LDAP allow disable auto register users

[manuelluis]

• Gitea version (or commit ref): 1.3.2
• Git version: 2.9
• Operating system: RHEL7
• Database (use [x]):
  • [ ] PostgreSQL
  • [x] MySQL
  • [ ] MSSQL
  • [ ] SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • [ ] Yes (provide example URL)
  • [ ] No
  • [x] Not relevant
• Log gist:

Description

Currently you cannot disable the auto registration for users that are validated through LDAP. I like to manually create the users and validate against LDAP but disable the auto creation.

In commit https://github.com/go-gitea/gitea/commit/cd37fccdfbdf5a1a5b2d85263ffb219068d19205 the option for disable auto registration of users in LDAP was removed. This commit was discussed in gogs issue: LDAP authentication not allowing users to login https://github.com/gogits/gogs/issues/1625

This problem was discussed before in this gogs issue: LDAP auto register toggle: https://github.com/gogits/gogs/issues/3179

Is it ok to do a pull request to enable this option again?

[lafriks]

What is use case for this? There is no way to manually create users for LDAP auth source.

[manuelluis]

The use case is: if you cannot filter the users in the LDAP Authentication using the search base or user filter you cannot limit your users.

I just want to use the LDAP Authentication to check the password not to limit the users that have access.

When I create an user I can select the Authentication Source:

Users -> Create New Account -> Authentication Source, In authentication Source select the LDAP Authentication created in Authentications.

[lafriks]

Ok, you can create users manually, I take my words back :)

Most correct way would be limit users by group, isn't that option for you?

[manuelluis]

Yes, the most correct way is limiting the search base or filter users by groups, but I have some limitations for creating and manager the users in the LDAP. It's easy for me create users manually that authenticate to LDAP in gitea, only use LDAP for authentication.

[lafriks]

But this feature would need to be added back a bit differently as it was before as now also ldap sync must be updated to check for that. Anyway feel free to submit PR. Also when authorizing user has to see correct reason for not being able to authorize because of disabled user registration

[manuelluis]

I had not noticed that the sync not only update users also create user all users that found in LDAP.

It's not working for me because there is to many users:

[...gitea/models/user.go:1393 SyncExternalUsers()] [E] LDAP Search failed unexpectedly! (LDAP Result Code 4 "Size Limit Exceeded": )

[strk]

[...gitea/models/user.go:1393 SyncExternalUsers()] [E] LDAP Search failed unexpectedly! (LDAP Result Code 4 "Size Limit Exceeded": )

Interesting, do you know what such "Size Limit" is ?

[manuelluis]

The LDAP is Active Directory, it has a configurable maximun number of returned results, by default it's 1000.

The function SearchWithPaging should get all the users of the AD, paginating the result.

[lafriks]

Yeah, pagination is not yet implemented but it's on my to-do list :)

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[lafriks]

@manuelluis paging has been already implemented

[Lantizia]

Going back to what @manuelluis originally raised...

Currently you cannot disable the auto registration for users that are validated through LDAP. I like to manually create the users and validate against LDAP but disable the auto creation.

Yes, this would be super useful still.

There aren't always times when you can make dedicated groups to limit which users can log in... and even if you do have that ability... there can be other reasons where you'd prefer to pre-create Gitea users (of the same login name that you have on AD) prior to a users first LDAP login, usually to pre-tailor one or more attributes which couldn't be learnt from AD (or perhaps would be messed up by it).

Ultimately having the choice of just doing a password check only for existing users... is a useful feature to reintroduce for greater flexibility. It's an option on most other web based apps I've used like MediaWiki, phpIPAM, moodle, etc...