Drone auth not working from ldap users. Internal users works #2743

Closed
hdhog opened this issue Oct 19, 2017 · 8 comments
Labels: issue/confirmed, type/bug

Comments

@hdhog

hdhog commented Oct 19, 2017

  • Gitea version (or commit ref): 1.2.1
  • Git version: 2.10.0
  • Operating system: Gentoo
  • Database (use [x]):
    • PostgreSQL
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

I have set up Drone CI with Gitea 1.2.1. Users use LDAP authentication. When the user logs in to Drone, they receive a 401 Unauthorized response.
Users using the internal authentication are authorized in Drone without errors.

Headers

Request auth, user hdhog uses LDAP auth

GET /api/v1/users/hdhog/tokens HTTP/1.1
Host: rni-git.domain.local
User-Agent: Go-http-client/1.1
Authorization: Basic ************
Accept-Encoding: gzip

Response

HTTP/1.1 401 Unauthorized
Server: nginx/1.11.4
Date: Thu, 19 Oct 2017 08:19:23 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=3b83a0a31165124a; Path=/; HttpOnly
Set-Cookie: _csrf=Dyz3YGDpXqWFUfP7vYRmA8R1tZI6MTUwODQwMTE2MzQ2ODE2OTc4OQ%3D%3D; Path=/; Expires=Fri, 20 Oct 2017 08:19:23 GMT; HttpOnly
X-Frame-Options: SAMEORIGIN

Request auth, root user internal auth

GET /api/v1/users/root/tokens HTTP/1.1
Host: rni-git.domain.local
User-Agent: Go-http-client/1.1
Authorization: Basic ***********
Accept-Encoding: gzip

Response:

HTTP/1.1 200 OK
Server: nginx/1.11.4
Date: Thu, 19 Oct 2017 08:32:46 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: keep-alive
Keep-Alive: timeout=20
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=d5bd15cc06a4bad7; Path=/; HttpOnly
Set-Cookie: _csrf=Vql8i2VjWaZT3tqTCcT5EdS59HU6MTUwODQwMTk2NTk4ODg0OTk2Mg%3D%3D; ath=/; Expires=Fri, 20 Oct 2017 08:32:45 GMT; HttpOnly
X-Frame-Options: SAMEORIGIN

@lunny
Member

lunny commented Oct 19, 2017

Any log on the console or file?

@lafriks lafriks added this to the 1.x.x milestone Oct 19, 2017
@DblK
Member

DblK commented Jan 2, 2018

Has the user logged into Gitea first or not?
Depending on configuration, Drone uses organization, and this comes from Gitea, not LDAP.

Give it a try and tell us.

@jcgruenhage

I've just tried, I can query that endpoint with an LDAP user, no matter whether the user had first logged into Gitea or not.

@stale

stale bot commented Feb 8, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label Feb 8, 2019
@lunny lunny added issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented and removed issue/stale labels Feb 9, 2019
@maurerle

I am using Gitea with LDAP and just set up drone.io.
Login with LDAP worked like a charm. Seems like LDAP has not been set up correctly.

The only problem is drone.io ignoring the second-factor authentication and logging in immediately, but I don't think this is a real issue as the auth is just using the LDAP behind, right?

@ptman
Contributor

ptman commented May 22, 2019

Logs in immediately? I don't get it to log in unless I remove the second factor.

@maurerle

maurerle commented May 22, 2019

Yes, that's right. This is since Drone release 1.0, I think.
Version 0.9 just ignored the second factor and afterwards you don't have an option to log in with second-factor at all.
I hope this will be fixed in the future. But this seems to be a Drone issue.

@techknowlogick
Member

Closing this, as Drone 1.1.0 now supports using OAuth2 from Gitea, which supports connecting with any user incl. LDAP ones (also basic auth will soon be deprecated as a form of auth on Drone side). OAuth2 ensures that 2FA is followed. Please see https://discourse.drone.io/t/documentation-document-how-gogs-gitea-login-works/3762/7?u=techknowlogick for instructions on using oauth2 with Gitea/Drone.

@lafriks lafriks removed this from the 1.x.x milestone Jun 20, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020