Skip to main content

Overview

Gitea supports multiple authentication methods including LDAP, OAuth2, SMTP, and PAM. Authentication sources can be managed through the web interface or command-line.

Managing Authentication Sources

List Authentication Sources

View all configured authentication sources:
Customize the output format:

Delete Authentication Source

Remove an authentication source by ID:

LDAP Authentication

Gitea supports two LDAP authentication modes:
  1. Bind DN - Search for users using a service account
  2. Simple Auth - Authenticate directly with user credentials

LDAP via Bind DN

Add LDAP Source

Update LDAP Source

LDAP Configuration Options

name
string
required
Authentication source name
security-protocol
string
required
Security protocol: unencrypted, ldaps, or starttls
host
string
required
LDAP server hostname or IP address
port
number
required
LDAP server port (typically 389 for LDAP, 636 for LDAPS)
bind-dn
string
DN to bind to the LDAP server (Bind DN mode only)
bind-password
string
Password for the bind DN (Bind DN mode only)
user-search-base
string
required
LDAP base DN where user accounts are searched
user-filter
string
required
LDAP filter to find user records. Use %s as placeholder for username. Example: (&(objectClass=inetOrgPerson)(uid=%s))
username-attribute
string
LDAP attribute containing the username (e.g., uid, sAMAccountName)
firstname-attribute
string
LDAP attribute for first name (e.g., givenName)
surname-attribute
string
LDAP attribute for surname (e.g., sn)
email-attribute
string
required
LDAP attribute for email address (e.g., mail)
public-ssh-key-attribute
string
LDAP attribute containing SSH public keys
avatar-attribute
string
LDAP attribute containing user avatar image
admin-filter
string
LDAP filter to identify admin users
restricted-filter
string
LDAP filter to identify restricted users
skip-tls-verify
boolean
default:"false"
Skip TLS certificate verification (not recommended for production)
synchronize-users
boolean
default:"false"
Enable periodic user synchronization
page-size
number
LDAP search page size for pagination

Group Mapping

Map LDAP groups to Gitea organization teams:

LDAP Simple Auth

For LDAP servers where you can construct the user DN directly:

OAuth2 Authentication

Configure OAuth2 providers like GitHub, GitLab, Google, or custom OpenID Connect providers.

Add OAuth2 Source

OAuth2 Configuration Options

name
string
required
Authentication source display name
provider
string
required
OAuth2 provider: github, gitlab, google, azure, bitbucket, discord, gitea, openidConnect, etc.
key
string
required
OAuth2 client ID
secret
string
required
OAuth2 client secret
auto-discover-url
string
OpenID Connect auto-discovery URL (required for openidConnect provider)
scopes
string
Comma-separated OAuth2 scopes to request
icon-url
string
Custom icon URL for the login button
skip-local-2fa
boolean
default:"false"
Skip Gitea’s 2FA for users authenticated via this source

Custom OAuth2 Endpoints

For self-hosted OAuth2 providers:

OAuth2 Claims and Groups

Update OAuth2 Source

SMTP Authentication

Allow users to authenticate using their email credentials via SMTP.

Add SMTP Source

SMTP Configuration Options

name
string
required
Authentication source name
auth-type
string
default:"PLAIN"
SMTP authentication type: PLAIN, LOGIN, or CRAM-MD5
host
string
required
SMTP server hostname
port
number
required
SMTP server port (typically 25, 465, or 587)
force-smtps
boolean
default:"false"
Force SMTPS on all ports (normally only port 465)
skip-verify
boolean
default:"false"
Skip TLS certificate verification
helo-hostname
string
Hostname sent with HELO command (defaults to current hostname)
disable-helo
boolean
default:"false"
Disable SMTP HELO command
allowed-domains
string
Comma-separated list of allowed email domains. Leave empty to allow all.

Update SMTP Source

Configuration via app.ini

While the CLI is recommended, you can also configure authentication in app.ini:

Two-Factor Authentication

Configure 2FA policies:

Testing Authentication

After configuring an authentication source:
1

Verify Source is Active

Ensure the “Enabled” column shows true
2

Test Login

Attempt to log in via the web interface using credentials from the authentication source
3

Check Logs

Monitor logs for authentication errors:

Best Practices

  • Use LDAPS/StartTLS: Always encrypt LDAP connections in production
  • Restrict Filters: Use LDAP filters to limit which users can authenticate
  • Test Separately: Test authentication sources in a non-production environment first
  • Group Mapping: Use group mapping to automatically assign team memberships
  • Monitor Sync: Enable user synchronization to keep LDAP users up-to-date
  • Backup Sources: Export authentication configuration before making changes