mirror of
				https://codeberg.org/forgejo/forgejo.git
				synced 2025-10-22 18:12:28 +00:00 
			
		
		
		
	* Add single sign-on support via SSPI on Windows * Ensure plugins implement interface * Ensure plugins implement interface * Move functions used only by the SSPI auth method to sspi_windows.go * Field SSPISeparatorReplacement of AuthenticationForm should not be required via binding, as binding will insist the field is non-empty even if another login type is selected * Fix breaking of oauth authentication on download links. Do not create new session with SSPI authentication on download links. * Update documentation for the new 'SPNEGO with SSPI' login source * Mention in documentation that ROOT_URL should contain the FQDN of the server * Make sure that Contexter is not checking for active login sources when the ORM engine is not initialized (eg. when installing) * Always initialize and free SSO methods, even if they are not enabled, as a method can be activated while the app is running (from Authentication sources) * Add option in SSPIConfig for removing of domains from logon names * Update helper text for StripDomainNames option * Make sure handleSignIn() is called after a new user object is created by SSPI auth method * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Remove default value from text of form field helper Co-Authored-By: Lauris BH <lauris@nix.lv> * Only make a query to the DB to check if SSPI is enabled on handlers that need that information for templates * Remove code duplication * Log errors in ActiveLoginSources Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert suffix of randomly generated E-mails for Reverse proxy authentication Co-Authored-By: Lauris BH <lauris@nix.lv> * Revert unneeded white-space change in template Co-Authored-By: Lauris BH <lauris@nix.lv> * Add copyright comments at the top of new files * Use loopback name for randomly generated emails * Add locale tag for the SSPISeparatorReplacement field with proper casing * Revert casing of SSPISeparatorReplacement field in locale file, moving it up, next to other form fields * Update docs/content/doc/features/authentication.en-us.md Co-Authored-By: guillep2k <18600385+guillep2k@users.noreply.github.com> * Remove Priority() method and define the order in which SSO auth methods should be executed in one place * Log authenticated username only if it's not empty * Rephrase helper text for automatic creation of users * Return error if more than one active SSPI auth source is found * Change newUser() function to return error, letting caller log/handle the error * Move isPublicResource, isPublicPage and handleSignIn functions outside SSPI auth method to allow other SSO methods to reuse them if needed * Refactor initialization of the list containing SSO auth methods * Validate SSPI settings on POST * Change SSPI to only perform authentication on its own login page, API paths and download links. Leave Toggle middleware to redirect non authenticated users to login page * Make 'Default language' in SSPI config empty, unless changed by admin * Show error if admin tries to add a second authentication source of type SSPI * Simplify declaration of global variable * Rebuild gitgraph.js on Linux * Make sure config values containing only whitespace are not accepted
		
			
				
	
	
		
			257 lines
		
	
	
	
		
			11 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
			
		
		
	
	
			257 lines
		
	
	
	
		
			11 KiB
		
	
	
	
		
			Markdown
		
	
	
	
	
	
| ---
 | |
| date: "2016-12-01T16:00:00+02:00"
 | |
| title: "Authentication"
 | |
| slug: "authentication"
 | |
| weight: 10
 | |
| toc: true
 | |
| draft: false
 | |
| menu:
 | |
|   sidebar:
 | |
|     parent: "features"
 | |
|     name: "Authentication"
 | |
|     weight: 10
 | |
|     identifier: "authentication"
 | |
| ---
 | |
| 
 | |
| ---
 | |
| name: Authentication
 | |
| ---
 | |
| 
 | |
| # Authentication
 | |
| 
 | |
| ## LDAP (Lightweight Directory Access Protocol)
 | |
| 
 | |
| Both the LDAP via BindDN and the simple auth LDAP share the following fields:
 | |
| 
 | |
| - Authorization Name **(required)**
 | |
|   - A name to assign to the new method of authorization.
 | |
| 
 | |
| - Host **(required)**
 | |
|   - The address where the LDAP server can be reached.
 | |
|   - Example: `mydomain.com`
 | |
| 
 | |
| - Port **(required)**
 | |
|   - The port to use when connecting to the server.
 | |
|   - Example: `389` for LDAP or `636` for LDAP SSL
 | |
| 
 | |
| - Enable TLS Encryption (optional)
 | |
|   - Whether to use TLS when connecting to the LDAP server.
 | |
| 
 | |
| - Admin Filter (optional)
 | |
|   - An LDAP filter specifying if a user should be given administrator
 | |
|     privileges. If a user account passes the filter, the user will be
 | |
|     privileged as an administrator.
 | |
|   - Example: `(objectClass=adminAccount)`
 | |
|   - Example for Microsoft Active Directory (AD): `(memberOf=CN=admin-group,OU=example,DC=example,DC=org)`
 | |
| 
 | |
| - Username attribute (optional)
 | |
|   - The attribute of the user's LDAP record containing the user name. Given
 | |
|     attribute value will be used for new Gitea account user name after first
 | |
|     successful sign-in. Leave empty to use login name given on sign-in form.
 | |
|   - This is useful when supplied login name is matched against multiple
 | |
|     attributes, but only single specific attribute should be used for Gitea
 | |
|     account name, see "User Filter".
 | |
|   - Example: `uid`
 | |
|   - Example for Microsoft Active Directory (AD): `sAMAccountName`
 | |
| 
 | |
| - First name attribute (optional)
 | |
|   - The attribute of the user's LDAP record containing the user's first name.
 | |
|     This will be used to populate their account information.
 | |
|   - Example: `givenName`
 | |
| 
 | |
| - Surname attribute (optional)
 | |
|   - The attribute of the user's LDAP record containing the user's surname.
 | |
|     This will be used to populate their account information.
 | |
|   - Example: `sn`
 | |
| 
 | |
| - E-mail attribute **(required)**
 | |
|   - The attribute of the user's LDAP record containing the user's email
 | |
|     address. This will be used to populate their account information.
 | |
|   - Example: `mail`
 | |
| 
 | |
| **LDAP via BindDN** adds the following fields:
 | |
| 
 | |
| - Bind DN (optional)
 | |
|   - The DN to bind to the LDAP server with when searching for the user. This
 | |
|     may be left blank to perform an anonymous search.
 | |
|   - Example: `cn=Search,dc=mydomain,dc=com`
 | |
| 
 | |
| - Bind Password (optional)
 | |
|   - The password for the Bind DN specified above, if any. _Note: The password
 | |
|     is stored in plaintext at the server. As such, ensure that the Bind DN
 | |
|     has as few privileges as possible._
 | |
| 
 | |
| - User Search Base **(required)**
 | |
|   - The LDAP base at which user accounts will be searched for.
 | |
|   - Example: `ou=Users,dc=mydomain,dc=com`
 | |
| 
 | |
| - User Filter **(required)**
 | |
|   - An LDAP filter declaring how to find the user record that is attempting to
 | |
|     authenticate. The `%s` matching parameter will be substituted with login
 | |
|     name given on sign-in form.
 | |
|   - Example: `(&(objectClass=posixAccount)(uid=%s))`
 | |
|   - Example for Microsoft Active Directory (AD): `(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))`
 | |
|   - To substitute more than once, `%[1]s` should be used instead, e.g. when
 | |
|     matching supplied login name against multiple attributes such as user
 | |
|     identifier, email or even phone number.
 | |
|   - Example: `(&(objectClass=Person)(|(uid=%[1]s)(mail=%[1]s)(mobile=%[1]s)))`
 | |
| - Enable user synchronization
 | |
|   - This option enables a periodic task that synchronizes the Gitea users with
 | |
|     the LDAP server. The default period is every 24 hours but that can be
 | |
|     changed in the app.ini file.  See the *cron.sync_external_users* section in
 | |
|     the [sample
 | |
|     app.ini](https://github.com/go-gitea/gitea/blob/master/custom/conf/app.ini.sample)
 | |
|     for detailed comments about that section.  The *User Search Base* and *User
 | |
|     Filter* settings described above will limit which users can use Gitea and
 | |
|     which users will be synchronized.  When initially run the task will create
 | |
|     all LDAP users that match the given settings so take care if working with
 | |
|     large Enterprise LDAP directories.
 | |
| 
 | |
| **LDAP using simple auth** adds the following fields:
 | |
| 
 | |
| - User DN **(required)**
 | |
|   - A template to use as the user's DN. The `%s` matching parameter will be
 | |
|     substituted with login name given on sign-in form.
 | |
|   - Example: `cn=%s,ou=Users,dc=mydomain,dc=com`
 | |
|   - Example: `uid=%s,ou=Users,dc=mydomain,dc=com`
 | |
| 
 | |
| - User Search Base  (optional)
 | |
|   - The LDAP base at which user accounts will be searched for.
 | |
|   - Example: `ou=Users,dc=mydomain,dc=com`
 | |
| 
 | |
| - User Filter **(required)**
 | |
|   - An LDAP filter declaring when a user should be allowed to log in. The `%s`
 | |
|     matching parameter will be substituted with login name given on sign-in
 | |
|     form.
 | |
|   - Example: `(&(objectClass=posixAccount)(cn=%s))`
 | |
|   - Example: `(&(objectClass=posixAccount)(uid=%s))`
 | |
| 
 | |
| **Verify group membership in LDAP** uses the following fields:
 | |
| 
 | |
| * Group Search Base (optional)
 | |
|     * The LDAP DN used for groups.
 | |
|     * Example: `ou=group,dc=mydomain,dc=com`
 | |
| 
 | |
| * Group Name Filter (optional)
 | |
|     * An LDAP filter declaring how to find valid groups in the above DN.
 | |
|     * Example: `(|(cn=gitea_users)(cn=admins))`
 | |
| 
 | |
| * User Attribute in Group (optional)
 | |
|     * Which user LDAP attribute is listed in the group.
 | |
|     * Example: `uid`
 | |
| 
 | |
| * Group Attribute for User (optional)
 | |
|     * Which group LDAP attribute contains an array above user attribute names.
 | |
|     * Example: `memberUid`
 | |
| 
 | |
| ## PAM (Pluggable Authentication Module)
 | |
| 
 | |
| To configure PAM, set the 'PAM Service Name' to a filename in `/etc/pam.d/`. To
 | |
| work with normal Linux passwords, the user running Gitea must have read access
 | |
| to `/etc/shadow`.
 | |
| 
 | |
| ## SMTP (Simple Mail Transfer Protocol)
 | |
| 
 | |
| This option allows Gitea to log in to an SMTP host as a Gitea user. To
 | |
| configure this, set the fields below:
 | |
| 
 | |
| - Authentication Name **(required)**
 | |
|   - A name to assign to the new method of authorization.
 | |
| 
 | |
| - SMTP Authentication Type **(required)**
 | |
|   - Type of authentication to use to connect to SMTP host, PLAIN or LOGIN.
 | |
| 
 | |
| - Host **(required)**
 | |
|   - The address where the SMTP host can be reached.
 | |
|   - Example: `smtp.mydomain.com`
 | |
| 
 | |
| - Port **(required)**
 | |
|   - The port to use when connecting to the server.
 | |
|   - Example: `587`
 | |
| 
 | |
| - Allowed Domains
 | |
|   - Restrict what domains can log in if using a public SMTP host or SMTP host
 | |
|     with multiple domains.
 | |
|   - Example: `gitea.io,mydomain.com,mydomain2.com`
 | |
| 
 | |
| - Enable TLS Encryption
 | |
|   - Enable TLS encryption on authentication.
 | |
| 
 | |
| - Skip TLS Verify
 | |
|   - Disable TLS verify on authentication.
 | |
| 
 | |
| - This authentication is activate
 | |
|   - Enable or disable this auth.
 | |
| 
 | |
| ## FreeIPA
 | |
| 
 | |
| - In order to log in to Gitea using FreeIPA credentials, a bind account needs to
 | |
|   be created for Gitea:
 | |
| 
 | |
| - On the FreeIPA server, create a `gitea.ldif` file, replacing `dc=example,dc=com`
 | |
|   with your DN, and provide an appropriately secure password:
 | |
| ```
 | |
|   dn: uid=gitea,cn=sysaccounts,cn=etc,dc=example,dc=com
 | |
|   changetype: add
 | |
|   objectclass: account
 | |
|   objectclass: simplesecurityobject
 | |
|   uid: gitea
 | |
|   userPassword: secure password
 | |
|   passwordExpirationTime: 20380119031407Z
 | |
|   nsIdleTimeout: 0
 | |
| ```
 | |
| 
 | |
| - Import the LDIF (change localhost to an IPA server if needed). A prompt for
 | |
|  Directory Manager password will be presented:
 | |
| ```
 | |
|   ldapmodify -h localhost -p 389 -x -D \
 | |
|   "cn=Directory Manager" -W -f gitea.ldif
 | |
| ```
 | |
| - Add an IPA group for gitea\_users :
 | |
| ```
 | |
|   ipa group-add --desc="Gitea Users" gitea_users
 | |
| ```
 | |
| - Note: For errors about IPA credentials, run `kinit admin` and provide the
 | |
|   domain admin account password.
 | |
| 
 | |
| - Log in to Gitea as an Administrator and click on "Authentication" under Admin Panel.
 | |
|   Then click `Add New Source` and fill in the details, changing all where appropriate.
 | |
| 
 | |
| ## SPNEGO with SSPI (Kerberos/NTLM, for Windows only)
 | |
| 
 | |
| Gitea supports SPNEGO single sign-on authentication (the scheme defined by RFC4559) for the web part of the server via the Security Support Provider Interface (SSPI) built in Windows. SSPI works only in Windows environments - when both the server and the clients are running Windows.
 | |
| 
 | |
| Before activating SSPI single sign-on authentication (SSO) you have to prepare your environment:
 | |
| 
 | |
| - Create a separate user account in active directory, under which the `gitea.exe` process will be running (eg. `user` under domain `domain.local`):
 | |
| 
 | |
| - Create a service principal name for the host where `gitea.exe` is running with class `HTTP`:
 | |
|   - Start `Command Prompt` or `PowerShell` as a priviledged domain user (eg. Domain Administrator)
 | |
|   - Run the command below, replacing `host.domain.local` with the fully qualified domain name (FQDN) of the server where the web application will be running, and `domain\user` with the name of the account created in the previous step:
 | |
|   ```
 | |
|     setspn -A HTTP/host.domain.local domain\user
 | |
|   ```
 | |
| 
 | |
| - Sign in (*sign out if you were already signed in*) with the user created
 | |
| 
 | |
| - Make sure that `ROOT_URL` in the `[server]` section of `custom/conf/app.ini` is the fully qualified domain name of the server where the web application will be running - the same you used when creating the service principal name (eg. `host.domain.local`)
 | |
| 
 | |
| - Start the web server (`gitea.exe web`)
 | |
| 
 | |
| - Enable SSPI authentication by adding an `SPNEGO with SSPI` authentication source in `Site Administration -> Authentication Sources`
 | |
| 
 | |
| - Sign in to a client computer in the same domain with any domain user (client computer, different from the server running `gitea.exe`)
 | |
| 
 | |
| - If you are using Chrome, Edge or Internet Explorer, add the URL of the web app to the Local intranet sites (`Internet Options -> Security -> Local intranet -> Sites`)
 | |
| 
 | |
| - Start Chrome, Edge or Internet Explorer and navigate to the FQDN URL of gitea (eg. `http://host.domain.local:3000`)
 | |
| 
 | |
| - Click the `Sign In` button on the dashboard and choose SSPI to be automatically logged in with the same user that is currently logged on to the computer
 | |
| 
 | |
| - If it does not work, make sure that:
 | |
|   - You are not running the web browser on the same server where gitea is running. You should be running the web browser on a domain joined computer (client) that is different from the server. If both the client and server are runnning on the same computer NTLM will be prefered over Kerberos.
 | |
|   - There is only one `HTTP/...` SPN for the host
 | |
|   - The SPN contains only the hostname, without the port
 | |
|   - You have added the URL of the web app to the `Local intranet zone`
 | |
|   - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
 | |
|   - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
 |