mirror of https://gerrit.hackerspace.pl/hscloud synced 2024-10-18 02:58:06 +00:00
hscloud/app/codehosting
Piotr Dobrowolski a51e754022 app/codehosting: enable indexer, actions and notifications, disable footer identifiers
Change-Id: I1063748a9647f70623a8bf5f1ecec55ddeb6a8d1
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1782
Reviewed-by: q3k <q3k@hackerspace.pl>
2024-01-30 21:16:33 +00:00
app.ini.template app/codehosting: enable indexer, actions and notifications, disable footer identifiers 2024-01-30 21:16:33 +00:00
bootstrap-auth.sh app/codehosting: forgejo deployment 2024-01-30 21:16:33 +00:00
create-oidc-binding.sql app/codehosting: forgejo deployment 2024-01-30 21:16:33 +00:00
entrypoint.sh app/codehosting: forgejo deployment 2024-01-30 21:16:33 +00:00
forgejo.libsonnet app/codehosting: use code.hackerspace.pl as canonical name 2024-01-30 21:16:33 +00:00
prod.jsonnet app/codehosting: use code.hackerspace.pl as canonical name 2024-01-30 21:16:33 +00:00
README.md app/codehosting: forgejo deployment 2024-01-30 21:16:33 +00:00
signin_inner.tmpl app/codehosting: forgejo deployment 2024-01-30 21:16:33 +00:00

Hackerspace Code Hosting deployment

"Code Hosting service" below means Forgejo.

Due to certain specific requirements, our deployment is a little customized.

While we prefer users to use SSO/OpenID Connect for authentication, we also want the code hosting service to be aware of all active users so that it can correctly synchronize account access and SSH keys. When running with both LDAP and OpenID Connect integration enabled, users are automatically created in the local database from the LDAP source; however, the OpenID Connect identity is not automatically bound to LDAP users. This causes the code hosting service to still show a password-based authentication form in order to join the two identities.

The workaround in our case is a SQL trigger function, injected directly into the code hosting service's PostgreSQL database, that automatically creates an OpenID Connect -> LDAP identity binding. This trigger can be reviewed in the create-oidc-binding.sql file in this directory. For this to work correctly, auto-registration needs to be disabled for the OpenID Connect integration, in case a new user attempts to log in before the code hosting service runs the external users synchronization job.

The LDAP users synchronization job has been adjusted to run every 10 minutes (in contrast to the default 24h, see app.ini.template).
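One way to write such a trigger for PostgreSQL, as an added example: it is not the contents of create-oidc-binding.sql and not the project's own code. The table and column names are assumptions based on Forgejo's database models, the login source name is a placeholder, and the OpenID Connect subject is assumed to equal the LDAP login name.

```sql
-- Added example; NOT the repository's create-oidc-binding.sql.
-- Assumed Forgejo schema (verify against the deployed version):
--   "user"(id, login_type, login_name), login_type 2 = LDAP
--   login_source(id, name, type), type 6 = OAuth2 / OpenID Connect
--   external_login_user(external_id, user_id, login_source_id, provider),
--     primary key (external_id, login_source_id)
-- Assumed: the IdP's "sub" claim equals the LDAP login name, and the
-- provider column holds the login source name.

CREATE OR REPLACE FUNCTION bind_ldap_user_to_oidc() RETURNS trigger AS $$
DECLARE
    oidc_source_id bigint;
BEGIN
    -- Only users created by the LDAP synchronization get a binding.
    IF NEW.login_type <> 2 OR NEW.login_name IS NULL OR NEW.login_name = '' THEN
        RETURN NEW;
    END IF;

    SELECT id INTO oidc_source_id
      FROM login_source
     WHERE type = 6 AND name = 'PLACEHOLDER_OIDC_SOURCE_NAME';

    IF oidc_source_id IS NULL THEN
        RAISE WARNING 'OIDC login source not found, no binding for user %', NEW.id;
        RETURN NEW;
    END IF;

    -- Never overwrite an existing binding: a subject that is already
    -- bound to some account must stay bound to that account.
    INSERT INTO external_login_user (external_id, user_id, login_source_id, provider)
    VALUES (NEW.login_name, NEW.id, oidc_source_id, 'PLACEHOLDER_OIDC_SOURCE_NAME')
    ON CONFLICT (external_id, login_source_id) DO NOTHING;

    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

DROP TRIGGER IF EXISTS bind_ldap_user_to_oidc ON "user";
CREATE TRIGGER bind_ldap_user_to_oidc
    AFTER INSERT ON "user"
    FOR EACH ROW EXECUTE FUNCTION bind_ldap_user_to_oidc();

-- Audit query: LDAP users that still lack any external binding.
SELECT u.id, u.login_name
  FROM "user" u
  LEFT JOIN external_login_user e ON e.user_id = u.id
 WHERE u.login_type = 2 AND e.user_id IS NULL;
```

The audit query is worth running after each Forgejo upgrade, since a schema migration can silently break a trigger that lives outside the application's own migrations.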

The Explore page has the users listing disabled. Email and name display is disabled.