From a502d96a860456ec5e8c96761db70f7cabb74751 Mon Sep 17 00:00:00 2001
From: Paul Martin <paul@paulsputer.com>
Date: Sat, 30 Apr 2016 04:19:14 -0400
Subject: [PATCH] Merge pull request #1073 from gitblit/1062-DocEditorUpdates

---
 src/main/java/com/gitblit/auth/LdapAuthProvider.java |   47 +++++++++++++++++++++++++++++++++++++++++------
 1 files changed, 41 insertions(+), 6 deletions(-)

diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
index 83f2466..cc772e7 100644
--- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -30,6 +30,7 @@
 
 import com.gitblit.Constants;
 import com.gitblit.Constants.AccountType;
+import com.gitblit.Constants.Role;
 import com.gitblit.Keys;
 import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider;
 import com.gitblit.models.TeamModel;
@@ -119,8 +120,12 @@
 						final Map<String, UserModel> ldapUsers = new HashMap<String, UserModel>();
 
 						for (SearchResultEntry loggingInUser : result.getSearchEntries()) {
-
-							final String username = loggingInUser.getAttribute(uidAttribute).getValue();
+							Attribute uid = loggingInUser.getAttribute(uidAttribute);
+							if (uid == null) {
+								logger.error("Can not synchronize with LDAP, missing \"{}\" attribute", uidAttribute);
+								continue;
+							}
+							final String username = uid.getValue();
 							logger.debug("LDAP synchronizing: " + username);
 
 							UserModel user = userManager.getUserModel(username);
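Review bot: The new guard rejects only an entry where the uid attribute is absent; an attribute that is present but carries no value still reaches `uid.getValue()`, and a null `username` would then be passed to `userManager.getUserModel(username)`. The e-mail handling later in this patch already tests `attribute != null && attribute.hasValue()`, so the same form fits here: `if (uid == null || !uid.hasValue()) {`. The error message also does not say which entry was skipped; adding the entry's DN, e.g. `logger.error("Can not synchronize with LDAP, missing \"{}\" attribute on {}", uidAttribute, loggingInUser.getDN());`, lets an operator find the account that is no longer being synchronized. The enclosing loop continues outside this hunk.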
@@ -268,7 +273,6 @@
 		return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, ""));
 	}
 
-
 	/**
 	 * If the LDAP server will maintain team memberships then LdapUserService
 	 * will not allow team membership changes.  In this scenario all team
@@ -280,6 +284,32 @@
 	@Override
 	public boolean supportsTeamMembershipChanges() {
 		return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false);
+	}
+
+    @Override
+    public boolean supportsRoleChanges(UserModel user, Role role) {
+    	if (Role.ADMIN == role) {
+    		if (!supportsTeamMembershipChanges()) {
+    			List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
+    			if (admins.contains(user.username)) {
+    				return false;
+    			}
+    		}
+    	}
+        return true;
+    }
+
+	@Override
+	public boolean supportsRoleChanges(TeamModel team, Role role) {
+		if (Role.ADMIN == role) {
+    		if (!supportsTeamMembershipChanges()) {
+    			List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
+    			if (admins.contains("@" + team.name)) {
+    				return false;
+    			}
+    		}
+    	}
+		return true;
 	}
 
 	@Override
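Review bot: The `UserModel` overload of `supportsRoleChanges` only looks for the bare username in `realm.ldap.admins`, although the `TeamModel` overload shows the same list can hold `@team` entries. A user whose admin right comes from membership in such a team is therefore reported as editable, and if the LDAP sync recomputes the flag from team membership (not visible in this hunk), a local change would be silently reverted. The user overload could walk the list and treat `@`-prefixed entries as team names, as sketched below. Both methods also lack Javadoc stating that they return false only for the ADMIN role while LDAP maintains teams, and they are indented with spaces where the rest of the file uses tabs.

```java
	@Override
	public boolean supportsRoleChanges(UserModel user, Role role) {
		if (Role.ADMIN != role || supportsTeamMembershipChanges()) {
			return true;
		}
		for (String admin : settings.getStrings(Keys.realm.ldap.admins)) {
			// "@name" entries designate admin teams, bare entries designate users
			boolean viaTeam = admin.startsWith("@") && user.isTeamMember(admin.substring(1));
			if (viaTeam || admin.equals(user.username)) {
				return false;
			}
		}
		return true;
	}
	// … unchanged: supportsRoleChanges(TeamModel team, Role role) …
```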
@@ -295,13 +325,13 @@
 		if (ldapConnection != null) {
 			try {
 				boolean alreadyAuthenticated = false;
-				
+
 				String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, "");
 				if (!StringUtils.isEmpty(bindPattern)) {
 					try {
 						String bindUser = StringUtils.replace(bindPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
 						ldapConnection.bind(bindUser, new String(password));
-						
+
 						alreadyAuthenticated = true;
 					} catch (LDAPException e) {
 						return null;
@@ -423,6 +453,10 @@
 				Attribute attribute = userEntry.getAttribute(email);
 				if (attribute != null && attribute.hasValue()) {
 					user.emailAddress = attribute.getValue();
+				} else {
+					// issue-456/ticket-134
+					// allow LDAP to delete an email address
+					user.emailAddress = null;
 				}
 			}
 		}
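Review bot: The new `else` branch clears `user.emailAddress` whenever the entry has no value for the configured attribute, and that case cannot be told apart from the attribute simply not being returned (for instance if the bind account may not read it or the setting names the wrong attribute). In that situation a sync would blank the stored address for every user without any trace. I would log when an existing address is dropped, e.g. `if (user.emailAddress != null) { logger.debug("LDAP entry has no \"{}\" value, clearing email address for {}", email, user.username); }` placed before the assignment. It is also worth confirming that consumers of `emailAddress` tolerate null. The enclosing method starts outside this hunk.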
@@ -583,7 +617,8 @@
 		if (ldapSyncService.isReady()) {
 			long ldapSyncPeriod = getSynchronizationPeriodInMilliseconds();
 			int delay = 1;
-			logger.info("Ldap sync service will update users and groups every {} minutes.", ldapSyncPeriod);
+			logger.info("Ldap sync service will update users and groups every {} minutes.",
+					TimeUnit.MILLISECONDS.toMinutes(ldapSyncPeriod));
 			scheduledExecutorService.scheduleAtFixedRate(ldapSyncService, delay, ldapSyncPeriod,  TimeUnit.MILLISECONDS);
 		} else {
 			logger.info("Ldap sync service is disabled.");
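Review bot: `TimeUnit.MILLISECONDS.toMinutes(ldapSyncPeriod)` truncates, so a configured period below one minute is logged as "every 0 minutes" and fractional periods are rounded down. The sync period determines how quickly LDAP-side removals and role changes reach Gitblit, so the log should show the effective value; logging the millisecond value alongside would do, e.g. `logger.info("Ldap sync service will update users and groups every {} minutes ({} ms).", TimeUnit.MILLISECONDS.toMinutes(ldapSyncPeriod), ldapSyncPeriod);`. The surrounding method begins outside this hunk.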

--
Gitblit v1.9.1