j3rem1e
2014-03-27 e4b0ae020290abfff26ef8b8f35485d277e4da62
LDAP: Authenticated Searches without a manager password

Allow the LDAP AuthProvider to be used with an LDAP server
that prohibits anonymous searches, without providing
a manager password: searches are made on behalf of
the authenticated user.
3 files modified
31 ■■■■■ changed files
releases.moxie 6 ●●●● patch | view | raw | blame | history
src/main/distrib/data/gitblit.properties 9 ●●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/auth/LdapAuthProvider.java 16 ●●●●● patch | view | raw | blame | history
releases.moxie
@@ -11,12 +11,16 @@
    security: ~
    fixes:
    - Ensure the Lucene ticket index is updated on repository deletion.
    changes: ~
    changes:
    - Option to allow LDAP users to directly authenticate without performing LDAP searches
    additions:
    - Added a French translation
    dependencyChanges: ~
    contributors:
    - Johann Ollivier-Lapeyre
    - Jeremie Brebec
    settings:
    - { name: 'realm.ldap.bindpattern', defaultValue: ' ' }
}
#
src/main/distrib/data/gitblit.properties
@@ -1516,6 +1516,15 @@
# SINCE 1.0.0
realm.ldap.password = password
# Bind pattern for Authentication.
# Allow to directly authenticate an user without LDAP Searches.
#
# e.g. CN=${username},OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
#
# SINCE 1.5.0
realm.ldap.bindpattern =
# Delegate team membership control to LDAP.
#
# If true, team user memberships will be specified by LDAP groups.  This will
src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -294,6 +294,20 @@
        LDAPConnection ldapConnection = getLdapConnection();
        if (ldapConnection != null) {
            try {
                boolean alreadyAuthenticated = false;
                String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, "");
                if (!StringUtils.isEmpty(bindPattern)) {
                    try {
                        String bindUser = StringUtils.replace(bindPattern, "${username}", simpleUsername);
                        ldapConnection.bind(bindUser, new String(password));
                        alreadyAuthenticated = true;
                    } catch (LDAPException e) {
                        return null;
                    }
                }
                // Find the logging in user's DN
                String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
                String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
@@ -304,7 +318,7 @@
                    SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
                    String loggingInUserDN = loggingInUser.getDN();
                    if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
                    if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
                        logger.debug("LDAP authenticated: " + username);
                        UserModel user = null;
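Review bot: The `catch (LDAPException e) { return null; }` added around the pattern bind discards the exception, so a malformed `realm.ldap.bindpattern` or an unreachable server is reported to the caller exactly like a wrong password; log it before returning, e.g. `logger.debug("LDAP bind with bindpattern failed for " + simpleUsername, e);` (the exception carries the result code, not the password). The bind also runs before any check that `password` is non-empty: a server that permits unauthenticated binds (RFC 4513 §5.1.2) would accept a DN with an empty password and set `alreadyAuthenticated`, which in the second hunk then skips `isAuthenticated` entirely — unless the SDK is known to reject such binds client-side, add `if (password == null || password.length == 0) { return null; }` before `ldapConnection.bind(...)`. `simpleUsername` is substituted into the DN without escaping RFC 4514 special characters, which deserves an escape or at least a comment stating where the username is constrained upstream. The enclosing method starts before the first hunk and continues past the second.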