From 228baa80b2063bc2692474e3bbc6eeef887f063e Mon Sep 17 00:00:00 2001
From: Friedrich Beckmann
Date: Sat, 27 Apr 2013 22:20:26 +0200
Subject: [PATCH 1/2] LDAP Authentification with grack for https push - fixed password check
---
 lib/gitlab/backend/grack_auth.rb | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index abbee6132d3..9de68283dc0 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -1,4 +1,5 @@
 require_relative 'shell_env'
+require 'omniauth-ldap'
 module Grack
 class Auth < Rack::Auth::Basic
@@ -32,8 +33,14 @@ module Grack
 # Authentication with username and password
 login, password = @auth.credentials
 self.user = User.find_by_email(login) || User.find_by_username(login)
- return false unless user.try(:valid_password?, password)
+ if user.nil?
+ ldap_auth(login,password)
+ return false unless !user.nil?
+ else
+ return false unless user.valid_password?(password);
+ end
+
 Gitlab::ShellEnv.set_env(user)
 end
@@ -47,6 +54,23 @@ module Grack
 end
 end
+ def ldap_auth(login, password)
+ # Check user against LDAP backend if user is not authenticated
+ # Only check with valid login and password to prevent anonymous bind results
+ gl = Gitlab.config
+ if gl.ldap.enabled && !login.blank? && !password.blank?
+ ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+ if ldap_user
+ self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+ end
+ end
+ end
+
 def validate_get_request
 project.public || can?(user, :download_code, project)
 end
--
GitLab
From 20a88f5c43efa3ab0af80d26c90268132e6f7997 Mon Sep 17 00:00:00 2001
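Review bot: The LDAP path is reached only when neither the email nor the username lookup finds a row, so an account that already exists locally but is LDAP-backed is checked with `user.valid_password?(password)` alone and, as far as this hunk shows, never reaches `ldap_auth`; if such accounts carry no usable local password (not visible here), their HTTPS push fails even with correct LDAP credentials, and the branch condition would better be based on how the account is provisioned than on the lookup failing. The same structure survives in the second patch's hunk, so the point applies there as well. Separately, `return false unless !user.nil?` is a double negative; `return false if user.nil?` says the same thing. The enclosing method's `def` line is outside the hunk.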
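Review bot: `ldap_auth` reports its outcome only by assigning `self.user` and otherwise returns whatever the outer `if` evaluates to (nil when LDAP is disabled, a credential is blank, or the bind fails), which is why the caller has to re-inspect `user` afterwards; ending the method with `user` as its last expression would make that contract explicit. The blank-credential guard deserves a comment stating why it exists: an empty password would turn `bind_as` into an anonymous or unauthenticated bind, which some directories report as success, so the check must stay ahead of the bind; and a successful bind whose DN has no user linked via `find_by_extern_uid_and_provider` leaves `user` nil, so authentication fails closed rather than provisioning anyone. Whether `bind_as` raises on a connection error instead of returning nil is not visible here; if it raises, the exception propagates out of the Basic auth handler rather than counting as a failed login, which should be a deliberate choice.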
From: Friedrich Beckmann
Date: Mon, 29 Apr 2013 22:26:03 +0200
Subject: [PATCH 2/2] LDAP authentication in grack - check ldap conf before call / added comment
---
 lib/gitlab/backend/grack_auth.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index 9de68283dc0..f46455f4735 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -34,11 +34,15 @@ module Grack
 login, password = @auth.credentials
 self.user = User.find_by_email(login) || User.find_by_username(login)
- if user.nil?
+ # If the provided login was not a known email or username
+ # then user is nil
+ if user.nil?
+ # Second chance - try LDAP authentication
+ return false unless Gitlab.config.ldap.enabled
 ldap_auth(login,password)
 return false unless !user.nil?
 else
- return false unless user.valid_password?(password);
+ return false unless user.valid_password?(password)
 end
 Gitlab::ShellEnv.set_env(user)
--
GitLab
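Review bot: The new `return false unless Gitlab.config.ldap.enabled` duplicates the `gl.ldap.enabled` test that `ldap_auth` (added by the first patch, outside this hunk) performs itself, so the two checks can drift apart; keeping this early return and dropping the inner test is the simpler shape, or the inner one stays and this line goes. `ldap_auth(login,password)` is missing the space after the comma; `ldap_auth(login, password)` matches the method's own signature. The method's `def` line and the end of its body are outside the hunk.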