update login source to ldap-simple

Emmanuel Averty 2023-06-25 12:11:59 +02:00 committed by grosmanal
parent b1883d875a
commit 8b5577525d
4 changed files with 35 additions and 7 deletions


@ -1,5 +1,15 @@
## Additional informations
### Known issue about admin access
This package ask during its installation which group of users should be considered as forgejo administrators. These users should be able to access the admin page of forgejo. But they won't :(
Two forgejo features are not yet compatible :
- the reverse proxy authentication (which allows yunohost user to be automatically logged in forgejo)
- the login source (which tells forgejo to check yunohost users base to know if it is an admin or not)
The choice have been done to keep the reverse proxy authentication. But an [issue](https://codeberg.org/forgejo/forgejo/issues/930) is created to have both features.
In conclusion, this forgejo installation does not (yet) allow to access the forgejo admin page.
### Notes on SSH usage
If you want to use Forgejo with SSH and be able to pull/push with your SSH key, your SSH daemon must be properly configured to use private/public keys. Here is a sample configuration `/etc/ssh/sshd_config` that works with Forgejo:


@ -5,7 +5,7 @@ name = "Forgejo"
description.en = "Lightweight software forge"
description.fr = "Forge logiciel légère"
version = "1.19.3-0~ynh1"
version = "1.19.3-0~ynh2"
maintainers = ["Emmanuel Averty"]
@ -34,15 +34,16 @@ ram.runtime = "2G"
type = "path"
default = "/forgejo"
[install.admin]
type = "user"
[install.init_main_permission]
help.en = "If enabled, Forgejo will be accessible by people who do not have an account. This can be changed later via the webadmin."
help.fr = "Si cette case est cochée, Forgejo sera accessible aux personnes nayant pas de compte. Vous pourrez changer ceci plus tard via la webadmin."
type = "group"
default = "visitors"
[install.init_admin_permission]
help.en = "Users of this group should have access to Forgejo admin page (but the won't : see application description in yunohost admin)"
help.fr = "Les utilisateurs de ce groupe devrait avoir accès à la page d'administration de Forgejo (mais cela ne fonctionne pas : voir la description de l'application dans l'administration de yunohost"
type = "group"
default = "admins"
[resources]
[resources.sources.main]
amd64.url = "https://codeberg.org/attachments/8dc303a9-8a4e-416c-8d6c-62e0d3e289e8"
@ -68,6 +69,11 @@ ram.runtime = "2G"
[resources.permissions]
main.url = "/"
admin.allowed = "admins"
admin.show_tile = false
admin.auth_header = false
admin.protected = true
[resources.apt]
packages = "postgresql"
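Review bot: `admin.allowed = "admins"` under `[resources.permissions]` is a literal group name, while the `[install.init_admin_permission]` question in the earlier hunk defaults to `"admins"` but its answer is not visibly consumed anywhere in this section; if the installer answers with another group, the permission would still be granted to `admins` unless the packaging resolves that question elsewhere — worth confirming, or documenting that the two must agree. With `admin.protected = true` the group presumably cannot be adjusted later from the webadmin either, which makes getting the initial value right more important (hedged: the semantics of `protected` are not shown here). The English help text has a typo, `but the won't` → `but they won't`, and the French text is missing its closing parenthesis after `yunohost`.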


@ -99,7 +99,7 @@ ynh_add_fail2ban_config --logpath "/var/log/$app/forgejo.log" --failregex ".*Fai
ynh_script_progression --message="Adding LDAP configuration..." --weight=1
pushd "$install_dir"
ynh_exec_as $app ./forgejo admin auth add-ldap --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-filter "(&(uid=%s)(objectClass=posixAccount)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" --admin-filter "(permission=cn=$app.admin,ou=permission,dc=yunohost,dc=org)"
ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
popd
#=================================================
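Review bot: The new `--admin-filter` value hardcodes `cn=forgejo.admin` while `--user-filter` on the same line still uses `cn=$app.main`; for a second instance (where `$app` is not `forgejo`) the admin check would consult another app's permission, so it should read `--admin-filter "(permission=cn=$app.admin,ou=permission,dc=yunohost,dc=org)"`. The same literal is repeated in the upgrade script's `add-ldap-simple` call and should be fixed there as well. `--skip-tls-verify` appears to have no effect together with `--security-protocol "Unencrypted"` and could be dropped so the line does not suggest TLS is in use. The `ou=Users` in `--user-dn` versus `ou=users` in `--user-search-base` is harmless for DN matching but worth making consistent.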


@ -28,6 +28,18 @@ ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
# Update forgejo login source
pushd "$install_dir"
old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1)
if [ ! -z $old_login_source_id ]; then
# Delete old login source
ynh_exec_as $app ./forgejo admin auth delete --id $old_login_source_id
# Create new login source
ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
fi
popd
# forgejo home directory has changed (yunohost packaging v2)
# .ssh directory should move from old home dir (data_dir) to new one
# (/var/www/$app is the default value for home in resources.system_user)
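Review bot: `if [ ! -z $old_login_source_id ]` leaves the variable unquoted; should `auth list` ever return more than one matching row, the expansion word-splits and `[` errors out instead of taking the branch. Use `if [ -n "$old_login_source_id" ]; then` and quote `--id "$old_login_source_id"` on the delete line. The pipeline also assumes the `auth list` output is tab-separated for `cut -f 1` and that the old source's type column contains `via BindDN`; a short comment such as `# old source was created with add-ldap (listed as "LDAP (via BindDN)"); the new one is not matched, so this is idempotent` would help the next maintainer. The surrounding upgrade script continues outside the hunk.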