From e4b0ae020290abfff26ef8b8f35485d277e4da62 Mon Sep 17 00:00:00 2001
From: j3rem1e
Date: Thu, 27 Mar 2014 09:16:53 -0400
Subject: [PATCH] LDAP: Authenticated Searches without a manager password

Allow to use the LDAP AuthProvider with a LDAP Server prohibiting anonymous searches but without providing a manager password : searches are made on behalf of the authenticated user.
---
 releases.moxie | 6 +++++-
 src/main/distrib/data/gitblit.properties | 9 +++++++++
 .../java/com/gitblit/auth/LdapAuthProvider.java | 16 +++++++++++++++-
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/releases.moxie b/releases.moxie
index 52424513..c9687e26 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -11,12 +11,16 @@ r22: {
 security: ~
 fixes:
 - Ensure the Lucene ticket index is updated on repository deletion.
- changes: ~
+ changes:
+ - Option to allow LDAP users to directly authenticate without performing LDAP searches
 additions:
 - Added a French translation
 dependencyChanges: ~
 contributors:
 - Johann Ollivier-Lapeyre
+ - Jeremie Brebec
+ settings:
+ - { name: 'realm.ldap.bindpattern', defaultValue: ' ' }
 }
 
 #
diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties
index 70a6c6e6..b819b381 100644
--- a/src/main/distrib/data/gitblit.properties
+++ b/src/main/distrib/data/gitblit.properties
@@ -1516,6 +1516,15 @@ realm.ldap.username = cn=Directory Manager
 # SINCE 1.0.0
 realm.ldap.password = password
 
+# Bind pattern for Authentication.
+# Allow to directly authenticate an user without LDAP Searches.
+#
+# e.g. CN=${username},OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+#
+# SINCE 1.5.0
+realm.ldap.bindpattern =
+
+
 # Delegate team membership control to LDAP.
 #
 # If true, team user memberships will be specified by LDAP groups. This will
diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
index 3a688d83..892f30ba 100644
--- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -294,6 +294,20 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider {
 LDAPConnection ldapConnection = getLdapConnection();
 if (ldapConnection != null) {
 try {
+ boolean alreadyAuthenticated = false;
+
+ String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, "");
+ if (!StringUtils.isEmpty(bindPattern)) {
+ try {
+ String bindUser = StringUtils.replace(bindPattern, "${username}", simpleUsername);
+ ldapConnection.bind(bindUser, new String(password));
+
+ alreadyAuthenticated = true;
+ } catch (LDAPException e) {
+ return null;
+ }
+ }
+
 // Find the logging in user's DN
 String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
 String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
@@ -304,7 +318,7 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider {
 SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
 String loggingInUserDN = loggingInUser.getDN();
 
- if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
+ if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
 logger.debug("LDAP authenticated: " + username);
 
 UserModel user = null;
-- 
2.39.5
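Review bot: The new `catch (LDAPException e) { return null; }` around `ldapConnection.bind(bindUser, new String(password))` drops the exception, so a directory outage or a broken `realm.ldap.bindpattern` is indistinguishable from a wrong password in the logs; log it before returning, e.g. `logger.error("LDAP bind failed for " + bindUser, e);`. The bind is also attempted with whatever `password` holds, and a simple bind with a DN and an empty password is the RFC 4513 "unauthenticated" mechanism that some directories accept, which would set `alreadyAuthenticated` without any credential having been checked; some client SDK versions refuse such binds by default, but the provider should not rely on that, so unless the enclosing method (which starts before this hunk) already rejects empty passwords, add `if (password == null || password.length == 0) { return null; }` ahead of the bind. `simpleUsername` is substituted into the DN template without RFC 4514 escaping, so a username containing DN metacharacters yields a DN naming a different or invalid entry rather than being rejected; escape the value before substitution.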
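Review bot: With `alreadyAuthenticated ||` short-circuiting the check, the entry returned by the account search is accepted as the authenticated user without confirming it is the entry whose credentials were just verified: `bindUser` is built from the `${username}` template in the previous hunk and `loggingInUserDN` from the `accountPattern` filter, and nothing ties the two together. Hoist `bindUser` next to `alreadyAuthenticated` and, once `loggingInUserDN` is known, require `if (alreadyAuthenticated && !DN.equals(bindUser, loggingInUserDN)) { return null; }` using UnboundID's normalized DN comparison (`com.unboundid.ldap.sdk.DN`, which would need importing; its `equals(String, String)` throws `LDAPException`, so keep it inside the existing try). A debug log naming the bound DN at that point would make the new path auditable alongside the existing `LDAP authenticated:` message. The enclosing method continues past both ends of this hunk, so I cannot see whether its finally block releases the connection on the new early return.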