

However, this doesn’t seem to give this user Admin permissions (i.e. no “Admin Panel” option in the menu).


#5

Hmm… I did check the code that reads the value from LDAP, maybe because it didn’t update the value in the database. Could you please file an issue on GitHub about this?
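An added example, not part of the thread and not Gogs code: a small log triage script that pairs each "Checking admin with filter" TRACE line with a following "Admin search failed" ERROR line, so an audit of LDAP-granted admin rights can separate checks that logged a failure from checks that logged nothing further. It assumes the two message formats quoted above and that the error line directly follows its check; a check with no error is reported as `no_failure_logged`, not as passed.

```python
import re

# Patterns taken from the two log lines quoted in the thread.
CHECK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[TRACE\] Checking admin "
    r"with filter '(?P<filter>[^']*)' and base '(?P<base>[^']*)'")
FAIL_RE = re.compile(r"\[ERROR\].*LDAP: Admin search failed: (?P<reason>.*)$")

# Constructed sample: lines 1 and 3 are quoted from the thread; line 2 is a
# made-up check (placeholder group name) standing in for the altered filter.
SAMPLE_LOG = """\
2018/05/07 11:15:44 [TRACE] Checking admin with filter '(memberof=cn=myadmin,cn=groups,cn=accounts,dc=company,dc=com)' and base 'uid=myuser,cn=users,cn=accounts,dc=company,dc=com'
2018/05/14 11:43:12 [TRACE] Checking admin with filter '(memberof=cn=placeholder,cn=groups,cn=accounts,dc=company,dc=com)' and base 'uid=myuser,cn=users,cn=accounts,dc=company,dc=com'
2018/05/14 11:43:13 [ERROR] [...kg/auth/ldap/ldap.go:306 SearchEntry()] LDAP: Admin search failed: 0 entries
"""


def admin_checks(log_text):
    """Return one record per admin check, in log order.

    Assumption: an 'Admin search failed' line belongs to the most recent
    check that has not yet been matched to a failure.
    """
    checks = []
    pending = None
    for line in log_text.splitlines():
        check = CHECK_RE.match(line)
        if check:
            pending = dict(check.groupdict(),
                           outcome="no_failure_logged", reason=None)
            checks.append(pending)
            continue
        failure = FAIL_RE.search(line)
        if failure and pending is not None:
            pending["outcome"] = "failed"
            pending["reason"] = failure.group("reason")
            pending = None  # one failure line per check
    return checks


if __name__ == "__main__":
    for rec in admin_checks(SAMPLE_LOG):
        print(rec["ts"], rec["outcome"], rec["base"], rec["filter"],
              rec["reason"] or "")
```
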