From 7c026d22caebd755ebbc8a969365f2c8c30d789d Mon Sep 17 00:00:00 2001 From: Gary Moon Date: Fri, 5 May 2023 14:18:53 -0400 Subject: [PATCH] Update LDAP filters to include both username and email address (#24547) Since the login form label for user_name unconditionally displays `Username or Email Address` for the `user_name` field, bring matching LDAP filters to more prominence in the documentation/placeholders. Signed-off-by: Gary Moon --- doc/administration/command-line.en-us.md | 2 +- doc/usage/authentication.en-us.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/doc/administration/command-line.en-us.md b/doc/administration/command-line.en-us.md index bf4578af..37ba0c04 100644 --- a/doc/administration/command-line.en-us.md +++ b/doc/administration/command-line.en-us.md @@ -225,7 +225,7 @@ Admin operations: - `--synchronize-users`: Enable user synchronization. - `--page-size value`: Search page size. - Examples: - - `gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-search-base "ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(uid=%s))" --email-attribute mail` + - `gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host mydomain.org --port 389 --user-search-base "ou=Users,dc=mydomain,dc=org" --user-filter "(&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))" --email-attribute mail` - `update-ldap`: Update existing LDAP (via Bind DN) authentication source - Options: - `--id value`: ID of authentication source. Required. diff --git a/doc/usage/authentication.en-us.md b/doc/usage/authentication.en-us.md index 2b8cdd29..d9648200 100644 --- a/doc/usage/authentication.en-us.md +++ b/doc/usage/authentication.en-us.md @@ -100,9 +100,9 @@ Adds the following fields: - User Filter **(required)** - An LDAP filter declaring how to find the user record that is attempting to - authenticate. The `%s` matching parameter will be substituted with login + authenticate. The `%[1]s` matching parameter will be substituted with login name given on sign-in form. - - Example: `(&(objectClass=posixAccount)(uid=%s))` + - Example: `(&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))` - Example for Microsoft Active Directory (AD): `(&(objectCategory=Person)(memberOf=CN=user-group,OU=example,DC=example,DC=org)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))` - To substitute more than once, `%[1]s` should be used instead, e.g. when matching supplied login name against multiple attributes such as user @@ -137,11 +137,11 @@ Adds the following fields: - Example: `ou=Users,dc=mydomain,dc=com` - User Filter **(required)** - - An LDAP filter declaring when a user should be allowed to log in. The `%s` + - An LDAP filter declaring when a user should be allowed to log in. The `%[1]s` matching parameter will be substituted with login name given on sign-in form. - - Example: `(&(objectClass=posixAccount)(cn=%s))` - - Example: `(&(objectClass=posixAccount)(uid=%s))` + - Example: `(&(objectClass=posixAccount)(|(cn=%[1]s)(mail=%[1]s)))` + - Example: `(&(objectClass=posixAccount)(|(uid=%[1]s)(mail=%[1]s)))` ### Verify group membership in LDAP