Merge pull request #122 from fzs/ldap-deref-alias

Currently the LDAP user service will not dereference aliases when
searching for groups. This patch enables dereferencing aliases for the
group search. This is benefitial if groups are defined in the DIT in a
common place but only certain ones shall play a role in Gitblit. These
can now be linked under a group that can be provided as search base for
groups, without having to recreate the existing groups under the search
base.

In addition, the new doSearch() method implemented in this patch also
limits the attributes returned for the group search to the "cn"
attribute, which is the only one used. That prevents returning all the
members of the result groups, which can be a lot.

Change-Id: I29e1560390810304386dcea5ca40aaf78601b3a9

diff --git a/releases.moxie b/releases.moxie
index 551771e2d9a8e3f4b666c58c6fc89089f7a33531..5433a9da22ec912f075dcde759fc838a58fdd2d6 100644 (file)
--- a/releases.moxie
+++ b/releases.moxie
@@ -32,6 +32,7 @@ r20: {
        - By default GO will now bind to all interfaces for both http and https connectors.  This simplifies setup for first-time users.        
        - Removed docs indicator on the repositories page
        - Removed the repository setting to enable Markdown document enumeration, this is now automatic and expanded
+       - Retrieve LDAP groups with dereferencing aliases (pr-122)
     additions:
        - Added an optional MirrorExecutor which will periodically fetch ref updates from source repositories for mirrors (issue-5).  Repositories must be manually cloned using native git and "--mirror".
        - Added branch graph image servlet based on EGit's branch graph renderer (issue-194)

diff --git a/src/main/java/com/gitblit/LdapUserService.java b/src/main/java/com/gitblit/LdapUserService.java
index 5a2dbdc89bf989737005518e27e774ec113ff480..888d13c4be30e6caedf2b1697b279fb44e2d2663 100644 (file)
--- a/src/main/java/com/gitblit/LdapUserService.java
+++ b/src/main/java/com/gitblit/LdapUserService.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.net.URI;\r
 import java.net.URISyntaxException;\r
 import java.security.GeneralSecurityException;\r
+import java.util.Arrays;\r
 import java.util.HashMap;\r
 import java.util.List;\r
 import java.util.Map;\r
@@ -35,11 +36,13 @@ import com.gitblit.models.UserModel;
 import com.gitblit.utils.ArrayUtils;\r
 import com.gitblit.utils.StringUtils;\r
 import com.unboundid.ldap.sdk.Attribute;\r
+import com.unboundid.ldap.sdk.DereferencePolicy;\r
 import com.unboundid.ldap.sdk.ExtendedResult;\r
 import com.unboundid.ldap.sdk.LDAPConnection;\r
 import com.unboundid.ldap.sdk.LDAPException;\r
 import com.unboundid.ldap.sdk.LDAPSearchException;\r
 import com.unboundid.ldap.sdk.ResultCode;\r
+import com.unboundid.ldap.sdk.SearchRequest;\r
 import com.unboundid.ldap.sdk.SearchResult;\r
 import com.unboundid.ldap.sdk.SearchResultEntry;\r
 import com.unboundid.ldap.sdk.SearchScope;\r
@@ -404,7 +407,7 @@ public class LdapUserService extends GitblitUserService {
                for (Attribute userAttribute : loggingInUser.getAttributes())\r
                        groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));\r
 \r
-               SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);\r
+               SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn"));\r
                if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {\r
                        for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {\r
                                SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);\r
@@ -436,7 +439,28 @@ public class LdapUserService extends GitblitUserService {
                        return null;\r
                }\r
        }\r
+       \r
+       private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List<String> attributes) {\r
+               try {\r
+                       SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter);\r
+                       if ( dereferenceAliases ) {\r
+                               searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING);\r
+                       }\r
+                       if (attributes != null) {\r
+                               searchRequest.setAttributes(attributes);\r
+                       }\r
+                       return ldapConnection.search(searchRequest);\r
+\r
+               } catch (LDAPSearchException e) {\r
+                       logger.error("Problem Searching LDAP", e);\r
 \r
+                       return null;\r
+               } catch (LDAPException e) {\r
+                       logger.error("Problem creating LDAP search", e);\r
+                       return null;\r
+               }\r
+       }\r
+       \r
        private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {\r
                try {\r
                        // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN\r