LDAP admin right after first login #2855
Comments
This is indeed a problem. The admin filter should be applied on demand, meaning every time a user logs in. That's a typical use case for accessing a directory service, as it's optimized for read access.
Partially my pull request #3062 that does sync users with LDAP fixes it
I have checked the LDAP logs when authenticating. It actually makes a query with the admin filter at the time of every login. But does not appear to use that result.
I did a bit of digging. It looks like it's doing the LDAP search and returns IsAdmin in the result to
@jonlundy good point..!
That's a real problem which confused me too. Seems like there are currently only two ways to work around this bug:
This is claimed to be fixed by merging #4405, please help test on
Is this working for anyone?
This even happens when the admin filter is the same as the user filter. User filter works, admin does not.
@matthijsvdr hi, based on the https://gogs.io/docs/features/authentication, I think currently admin filter does not recognize
@unknwon ah, that sucks :(
When using LDAP with admin filter, Gogs will create a "local clone" LDAP user with admin parameter (modules/login.go:296), but if the user is not in the admin group at the time of the first login, he/she is created without admin privileges.
But if you add that user later to the admin group in LDAP, Gogs will check if the user is in the admin group but it will not sync the data, so the user will never be admin even if you add it in LDAP later.
Now this is a common case in big companies: first you create a user in LDAP, and then admin rights are added later per manager's approval.
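The behaviour reported in this issue, modelled as an added example (this is not Gogs code; `DirectoryResult`, `LocalUser`, `Store` and both login functions are hypothetical names). It contrasts copying the admin filter result only when the local user is created with applying it on every login, and it goes slightly beyond the report by also showing that, in this model, create-only logic leaves a user admin after removal from the LDAP admin group.

```go
package main

import "fmt"

// Hypothetical types for illustration; none of these names come from Gogs.
type DirectoryResult struct {
	Username string
	IsAdmin  bool // outcome of the admin filter search for this login
}

type LocalUser struct {
	Name    string
	IsAdmin bool
}

type Store map[string]*LocalUser

// LoginCreateOnly copies the admin flag only when the local user is first created.
func (s Store) LoginCreateOnly(r DirectoryResult) *LocalUser {
	if u, ok := s[r.Username]; ok {
		return u // r.IsAdmin was looked up in the directory but is discarded here
	}
	u := &LocalUser{Name: r.Username, IsAdmin: r.IsAdmin}
	s[r.Username] = u
	return u
}

// LoginSync applies the directory's answer on every login and reports whether
// the local flag changed, so the caller can persist and audit-log the change.
func (s Store) LoginSync(r DirectoryResult) (u *LocalUser, changed bool) {
	u, ok := s[r.Username]
	if !ok {
		u = &LocalUser{Name: r.Username, IsAdmin: r.IsAdmin}
		s[r.Username] = u
		return u, false
	}
	if u.IsAdmin != r.IsAdmin {
		u.IsAdmin, changed = r.IsAdmin, true
	}
	return u, changed
}

func main() {
	// Constructed sequence: created as a normal user, promoted in LDAP, then demoted.
	logins := []DirectoryResult{{"alice", false}, {"alice", true}, {"alice", false}}
	a, b := Store{}, Store{}
	for _, r := range logins {
		y, changed := b.LoginSync(r)
		fmt.Printf("ldap=%v create-only=%v sync=%v changed=%v\n",
			r.IsAdmin, a.LoginCreateOnly(r).IsAdmin, y.IsAdmin, changed)
	}
}
```

The `changed` return value is the point at which a privilege change driven by the directory can be written to an audit log.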