Organization/Team membership for new users

[stertingen]

• Gitea version (or commit ref): 1.8.2
• Git version: 2.20.1
• Operating system: Docker on Debian
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

I'm using Gitea for a pretty small organization (20-30 members, but continuously changing) with LDAP (simple auth) login. When a new user logs in for the first time, I want them to have full access to all repositories owned by a organization ('MyOrga').

Is there a way to add any user to a team (for example 'Developers' in organization 'MyOrga') on first login?

(Alternative, more general approach: Map LDAP groups to teams in organizations. This would be nice to grant extra permissions based on the LDAP group; a default team membership would be realized using a filter returning true. Already proposed: #2121, #2212)

[TwoTwenty]

I also need this/these feature/features.

[guillep2k]

Yes, a perfect scenario would be for this to be a dynamic feature: gitea could get group membership externaly and there would be a group <---> team relationship on each organization, and users will be added/removed automatically when there are any changes. For unix/linux environments a general solution could be the command "id -Gn user" (there is a -z flag to force the separator to be \0 to support group names with spaces on them); this would be nice because it's just a system configuration and doesn't depend on the technology. For windows, there are other methods (like get-aduser in powershell).

The problem is to generalize this feature to something already supported by gitea (pam, ldap, etc.) and make it consistent. Ideally this could be some kind of plugin or extension linked to the organization.

[guillep2k]

Yes, a perfect scenario would be for this to be a dynamic feature: gitea could get group membership externaly and there would be a group <---> team relationship on each organization, and users will be added/removed automatically when there are any changes. For unix/linux environments a general solution could be the command "id -Gn user" (there is a -z flag to force the separator to be \0 to support group names with spaces on them); this would be nice because it's just a system configuration and doesn't depend on the technology. For windows, there are other methods (like get-aduser in powershell).

The problem is to generalize this feature to something already supported by gitea (pam, ldap, etc.) and make it consistent. Ideally this could be some kind of plugin or extension linked to the organization.

Well, digging deeper in the documentation I now realize that we can use the API for such level of customization. Kudos to the Gitea team.

[maxguru]

I would find this useful too.

[jfint]

I would really like for this to stay alive.

[dorbeus]

In gitlab this function works like this.
https://youtu.be/HPMjM-14qa8

[IntelligentesTierMaulApollo13]

Could this enhancement in gogs help here?
gogs/gogs#662

[alexattws]

We've implemented mapping LDAP groups to teams in (all) organizations (by group/team name) and published it here, if anyone is interested,
https://github.com/tws-inc/gitea-group-sync

[KaiMartin]

We've implemented mapping LDAP groups to teams in (all) organizations (by group/team name) and published it here, if anyone is interested,
https://github.com/tws-inc/gitea-group-sync

We run gitea for about 200 people in a research institute. The ability to map LDAP groups to teams and organizations would reduce day-to-day administration significantly. I will try to adapt your approach to our needs. Will report on the progress - but don't hold your breadth...

[pbodnar]

1. Sure, the gitea-group-sync looks promising and easily adaptable approach for any company.
2. This issue describes de-facto the same requirement as Add user to organization based on LDAP group membership #2121 or even earlier Support for LDAP and AD Group sync #1395. Close it as a duplicate then?