Commit 63c6f30a authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Fix ldap auth for http push

parent a3645b5b
...@@ -70,5 +70,24 @@ module Gitlab ...@@ -70,5 +70,24 @@ module Gitlab
def log def log
Gitlab::AppLogger Gitlab::AppLogger
end end
def ldap_auth(login, password)
# Check user against LDAP backend if user is not authenticated
# Only check with valid login and password to prevent anonymous bind results
return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
ldap_user = ldap.bind_as(
filter: Net::LDAP::Filter.eq(ldap.uid, login),
size: 1,
password: password
)
User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
end
def ldap_conf
@ldap_conf ||= Gitlab.config.ldap
end
end end
end end
...@@ -32,20 +32,11 @@ module Grack ...@@ -32,20 +32,11 @@ module Grack
if @auth.provided? if @auth.provided?
# Authentication with username and password # Authentication with username and password
login, password = @auth.credentials login, password = @auth.credentials
self.user = User.find_by_email(login) || User.find_by_username(login)
# If the provided login was not a known email or username @user = authenticate(login, password)
# then user is nil return false unless @user
if user.nil?
# Second chance - try LDAP authentication
return false unless Gitlab.config.ldap.enabled
ldap_auth(login,password)
return false unless !user.nil?
else
return false unless user.valid_password?(password)
end
Gitlab::ShellEnv.set_env(user) Gitlab::ShellEnv.set_env(@user)
end end
# Git upload and receive # Git upload and receive
...@@ -58,21 +49,35 @@ module Grack ...@@ -58,21 +49,35 @@ module Grack
end end
end end
def authenticate(login, password)
user = User.find_by_email(login) || User.find_by_username(login)
# If the provided login was not a known email or username
# then user is nil
if user.nil? || user.ldap_user?
# Second chance - try LDAP authentication
return nil unless ldap_conf.enabled
auth = Gitlab::Auth.new
auth.ldap_auth(login, password)
else
return user if user.valid_password?(password)
end
end
def ldap_auth(login, password) def ldap_auth(login, password)
# Check user against LDAP backend if user is not authenticated # Check user against LDAP backend if user is not authenticated
# Only check with valid login and password to prevent anonymous bind results # Only check with valid login and password to prevent anonymous bind results
gl = Gitlab.config return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
if gl.ldap.enabled && !login.blank? && !password.blank?
ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap) ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
ldap_user = ldap.bind_as( ldap_user = ldap.bind_as(
filter: Net::LDAP::Filter.eq(ldap.uid, login), filter: Net::LDAP::Filter.eq(ldap.uid, login),
size: 1, size: 1,
password: password password: password
) )
if ldap_user
self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
end
end
end end
def validate_get_request def validate_get_request
...@@ -139,5 +144,9 @@ module Grack ...@@ -139,5 +144,9 @@ module Grack
abilities abilities
end end
end end
def ldap_conf
@ldap_conf ||= Gitlab.config.ldap
end
end# Auth end# Auth
end# Grack end# Grack
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment