OpenI
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
5839 Commits
197 Branches
392 MB
2943 Download
Tree: fb5c6b6444
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fb5c6b6444'
${ noResults }
aiforge/docs/content/doc/features/authentication.en-us.md

authentication.en-us.md 7.2 kB
Raw Normal View History

Import docs into main repository (#2874) * import docs into main repository Signed-off-by: Matti Ranta <matti@mdranta.net>
7 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194 
  1. ---

  2. date: "2016-12-01T16:00:00+02:00"

  3. title: "Authentication"

  4. slug: "authentication"

  5. weight: 10

  6. toc: true

  7. draft: false

  8. menu:

  9.   sidebar:

  10.     parent: "features"

  11.     name: "Authentication"

  12.     weight: 10

  13.     identifier: "authentication"

  14. ---

  15. 

  16. ---

  17. name: Authentication

  18. ---

  19. 

  20. # Authentication

  21. 

  22. ## LDAP (Lightweight Directory Access Protocol)

  23. 

  24. Both the LDAP via BindDN and the simple auth LDAP share the following fields:

  25. 

  26. - Authorization Name **(required)**

  27.   - A name to assign to the new method of authorization.

  28. 

  29. - Host **(required)**

  30.   - The address where the LDAP server can be reached.

  31.   - Example: `mydomain.com`

  32. 

  33. - Port **(required)**

  34.   - The port to use when connecting to the server.

  35.   - Example: `389` for LDAP or `636` for LDAP SSL

  36. 

  37. - Enable TLS Encryption (optional)

  38.   - Whether to use TLS when connecting to the LDAP server.

  39. 

  40. - Admin Filter (optional)

  41.   - An LDAP filter specifying if a user should be given administrator

  42.     privileges. If a user account passes the filter, the user will be

  43.     privileged as an administrator.

  44.   - Example: `(objectClass=adminAccount)`

  45.   - Example for Microsoft Active Directory (AD): `(memberOf=CN=admin-group,OU=example,DC=example,DC=org)`

  46. 

  47. - Username attribute (optional)

  48.   - The attribute of the user's LDAP record containing the user name. Given

  49.     attribute value will be used for new Gitea account user name after first

  50.     successful sign-in. Leave empty to use login name given on sign-in form.

  51.   - This is useful when supplied login name is matched against multiple

  52.     attributes, but only single specific attribute should be used for Gitea

  53.     account name, see "User Filter".

  54.   - Example: `uid`

  55.   - Example for Microsoft Active Directory (AD): `sAMAccountName`

  56. 

  57. - First name attribute (optional)

  58.   - The attribute of the user's LDAP record containing the user's first name.

  59.     This will be used to populate their account information.

  60.   - Example: `givenName`

  61. 

  62. - Surname attribute (optional)

  63.   - The attribute of the user's LDAP record containing the user's surname.

  64.     This will be used to populate their account information.

  65.   - Example: `sn`

  66. 

  67. - E-mail attribute **(required)**

  68.   - The attribute of the user's LDAP record containing the user's email

  69.     address. This will be used to populate their account information.

  70.   - Example: `mail`

  71. 

  72. **LDAP via BindDN** adds the following fields:

  73. 

  74. - Bind DN (optional)

  75.   - The DN to bind to the LDAP server with when searching for the user. This

  76.     may be left blank to perform an anonymous search.

  77.   - Example: `cn=Search,dc=mydomain,dc=com`

  78. 

  79. - Bind Password (optional)

  80.   - The password for the Bind DN specified above, if any. _Note: The password

  81.     is stored in plaintext at the server. As such, ensure that your Bind DN

  82.     has as few privileges as possible._

  83. 

  84. - User Search Base **(required)**

  85.   - The LDAP base at which user accounts will be searched for.

  86.   - Example: `ou=Users,dc=mydomain,dc=com`

  87. 

  88. - User Filter **(required)**

  89.   - An LDAP filter declaring how to find the user record that is attempting to

  90.     authenticate. The `%s` matching parameter will be substituted with login

  91.     name given on sign-in form.

  92.   - Example: `(&(objectClass=posixAccount)(uid=%s))`

  93.   - Example for Microsoft Active Directory (AD): `(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`

  94.   - To substitute more than once `%[1]s` should be used instead, e.g. when

  95.     matching supplied login name against multiple attributes such as user

  96.     identifier, email or even phone number.

  97.   - Example: `(&(objectClass=Person)(|(uid=%[1]s)(mail=%[1]s)(mobile=%[1]s)))`

  98. 

  99. **LDAP using simple auth** adds the following fields:

  100. 

  101. - User DN **(required)**

  102.   - A template to use as the user's DN. The `%s` matching parameter will be substituted with login name given on sign-in form.

  103.   - Example: `cn=%s,ou=Users,dc=mydomain,dc=com`

  104.   - Example: `uid=%s,ou=Users,dc=mydomain,dc=com`

  105. 

  106. - User Filter **(required)**

  107.   - An LDAP filter declaring when a user should be allowed to log in. The `%s`

  108.     matching parameter will be substituted with login name given on sign-in

  109.     form.

  110.   - Example: `(&(objectClass=posixAccount)(cn=%s))`

  111.   - Example: `(&(objectClass=posixAccount)(uid=%s))`

  112. 

  113. **Verify group membership in LDAP** uses the following fields:

  114. 

  115. * Group Search Base (optional)

  116.     * The LDAP DN used for groups.

  117.     * Example: `ou=group,dc=mydomain,dc=com`

  118. 

  119. * Group Name Filter (optional)

  120.     * An LDAP filter declaring how to find valid groups in the above DN.

  121.     * Example: `(|(cn=gitea_users)(cn=admins))`

  122. 

  123. * User Attribute in Group (optional)

  124.     * Which user LDAP attribute is listed in the group.

  125.     * Example: `uid`

  126. 

  127. * Group Attribute for User (optional)

  128.     * Which group LDAP attribute contains an array above user attribute names.

  129.     * Example: `memberUid`

  130. 

  131. ## PAM (Pluggable Authentication Module)

  132. 

  133. To configure this you just need to set the 'PAM Service Name' to a filename in `/etc/pam.d/`.

  134. If you want it to work with normal Linux passwords, the user running Gitea must have read access to `/etc/shadow`.

  135. 

  136. ## SMTP (Simple Mail Transfer Protocol)

  137. 

  138. This option allows Gitea to log in to your SMTP host as a Gitea user. To configure this, simply set the fields below:

  139. 

  140. - Authentication Name **(required)**

  141.   - A name to assign to the new method of authorization.

  142. 

  143. - SMTP Authentication Type **(required)**

  144.   - Type of authentication for use on your SMTP host, PLAIN or LOGIN.

  145. 

  146. - Host **(required)**

  147.   - The address where the SMTP host can be reached.

  148.   - Example: `smtp.mydomain.com`

  149. 

  150. - Port **(required)**

  151.   - The port to use when connecting to the server.

  152.   - Example: `587`

  153. 

  154. - Allowed Domains

  155.   - Restrict what domains can log in if you're using public SMTP host or SMTP host with multiple domains.

  156.   - Example: `gitea.io,mydomain.com,mydomain2.com`

  157. 

  158. - Enable TLS Encryption

  159.   - Enable TLS encryption on authentication.

  160. 

  161. - Skip TLS Verify

  162.   - Disable TLS verify on authentication.

  163.   

  164. - This authentication is activate

  165.   - Enable or disable this auth.

  166. 

  167. ## FreeIPA

  168. 

  169. - In order to log in to Gitea using FreeIPA credentials, you need to create a bind account for Gitea to use:

  170. 

  171. -  On the FreeIPA server, create a `gitea.ldif` file, replacing `dc=example,dc=com` with your DN, and providing an appropriately secure password:

  172. ```

  173.   dn: uid=gitea,cn=sysaccounts,cn=etc,dc=example,dc=com

  174.   changetype: add

  175.   objectclass: account

  176.   objectclass: simplesecurityobject

  177.   uid: gitea

  178.   userPassword: secure password

  179.   passwordExpirationTime: 20380119031407Z

  180.   nsIdleTimeout: 0

  181. ```

  182. 

  183. - Import the LDIF (change localhost to an IPA server if needed), you’ll be prompted for your Directory Manager password:

  184. ```

  185.   ldapmodify -h localhost -p 389 -x -D \

  186.   "cn=Directory Manager" -W -f gitea.ldif

  187. ```

  188. -  Add an IPA group for gitea_users :

  189. ```

  190.   ipa group-add --desc="Gitea Users" gitea_users

  191. ```

  192. -  Note: If you get an error about IPA credentials, please run `kinit admin` and give your admin account password.

  193. 

  194. -  Now login to the Gitea as an Administrator, click on "Authentication" under Admin Panel. Then click `Add New Source` and fill in the details, changing all where appropriate to your own domain.

No Description