From: Florian Zschocke Date: Fri, 22 Nov 2013 15:09:05 +0000 (-0500) Subject: Merge pull request #122 from fzs/ldap-deref-alias X-Git-Tag: v1.4.0~199 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=e1b00bd19810736ea5244e3dbb8cf09525127315;p=gitblit.git Merge pull request #122 from fzs/ldap-deref-alias Currently the LDAP user service will not dereference aliases when searching for groups. This patch enables dereferencing aliases for the group search. This is benefitial if groups are defined in the DIT in a common place but only certain ones shall play a role in Gitblit. These can now be linked under a group that can be provided as search base for groups, without having to recreate the existing groups under the search base. In addition, the new doSearch() method implemented in this patch also limits the attributes returned for the group search to the "cn" attribute, which is the only one used. That prevents returning all the members of the result groups, which can be a lot. Change-Id: I29e1560390810304386dcea5ca40aaf78601b3a9 --- diff --git a/releases.moxie b/releases.moxie index 551771e2..5433a9da 100644 --- a/releases.moxie +++ b/releases.moxie @@ -32,6 +32,7 @@ r20: { - By default GO will now bind to all interfaces for both http and https connectors. This simplifies setup for first-time users. - Removed docs indicator on the repositories page - Removed the repository setting to enable Markdown document enumeration, this is now automatic and expanded + - Retrieve LDAP groups with dereferencing aliases (pr-122) additions: - Added an optional MirrorExecutor which will periodically fetch ref updates from source repositories for mirrors (issue-5). Repositories must be manually cloned using native git and "--mirror". - Added branch graph image servlet based on EGit's branch graph renderer (issue-194) diff --git a/src/main/java/com/gitblit/LdapUserService.java b/src/main/java/com/gitblit/LdapUserService.java index 5a2dbdc8..888d13c4 100644 --- a/src/main/java/com/gitblit/LdapUserService.java +++ b/src/main/java/com/gitblit/LdapUserService.java @@ -20,6 +20,7 @@ import java.io.File; import java.net.URI; import java.net.URISyntaxException; import java.security.GeneralSecurityException; +import java.util.Arrays; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -35,11 +36,13 @@ import com.gitblit.models.UserModel; import com.gitblit.utils.ArrayUtils; import com.gitblit.utils.StringUtils; import com.unboundid.ldap.sdk.Attribute; +import com.unboundid.ldap.sdk.DereferencePolicy; import com.unboundid.ldap.sdk.ExtendedResult; import com.unboundid.ldap.sdk.LDAPConnection; import com.unboundid.ldap.sdk.LDAPException; import com.unboundid.ldap.sdk.LDAPSearchException; import com.unboundid.ldap.sdk.ResultCode; +import com.unboundid.ldap.sdk.SearchRequest; import com.unboundid.ldap.sdk.SearchResult; import com.unboundid.ldap.sdk.SearchResultEntry; import com.unboundid.ldap.sdk.SearchScope; @@ -404,7 +407,7 @@ public class LdapUserService extends GitblitUserService { for (Attribute userAttribute : loggingInUser.getAttributes()) groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue())); - SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern); + SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn")); if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) { for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) { SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i); @@ -436,7 +439,28 @@ public class LdapUserService extends GitblitUserService { return null; } } + + private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List attributes) { + try { + SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter); + if ( dereferenceAliases ) { + searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING); + } + if (attributes != null) { + searchRequest.setAttributes(attributes); + } + return ldapConnection.search(searchRequest); + + } catch (LDAPSearchException e) { + logger.error("Problem Searching LDAP", e); + return null; + } catch (LDAPException e) { + logger.error("Problem creating LDAP search", e); + return null; + } + } + private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) { try { // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN