author | j3rem1e <jeremie.brebec@gmail.com> | 2014-03-27 09:16:53 -0400 |
---|---|---|
committer | James Moger <james.moger@gitblit.com> | 2014-03-27 09:16:53 -0400 |
commit | e4b0ae020290abfff26ef8b8f35485d277e4da62 (patch) | |
tree | 15b07d0ef544e0c0f31c2c5634529d9d1fd4998c /src/main | |
parent | 21be4b4b2370b7eddf839fe64dd4207f72a05a2a (diff) | |
LDAP: Authenticated Searches without a manager password
Allow using the LDAP AuthProvider with an LDAP server
that prohibits anonymous searches, without providing
a manager password: searches are made on behalf of
the authenticated user.
Diffstat (limited to 'src/main')
-rw-r--r-- | src/main/distrib/data/gitblit.properties | 9 | ||||
-rw-r--r-- | src/main/java/com/gitblit/auth/LdapAuthProvider.java | 16 |
2 files changed, 24 insertions, 1 deletions
diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties
index 70a6c6e6..b819b381 100644
--- a/src/main/distrib/data/gitblit.properties
+++ b/src/main/distrib/data/gitblit.properties
@@ -1516,6 +1516,15 @@ realm.ldap.username = cn=Directory Manager
# SINCE 1.0.0
realm.ldap.password = password
+# Bind pattern for Authentication.
+# Allow to directly authenticate an user without LDAP Searches.
+#
+# e.g. CN=${username},OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain
+#
+# SINCE 1.5.0
+realm.ldap.bindpattern =
+
+
# Delegate team membership control to LDAP.
#
# If true, team user memberships will be specified by LDAP groups. This will
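Review bot: The comment added for `realm.ldap.bindpattern` says it authenticates a user "without LDAP Searches", but the matching change in LdapAuthProvider still runs the accountPattern search after the bind — only on behalf of the bound user instead of the manager account, which is what the commit message describes. Suggest rewording the second comment line to `# Bind directly as the user; the account search is then made with that user's credentials.` and adding `# ${username} is substituted verbatim, so it must not contain DN-special characters.` so operators know what the pattern does and does not protect against.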
diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
index 3a688d83..892f30ba 100644
--- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -294,6 +294,20 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider {
LDAPConnection ldapConnection = getLdapConnection();
if (ldapConnection != null) {
try {
+ boolean alreadyAuthenticated = false;
+
+ String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, "");
+ if (!StringUtils.isEmpty(bindPattern)) {
+ try {
+ String bindUser = StringUtils.replace(bindPattern, "${username}", simpleUsername);
+ ldapConnection.bind(bindUser, new String(password));
+
+ alreadyAuthenticated = true;
+ } catch (LDAPException e) {
+ return null;
+ }
+ }
+
// Find the logging in user's DN
String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
@@ -304,7 +318,7 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider {
SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
String loggingInUserDN = loggingInUser.getDN();
- if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
+ if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
logger.debug("LDAP authenticated: " + username);
UserModel user = null; |
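Review bot: The new bind-pattern path treats any successful `ldapConnection.bind(bindUser, new String(password))` as proof of credentials, but an LDAP simple bind with a DN and an empty password is an unauthenticated bind that many directories accept as anonymous, so an empty password would set `alreadyAuthenticated = true` and skip `isAuthenticated` in the second hunk unless the code before this hunk already rejects empty passwords (the enclosing method starts outside the hunk, so that cannot be confirmed here). Guard it before the bind: `if (password == null || password.length == 0) { return null; }`. The `${username}` substitution also inserts `simpleUsername` into a DN verbatim, so characters that are special in RFC 4514 DNs (`,`, `+`, `=`, `"`, `\`, `<`, `>`, `;`) should be escaped before the replace rather than trusted from the login form. Finally, `catch (LDAPException e) { return null; }` discards the exception entirely; a `logger.debug("LDAP bind failed for " + bindUser, e)` would let operators distinguish a wrong password from a directory error without exposing the password.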