janosmiko
diff --git a/‎.github/workflows/docker-publish.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/docker-publish.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎Dockerfile‎
Lines changed: 4 additions & 4 deletions b/‎Dockerfile‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 45 additions & 34 deletions b/‎README.md‎
Lines changed: 45 additions & 34 deletions
diff --git a/‎TODO.md‎
Lines changed: 4 additions & 0 deletions b/‎TODO.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎config.go‎
Lines changed: 31 additions & 14 deletions b/‎config.go‎
Lines changed: 31 additions & 14 deletions
diff --git a/‎config.yaml.sample‎
Lines changed: 21 additions & 4 deletions b/‎config.yaml.sample‎
Lines changed: 21 additions & 4 deletions
@@ -22,9 +22,9 @@ jobs:
     - name: Build
       run: |-
         docker build \
-          --tag "ghcr.io/janosmiko/gitea-group-sync:latest" \
+          --tag "ghcr.io/janosmiko/gitea-ldap-sync:latest" \
           .
 
     - name: Publish
       run: |-
-        docker push "ghcr.io/janosmiko/gitea-group-sync:latest"
+        docker push "ghcr.io/janosmiko/gitea-ldap-sync:latest"
@@ -1,20 +1,20 @@
 FROM golang:1.17.8-bullseye AS build
 
-WORKDIR /go/src/github.com/janosmiko/gitea-group-sync/
+WORKDIR /go/src/github.com/janosmiko/gitea-ldap-sync/
 
 COPY go.mod go.sum ./
 
 RUN go mod download -x
 
 COPY . ./
 
-RUN CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-extldflags "-static"' -o gitea-group-sync .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-extldflags "-static"' -o gitea-ldap-sync .
 
 FROM debian:bullseye-slim
 
-COPY --from=build /go/src/github.com/janosmiko/gitea-group-sync/gitea-group-sync /usr/bin/gitea-group-sync
+COPY --from=build /go/src/github.com/janosmiko/gitea-ldap-sync/gitea-ldap-sync /usr/bin/gitea-ldap-sync
 
 RUN apt-get update && apt-get install -y ca-certificates \
     && rm -fr /var/cache/apt/
 
-ENTRYPOINT ["/usr/bin/gitea-group-sync"]
+ENTRYPOINT ["/usr/bin/gitea-ldap-sync"]
@@ -1,17 +1,20 @@
-# Gitea Group Sync from LDAP
+# Gitea Advanced LDAP User/Group Sync
 
-This application is designed to sync LDAP groups and user membership to Gitea.
+This application is designed to sync LDAP users, groups (orgs and teams) and user membership to Gitea.
 
 It can do the following:
 
+- **Create** (and optionally delete) **Gitea Users** based on **LDAP users**.
 - **Create** (and optionally delete) **Gitea Organizations** based on **LDAP groups**.
 - **Create** (and optionally delete) **Gitea Teams** inside Organizations based on **LDAP subgroups**.
 - **Attach** existing **Gitea Users** to appropriate **Gitea Teams** based on group membership information in LDAP.
 
-**The application is not going to sync users from LDAP to Gitea as Gitea provides a solution for that.**
+~~The application is not going to sync users from LDAP to Gitea as Gitea provides a solution for that.~~
+
+This application syncs users as well. We suggest to disable Gitea LDAP user sync (but you can still use Gitea's LDAP Provider).
 
 Docker image available
-at [ghcr.io/janosmiko/gitea-group-sync](https://github.com/janosmiko/gitea-group-sync/pkgs/container/gitea-group-sync).
+at [ghcr.io/janosmiko/gitea-ldap-sync](https://github.com/janosmiko/gitea-ldap-sync/pkgs/container/gitea-ldap-sync).
 
 ## Usage
 
@@ -25,7 +28,7 @@ docker-compose up -d
 
 ### Kubernetes
 
-Modify the values in [deploy/secret.yaml](deploy/secret.yaml) and [deploy/job.yaml](deploy/job.yaml) and apply them to Kubernetes.
+Modify the values in [deploy/secret.yaml](deploy/secret.yaml) and [deploy/job.yaml](deploy/deployment.yaml) and apply them to Kubernetes.
 
 ```
 kubectl apply -f deploy/secret.yaml
@@ -39,34 +42,43 @@ Variables.
 
 Available Environment Variables (find example values in [config.yaml.sample](config.yaml.sample)):
 
-| Variable                       | Description                                                | Default            |
-|--------------------------------|------------------------------------------------------------|--------------------|
-| `DEBUG`                        | Enable debug mode                                          | `false`            |
-| `GITEA_BASE_URL`               | Gitea baseURL in `https://user@gitea.com` format.          | `""`               |
-| `GITEA_TOKEN`                  | Gitea admin user token                                     | `""`               |
-| `LDAP_URL`                     | LDAP connection URL                                        | `""`               |
-| `LDAP_PORT`                    | LDAP connection port                                       | `389`              |
-| `LDAP_USE_TLS`                 | Enable TLS connection for LDAP                             | `true`             |
-| `LDAP_ALLOW_INSECURE_TLS`      | Allow insecure TLS connections (disable cert verification) | `false`            |
-| `LDAP_BIND_DN`                 | LDAP Bind DN (or username)                                 | `""`               |
-| `LDAP_BIND_PASSWORD`           | LDAP Bind Password                                         | `""`               |
-| `LDAP_USER_SEARCH_BASE`        | LDAP User Search Base                                      | `""`               |
-| `LDAP_USER_FILTER`             | LDAP User Filter                                           | `""`               |
-| `LDAP_USER_IDENTITY_ATTRIBUTE` | LDAP attribute to match Gitea User                         | `"sAMAccountName"` |
-| `LDAP_USER_FULLNAME`           | LDAP attribute for Gitea User Fullname                     | `"cn"`             |
-| `LDAP_GROUP_SEARCH_BASE`       | LDAP Group Search Base (Gitea Organizations)               | `""`               |
-| `LDAP_GROUP_FILTER`            | LDAP Group Filter                                          | `""`               |
-| `LDAP_SUBGROUP_SEARCH_BASE`    | LDAP Subgroup Search Base (Gitea Teams)                    | `""`               |
-| `LDAP_SUBGROUP_FILTER`         | LDAP Subgroup filter                                       | `""`               |
-| `LDAP_EXCLUDE_GROUPS`          | Exclude groups from sync (separated by whitespace)         | `""`               |
-| `LDAP_EXCLUDE_GROUPS_REGEX`    | Exclude groups from sync (regular expression)              | `""`               |
-| `LDAP_EXCLUDE_SUBGROUPS`       | Exclude subgroups from sync (separated by whitespace)      | `""`               |
-| `LDAP_EXCLUDE_SUBGROUPS_REGEX` | Exclude groups from sync (regular expression)              | `""`               |
-| `LDAP_TRIM_PARENT_NAME`        | Trim parent name from subgroup name                        | `false`            |
-| `LDAP_SUBGROUP_SEPARATOR`      | Trim parent name from subgroup name by this separator      | `"/"`              |
-| `CRON_TIMER`                   | Configure the schedule of the sync (cron format)           | `"@every 1m"`      |
-| `SYNC_CONFIG_CREATE_GROUPS`    | Create non-existing groups in Gitea.                       | `true`             |
-| `SYNC_CONFIG_FULL_SYNC`        | Delete groups from Gitea if they are not existing in LDAP  | `false`            |
+| Variable                             | Description                                                   | Default            |
+|--------------------------------------|---------------------------------------------------------------|--------------------|
+| `DEBUG`                              | Enable debug mode                                             | `false`            |
+| `GITEA_BASE_URL`                     | Gitea baseURL in `https://user@gitea.com` format.             | `""`               |
+| `GITEA_TOKEN`                        | Gitea admin user token                                        | `""`               |
+| `LDAP_URL`                           | LDAP connection URL                                           | `""`               |
+| `LDAP_PORT`                          | LDAP connection port                                          | `389`              |
+| `LDAP_USE_TLS`                       | Enable TLS connection for LDAP                                | `true`             |
+| `LDAP_ALLOW_INSECURE_TLS`            | Allow insecure TLS connections (disable cert verification)    | `false`            |
+| `LDAP_BIND_DN`                       | LDAP Bind DN (or username)                                    | `""`               |
+| `LDAP_BIND_PASSWORD`                 | LDAP Bind Password                                            | `""`               |
+| `LDAP_USER_SEARCH_BASE`              | LDAP User Search Base                                         | `""`               |
+| `LDAP_USER_FILTER`                   | LDAP User Filter                                              | `""`               |
+| `LDAP_USER_USERNAME_ATTRIBUTE`       | LDAP attribute for Gitea User Username                        | `"sAMAccountName"` |
+| `LDAP_USER_FULLNAME_ATTRIBUTE`       | LDAP attribute for Gitea User Fullname                        | `"cn"`             |
+| `LDAP_USER_FIRST_NAME_ATTRIBUTE`     | LDAP attribute for Gitea User First Name (first + sur = full) | `""`               |
+| `LDAP_USER_SURNAME_ATTRIBUTE`        | LDAP attribute for Gitea User Surname                         | `""`               |
+| `LDAP_USER_EMAIL_ATTRIBUTE`          | LDAP attribute for Gitea User Email                           | `"mail"`           |
+| `LDAP_USER_PUBLIC_SSH_KEY_ATTRIBUTE` | LDAP attribute for Gitea User SSH Key                         | `"sshPublicKey"`   |
+| `LDAP_USER_AVATAR_ATTRIBUTE`         | LDAP attribute for Gitea User Avatar                          | `"avatar"`         |
+| `LDAP_EXCLUDED_USERS`                | Exclude users from sync (separated by whitespace)             | `"root"`           |
+| `LDAP_EXCLUDED_USERS_REGEX`          | Exclude users from sync (regular expression)                  | `""`               |
+| `LDAP_ADMIN_FILTER`                  | LDAP attribute for Gitea User Avatar                          | `""`               |
+| `LDAP_RESTRICTED_FILTER`             | LDAP attribute for Gitea User Avatar                          | `""`               |
+| `LDAP_GROUP_SEARCH_BASE`             | LDAP Group Search Base (Gitea Organizations)                  | `""`               |
+| `LDAP_GROUP_FILTER`                  | LDAP Group Filter                                             | `""`               |
+| `LDAP_SUBGROUP_SEARCH_BASE`          | LDAP Subgroup Search Base (Gitea Teams)                       | `""`               |
+| `LDAP_SUBGROUP_FILTER`               | LDAP Subgroup filter                                          | `""`               |
+| `LDAP_EXCLUDE_GROUPS`                | Exclude groups from sync (separated by whitespace)            | `""`               |
+| `LDAP_EXCLUDE_GROUPS_REGEX`          | Exclude groups from sync (regular expression)                 | `""`               |
+| `LDAP_EXCLUDE_SUBGROUPS`             | Exclude subgroups from sync (separated by whitespace)         | `""`               |
+| `LDAP_EXCLUDE_SUBGROUPS_REGEX`       | Exclude groups from sync (regular expression)                 | `""`               |
+| `LDAP_TRIM_PARENT_NAME`              | Trim parent name from subgroup name                           | `false`            |
+| `LDAP_SUBGROUP_SEPARATOR`            | Trim parent name from subgroup name by this separator         | `"/"`              |
+| `CRON_TIMER`                         | Configure the schedule of the sync (cron format)              | `"@every 1m"`      |
+| `SYNC_CONFIG_CREATE_GROUPS`          | Create non-existing groups in Gitea.                          | `true`             |
+| `SYNC_CONFIG_FULL_SYNC`              | Delete groups from Gitea if they are not existing in LDAP     | `false`            |
 
 
 Additional settings for creating Organizations and Teams in Gitea:
@@ -76,7 +88,6 @@ Additional settings for creating Organizations and Teams in Gitea:
 - `SYNC_CONFIG_DEFAULTS_TEAM_INCLUDES_ALL_REPOSITORIES`
 - `SYNC_CONFIG_DEFAULTS_TEAM_PERMISSION`
 - `SYNC_CONFIG_DEFAULTS_TEAM_UNITS`
-- `SYNC_CONFIG_DEFAULTS_TEAM_UNITS_MAP`
 
 # License
 
 
@@ -0,0 +1,4 @@
+# TODO
+
+- add avatar sync, when it's available in Gitea SDK
+- add ssh public key sync, when it's available in Gitea SDK
@@ -9,7 +9,7 @@ import (
 
 func initConfig() (*Config, error) {
 	viper.AddConfigPath(".")
-	viper.AddConfigPath("/etc/gitea-group-sync")
+	viper.AddConfigPath("/etc/gitea-ldap-sync")
 	viper.SetConfigName("config")
 	viper.SetConfigType("yaml")
 
@@ -20,19 +20,33 @@ func initConfig() (*Config, error) {
 
 	viper.SetTypeByDefaultValue(true)
 	viper.SetDefault("gitea.token", []string{""})
+	viper.SetDefault("ldap.exclude_users", []string{"root"})
 	viper.SetDefault("ldap.exclude_groups", []string{""})
 	viper.SetDefault("ldap.exclude_subgroups", []string{""})
 	viper.SetDefault("gitea.client_timeout", 10) // nolint:gomnd
 	viper.SetDefault("ldap.port", "389")
 	viper.SetDefault("ldap.use_tls", true)
 	viper.SetDefault("ldap.allow_insecure_tls", true)
-	viper.SetDefault("ldap.user_identity_attribute", "sAMAccountName")
-	viper.SetDefault("ldap.user_fullname", "cn")
+	viper.SetDefault("ldap.user_username_attribute", "sAMAccountName")
+	viper.SetDefault("ldap.user_fullname_attribute", "cn")
+	viper.SetDefault("ldap.user_first_name_attribute", "name")
+	viper.SetDefault("ldap.user_surname_attribute", "")
+	viper.SetDefault("ldap.user_email_attribute", "mail")
+	viper.SetDefault("ldap.user_public_ssh_key_attribute", "sshPublicKey")
+	viper.SetDefault("ldap.user_avatar_attribute", "avatar")
+	viper.SetDefault("ldap.admin_filter", "")
+	viper.SetDefault("ldap.restricted_filter", "")
 	viper.SetDefault("ldap.trim_parent_name", false)
 	viper.SetDefault("ldap.subgroup_separator", "/")
+	viper.SetDefault("ldap.exclude_users_regex", "")
+	viper.SetDefault("ldap.exclude_groups_regex", "")
+	viper.SetDefault("ldap.exclude_subgroups_regex", "")
 	viper.SetDefault("cron_timer", "@every 1m")
 	viper.SetDefault("sync_config.create_groups", true)
 	viper.SetDefault("sync_config.full_sync", false)
+	viper.SetDefault("sync_config.defaults.user.allow_create_organization", false)
+	viper.SetDefault("sync_config.defaults.user.max_repo_creation", 0)
+	viper.SetDefault("sync_config.defaults.user.visibility", "private")
 	viper.SetDefault("sync_config.defaults.organization.repo_admin_change_team_access", false)
 	viper.SetDefault("sync_config.defaults.organization.visibility", "private")
 	viper.SetDefault("sync_config.defaults.team.can_create_org_repo", false)
@@ -50,11 +64,6 @@ func initConfig() (*Config, error) {
         "repo.ext_wiki"
         ]`,
 	)
-	// nolint:lll
-	viper.SetDefault(
-		"sync_config.defaults.team.units_map",
-		`{"repo.code":"write","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"write","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"}`,
-	)
 
 	_ = viper.BindEnv("gitea.base_url")
 	_ = viper.BindEnv("gitea.token")
@@ -66,8 +75,14 @@ func initConfig() (*Config, error) {
 	_ = viper.BindEnv("ldap.bind_password")
 	_ = viper.BindEnv("ldap.user_filter")
 	_ = viper.BindEnv("ldap.user_search_base")
-	_ = viper.BindEnv("ldap.user_identity_attribute")
-	_ = viper.BindEnv("ldap.user_fullname")
+	_ = viper.BindEnv("ldap.user_username_attribute")
+	_ = viper.BindEnv("ldap.user_fullname_attribute")
+	_ = viper.BindEnv("ldap.user_first_name_attribute")
+	_ = viper.BindEnv("ldap.user_surname_attribute")
+	_ = viper.BindEnv("ldap.user_email_attribute")
+	_ = viper.BindEnv("ldap.user_public_ssh_key_attribute")
+	_ = viper.BindEnv("ldap.user_avatar_attribute")
+	_ = viper.BindEnv("ldap.exclude_users")
 	_ = viper.BindEnv("ldap.group_filter")
 	_ = viper.BindEnv("ldap.group_search_base")
 	_ = viper.BindEnv("ldap.subgroup_filter")
@@ -81,13 +96,15 @@ func initConfig() (*Config, error) {
 	_ = viper.BindEnv("cron_timer")
 	_ = viper.BindEnv("sync_config.create_groups")
 	_ = viper.BindEnv("sync_config.full_sync")
+	_ = viper.BindEnv("sync_config.defaults.user.allow_create_organization")
+	_ = viper.BindEnv("sync_config.defaults.user.max_repo_creation")
+	_ = viper.BindEnv("sync_config.defaults.user.visibility")
 	_ = viper.BindEnv("sync_config.defaults.organization.repo_admin_change_team_access")
 	_ = viper.BindEnv("sync_config.defaults.organization.visibility")
 	_ = viper.BindEnv("sync_config.team.can_create_org_repo")
 	_ = viper.BindEnv("sync_config.team.includes_all_repositories")
 	_ = viper.BindEnv("sync_config.team.permission")
 	_ = viper.BindEnv("sync_config.team.units")
-	_ = viper.BindEnv("sync_config.team.units_map")
 
 	for _, v := range viper.AllKeys() {
 		zap.S().Debug(v, ": ", viper.GetString(v))
@@ -135,10 +152,10 @@ func (c Config) checkConfig() {
 		zap.L().Info("LDAP_USER_SEARCH_BASE is empty")
 		missing = true
 	}
-	if len(c.LDAP.UserIdentityAttribute) == 0 {
-		zap.L().Info("LDAP_USER_IDENTITY_ATTRIBUTE is empty, using default: 'sAMAccountName'")
+	if len(c.LDAP.UserUsernameAttribute) == 0 {
+		zap.L().Info("LDAP_USER_USERNAME_ATTRIBUTE is empty, using default: 'sAMAccountName'")
 	}
-	if len(c.LDAP.UserFullName) == 0 {
+	if len(c.LDAP.UserFullNameAttribute) == 0 {
 		zap.L().Info("LDAP_USER_FULLNAME is empty, using default: 'cn'")
 	}
 	if len(c.LDAP.GroupFilter) == 0 {
 
@@ -1,4 +1,4 @@
-# Example Configuration for gitea-group-sync
+# Example Configuration for gitea-ldap-sync
 debug: false
 
 # Gitea Configuration
@@ -20,8 +20,19 @@ ldap:
 
   user_search_base: 'ou=users,DC=ldap,DC=example,DC=com'
   user_filter: '(&(objectClass=user)(memberOf=*))'
-  user_identity_attribute: "sAMAccountName"
-  user_fullname: "cn"    # can be changed to "sn" if needed
+  user_username_attribute: "sAMAccountName"
+  user_fullname_attribute: "cn"    # can be changed to "sn" if needed
+  user_first_name_attribute: ""
+  user_surname_attribute: ""
+  user_email_attribute: "mail"
+  user_public_ssh_key_attribute: "sshPublicKey"
+  user_avatar_attribute: "avatar"
+
+  exclude_users: []
+  exclude_users_regex: ""
+
+  admin_filter: ""
+  restricted_filter: ""
 
   # These groups will be mapped as Organizations in Gitea
   group_search_base: 'ou=groups,DC=ldap,DC=example,DC=com'
@@ -55,6 +66,9 @@ ldap:
 cron_timer: '@every 1m'
 
 sync_config:
+  # If CreateUsers is set to true, the process will create Users in Gitea.
+  create_users: true
+
   # If CreateGroups is set to true, the process will create Organizations and Teams in Gitea.
   create_groups: true
 
@@ -64,6 +78,10 @@ sync_config:
 
   # Default settings for creating Organizations and Teams in Gitea.
   defaults:
+    user:
+      allow_create_organization: false
+      max_repo_creation: 0
+      visibility: "private"                 # Valid options: private, limited, public
     organization:
       repo_admin_change_team_access: false
       visibility: "private"
@@ -82,4 +100,3 @@ sync_config:
         "repo.projects",
         "repo.ext_wiki"
         ]
-      units_map: '{"repo.code":"write","repo.issues":"write","repo.ext_issues":"none","repo.wiki":"write","repo.pulls":"owner","repo.releases":"none","repo.projects":"none","repo.ext_wiki":"none"}'
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +# TODO
++
 +- add avatar sync, when it's available in Gitea SDK
 +- add ssh public key sync, when it's available in Gitea SDK