"Code Hosting service" below means Forgejo.
Due to certain specific requirements our deployment is a little customized.
While we prefer users to authenticate via SSO/OpenID Connect, we also want the code hosting service to be aware of all active users so that it can correctly synchronize account access and SSH keys. When running with both LDAP and OpenID Connect integration enabled, users are automatically created in the local database from the LDAP source; however, the OpenID Connect identity is not automatically bound to the LDAP user. This causes the code hosting service to still show a password-based authentication form in order to join the two identities.
The workaround in our case is a SQL trigger function, injected directly into the code hosting service's PostgreSQL database, that automatically creates the OpenID Connect -> LDAP identity binding. The trigger can be reviewed in the create-oidc-binding.sql file. For this to work correctly, auto-registration needs to be disabled for the OpenID Connect integration, in case a new user attempts to log in before the code hosting service runs the external users synchronization job.
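The following PL/pgSQL is an added illustration of the trigger approach described above; it is not the deployment's own create-oidc-binding.sql. It assumes the Forgejo/Gitea schema as the author of this example knows it (a "user" table with id, lower_name, login_type and login_source; a login_source table with id, type and name; an external_login_user table keyed on external_id plus login_source_id, with a provider column), the login type codes 2 = LDAP via BindDN, 5 = LDAP simple auth and 6 = OAuth2, an OpenID Connect login source named 'sso' (a placeholder), and an identity provider whose "sub" claim equals the LDAP login name. Every one of these must be checked against the running Forgejo version and the IdP before use.

```sql
-- Added example, not the deployment's create-oidc-binding.sql.
-- Assumptions (verify against your Forgejo version and IdP):
--   * "user"(id, lower_name, login_type, login_source) exists
--   * login_type 2 = LDAP (BindDN), 5 = LDAP (simple auth), 6 = OAuth2
--   * login_source(id, type, name) exists
--   * external_login_user(external_id, user_id, login_source_id, provider)
--     has the composite primary key (external_id, login_source_id)
--   * the OIDC source is named 'sso' (placeholder) and its "sub" claim
--     is the LDAP login name, i.e. equals "user".lower_name

CREATE OR REPLACE FUNCTION bind_ldap_user_to_oidc() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    oidc_source_id bigint;
BEGIN
    -- Only accounts created by the LDAP synchronization job are bound;
    -- locally created or OAuth2-created accounts are left untouched.
    IF NEW.login_type NOT IN (2, 5) THEN
        RETURN NEW;
    END IF;

    SELECT id INTO oidc_source_id
      FROM login_source
     WHERE type = 6 AND name = 'sso';   -- placeholder source name

    -- Without an OIDC source there is nothing to bind to; do not block
    -- the user insert, but leave a trace in the PostgreSQL log.
    IF oidc_source_id IS NULL THEN
        RAISE WARNING 'OIDC login source not found, no binding for user %',
                      NEW.lower_name;
        RETURN NEW;
    END IF;

    -- The external_id is what the IdP returns as "sub"; here it is assumed
    -- to be the LDAP login name. Re-running the sync job must not fail on
    -- an existing binding, hence ON CONFLICT ... DO NOTHING.
    INSERT INTO external_login_user (external_id, user_id, login_source_id, provider)
    VALUES (NEW.lower_name, NEW.id, oidc_source_id, 'sso')
    ON CONFLICT (external_id, login_source_id) DO NOTHING;

    RETURN NEW;
END;
$$;

-- "user" is a reserved word in PostgreSQL and must be quoted.
-- PostgreSQL 11+ syntax; older releases use EXECUTE PROCEDURE.
DROP TRIGGER IF EXISTS user_oidc_binding ON "user";
CREATE TRIGGER user_oidc_binding
AFTER INSERT ON "user"
FOR EACH ROW EXECUTE FUNCTION bind_ldap_user_to_oidc();

-- One-off backfill for LDAP users that were synchronized before the
-- trigger existed; same assumptions as above.
INSERT INTO external_login_user (external_id, user_id, login_source_id, provider)
SELECT u.lower_name, u.id, ls.id, ls.name
  FROM "user" u
  JOIN login_source ls ON ls.type = 6 AND ls.name = 'sso'
 WHERE u.login_type IN (2, 5)
ON CONFLICT (external_id, login_source_id) DO NOTHING;

-- Review query: every LDAP user should have exactly one OIDC binding.
SELECT u.lower_name, e.external_id, e.login_source_id
  FROM "user" u
  LEFT JOIN external_login_user e ON e.user_id = u.id
 WHERE u.login_type IN (2, 5)
 ORDER BY u.lower_name;
```

The value written to external_id decides which identity from the IdP gets the local account, so the claim chosen as the subject must be one the IdP guarantees to be stable and unique per user; if the IdP issues an opaque subject instead of the login name, the expression in the INSERT has to be replaced by whatever maps that subject to the LDAP account. Keeping auto-registration disabled, as stated above, also means a subject the trigger has not yet bound is rejected rather than turned into a second, unsynchronized account.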
The LDAP users synchronization job has been adjusted to run every 10 minutes (in contrast to the default 24h; see app.ini.template).
The Explore page has the users listing disabled. Display of email addresses and full names is disabled.