authorFlorian Zschocke <florian.zschocke@cycos.com>2013-11-22 10:09:05 -0500
committerJames Moger <james.moger@gitblit.com>2013-11-22 10:28:05 -0500
commite1b00bd19810736ea5244e3dbb8cf09525127315 (patch)
treed3544187ada7cc8ca4edcef9a78916e68d38f06a /src
parent237faead29c2d0dfcc503fe80039a6d985764d81 (diff)
Merge pull request #122 from fzs/ldap-deref-alias
Currently the LDAP user service will not dereference aliases when searching for groups. This patch enables dereferencing aliases for the group search. This is beneficial if groups are defined in the DIT in a common place but only certain ones shall play a role in Gitblit. These can now be linked under a group that can be provided as search base for groups, without having to recreate the existing groups under the search base. In addition, the new doSearch() method implemented in this patch also limits the attributes returned for the group search to the "cn" attribute, which is the only one used. That prevents returning all the members of the result groups, which can be a lot. Change-Id: I29e1560390810304386dcea5ca40aaf78601b3a9
Diffstat (limited to 'src')
-rw-r--r--src/main/java/com/gitblit/LdapUserService.java26
1 files changed, 25 insertions, 1 deletions
diff --git a/src/main/java/com/gitblit/LdapUserService.java b/src/main/java/com/gitblit/LdapUserService.java
index 5a2dbdc8..888d13c4 100644
--- a/src/main/java/com/gitblit/LdapUserService.java
+++ b/src/main/java/com/gitblit/LdapUserService.java
@@ -20,6 +20,7 @@ import java.io.File;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
+import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -35,11 +36,13 @@ import com.gitblit.models.UserModel;
import com.gitblit.utils.ArrayUtils;
import com.gitblit.utils.StringUtils;
import com.unboundid.ldap.sdk.Attribute;
+import com.unboundid.ldap.sdk.DereferencePolicy;
import com.unboundid.ldap.sdk.ExtendedResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPSearchException;
import com.unboundid.ldap.sdk.ResultCode;
+import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
@@ -404,7 +407,7 @@ public class LdapUserService extends GitblitUserService {
for (Attribute userAttribute : loggingInUser.getAttributes())
groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));
- SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);
+ SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn"));
if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {
for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {
SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);
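Review bot: The group search now dereferences aliases unconditionally via the bare `true` argument on the `doSearch` call, so `groupBase` no longer bounds which entries the member filter can match: any entry reachable through an alias placed under the group base is considered a team, even if it lives elsewhere in the DIT. That is the intended use per the description, but it also means that anyone able to create alias entries under the group base can effectively add a team to Gitblit, which is worth stating at the call site, e.g. `// aliases are followed: groups linked under groupBase from elsewhere in the DIT are matched too`. A setting to turn dereferencing off would let deployments that do not use aliases keep the stricter base-bounded behaviour; directories that do not implement aliases presumably just ignore the policy. The enclosing method starts and ends outside this hunk.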
@@ -436,7 +439,28 @@ public class LdapUserService extends GitblitUserService {
return null;
}
}
+
+ private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List<String> attributes) {
+ try {
+ SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter);
+ if ( dereferenceAliases ) {
+ searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING);
+ }
+ if (attributes != null) {
+ searchRequest.setAttributes(attributes);
+ }
+ return ldapConnection.search(searchRequest);
+
+ } catch (LDAPSearchException e) {
+ logger.error("Problem Searching LDAP", e);
+ return null;
+ } catch (LDAPException e) {
+ logger.error("Problem creating LDAP search", e);
+ return null;
+ }
+ }
+
private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
try {
// Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
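Review bot: The new `doSearch` overload has no Javadoc, and its contract is not obvious from the body: every LDAP failure, including a size- or time-limit result that may carry partial entries in the `LDAPSearchException`, is logged and collapsed to `null`, so the caller must null-check and team resolution fails closed on any directory error. A Javadoc should say that `attributes == null` requests all attributes, that `dereferenceAliases` selects `DereferencePolicy.SEARCHING` while `false` leaves the `SearchRequest` default policy, and that `null` is returned on any error. Since `LDAPSearchException` is caught before `LDAPException`, the second catch can only be reached from the `SearchRequest` constructor (presumably a malformed filter), so a message such as `"Problem creating LDAP search request (invalid filter?)"` would be more precise. Style: `if ( dereferenceAliases )` should use the same spacing as the following `if (attributes != null)`.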