path: root/src/main/java/com/gitblit/auth
Commit message | Author | Age | Files | Lines
* Merge pull request #1160 from fzs/sshLdapAuthenticator | Florian Zschocke | 2016-12-18 | 1 | -274/+10
    LDAP SSH key manager
  * Retrieve public SSH keys from LDAP. | Florian Zschocke | 2016-11-29 | 1 | -7/+4
      Add new class `LdapPublicKeyManager` which retrieves public SSH keys from LDAP. The attribute can be configured with the new configuration option `realm.ldap.sshPublicKey`. The setting can be a simple attribute name, like `sshPublicKey`, or an attribute name and a prefix for the value, like `altSecurityIdentities:SshKey`, in which case attributes are selected that have the name `altSecurityIdentities` and whose values start with `SshKey:`.
  * Extract LdapConnection into new class from LdapAuthProvider | Florian Zschocke | 2016-11-23 | 1 | -268/+7
      Extract the inner class `LdapConnection` from the `LdapAuthProvider` into a separate class, so that it can be used from multiple classes that have to connect to an LDAP directory. The new class is placed into the new package `com.gitblit.ldap`, since it isn't specific to authentication.
* Merge branch 'rcaa-master' into master. | Florian Zschocke | 2016-12-13 | 7 | -9/+9
  * removing unnecessary user cookie code | Rodrigo Andrade | 2016-08-15 | 7 | -8/+8
  * removing duplicated code for cookie generation and adding random bytes to generate user cookies | Rodrigo Andrade | 2016-08-15 | 1 | -1/+1
* Set "can admin" permission on LDAP users and teams correctly (merged--fixAdminRoleLDAP) | Florian Zschocke | 2016-11-18 | 1 | -12/+32
    The canAdmin permission is set on a LDAP user, when the user is listed in `realm.ldap.admins` or is a member of a team listed in `realm.ldap.admins`. This leads to inconsistent and surprising behaviour on the EditUser page when clicking the "can admin" checkbox. Also, the "can admin" checkbox is disabled, but not checked, for teams that are listed as admin teams.

    The new behaviour implemented in this patch makes users and teams from LDAP match local ones. That means:

    * LDAP teams that are listed in `realm.ldap.admins` get the canAdmin property set if teams are maintained in LDAP.
    * LDAP users that are listed in `realm.ldap.admins` get the canAdmin property set if teams are maintained in LDAP.
    * LDAP users do not get the canAdmin property set, if they are only a member of a team listed in `realm.ldap.admins`.
    * The `supportsRoleChanges` method for users and teams of the `LdapAuthProvider` unconditionally returns false if teams are maintained in LDAP, not only for users and teams listed in `realm.ldap.admins`.
    * Therefore, for all LDAP users and teams the "can admin" checkbox is always disabled if teams are maintained in LDAP.
* Clean up `LdapAuthProvider` to properly cover different LDAP search scenarios. | Florian Zschocke | 2016-11-11 | 1 | -114/+284
    Gitblit allows in its configuration to set a "manager" user (and password) which can be used to search for the entry of a user wanting to log in. If they are both not set, an anonymous search is attempted. In the description below, when I say "...as manager", it is either as manager or anonymous.

    So far the behaviour of Gitblit, with respect to binding to and searching in LDAP, has been the following when a user logs in:

      **bind as manager**
      **search for the user**
      _bind as the user_
      _search for the teams_

    I'll call this code flow A.

    Later an additional configuration option had been added: `realm.ldap.bindpattern`. (PR gitblit/gitblit#162) It was meant to allow for not using a manager nor anonymous binds, by searching the directory as the user logging in. This is done in code flow B:

      **bind as manager**
      _bind as user_
      _search for user_
      _search for teams_

    Both A and B are flawed, I think. In A, it looks like a mistake to me that the binding stays with the user after authentication. The problem that this causes is, that in LDAP server configurations where normal users are not allowed to read groups, the team information cannot be retrieved.

    I tried but failed to understand how B is supposed to work. There will always be a bind request as either anonymous or the manager DN when the LDAP connection is created. If neither is possible, the authentication process will fail and the user cannot log in.

    When synchronizing users and teams from LDAP, the following code flow is exercised:

    F:
      **bind as manager**
      **search for users**
      **search for teams**

    This patch fixes both code flows by introducing a new flow.

    C:
      **bind as manager**
      **search for user**
      _bind as user to authenticate_
      **bind as manager**
      **search for teams**

    And it changes code flow B to the following code flow D:

      _bind as user_
      _search for user_
      _search for teams_

    With code flows A, C, D and F the following usage (and authentication) scenarios are covered. They are described from the view of a Gitblit administrator's intent and his LDAP setup.

    * Users and teams should be synchronized with LDAP
      This means anonymous or a fixed account must be able to read users and groups.
      => covered by C and F
      As the above allows for authentication and is required for synchronisation, all the others below do not cover synchronization.

    * No anonymous binding allowed and no special manager binding required
      This means that users must be able to read user and group entries.
      => covered by D

    * The user DN needs to be searched, e.g. because they are not all under the same parent DN.
      This means that anonymous or a fixed account must be able to read users.
      -- anonymous or the "manager" account can also read groups
         => covered by C
      -- anonymous or the "manager" account cannot read groups but a user can
         => covered by A

    I therefore believe that the new code will cover all common use cases.

    The implementation either directly binds as the user, when `bindpattern` is not empty, or it binds anonymously or against the manager DN to search for the user DN entry. If it directly bound against the user DN, the user is already authenticated. It will then only check that the user DN it found in the search is identical to the one it is currently bound against. If it was bound against a manager DN (or anonymously) it will bind against the found user DN to authenticate the user logging in, and will then rebind against the manager DN.

    When searching for groups in LDAP, if the search fails with a result code other than SUCCESS, the implementation will bind against the user DN, if it isn't already bound against it. It will then repeat the search for groups under the user authorization. This is to keep backwards compatible with the original behaviour A, in order to not break cases where the LDAP setup would deny a manager account to search for groups but allow it for normal users.

    To achieve this the implementation introduces an internal `LdapConnection` class that wraps the connection and keeps bind state, so that a rebind as a user is possible.

    This also fixes a resource leak where the connection was not closed in case that the initial bind as the manager account did not succeed.

    This commit would fix gitblit/gitblit#920
* implement an HTTP header AuthenticationProvider | Joel Johnson | 2015-12-09 | 2 | -5/+209
* Merge branch 'ticket/244' into develop | James Moger | 2015-03-07 | 1 | -11/+24
  * Minor refactoring of user/team checksumming | James Moger | 2015-03-07 | 1 | -60/+22
  * Setting up a checksum on user and team instances to lower connection delay | Pierre-yves Baloche | 2015-03-06 | 1 | -14/+65
* Fix time units in ldap sync log message | James Moger | 2014-11-24 | 1 | -1/+2
* Merge branch 'ticket/129' into develop | James Moger | 2014-09-30 | 1 | -1/+1
  * Remove Wicket references from non-Wicket packages | James Moger | 2014-09-30 | 1 | -1/+1
* Allow authentication providers to control user and team role changes | James Moger | 2014-09-26 | 7 | -2/+119
* Allow LDAP to reset/delete a user email address value | James Moger | 2014-09-08 | 1 | -0/+4
* fix mistyped passwords leaked in log files with redmine auth provider | mereth | 2014-08-19 | 1 | -2/+3
* [findbugs] Null check on closing PAM provider | James Moger | 2014-04-17 | 1 | -1/+3
* Warn on LDAP synchronization if the uid attribute is null/undefined | James Moger | 2014-04-08 | 1 | -4/+8
* LDAP: Escape username in case we are using userbased bind. | Jani Averbach | 2014-03-31 | 1 | -1/+1
* LDAP: Authenticated Searches without a manager password | j3rem1e | 2014-03-27 | 1 | -1/+15
    Allow use of the LDAP AuthProvider with an LDAP server prohibiting anonymous searches but without providing a manager password: searches are made on behalf of the authenticated user.
* WindowsAuthProvider setting to restrict BUILTIN\Administrators | James Moger | 2014-02-21 | 1 | -3/+5
    Some environments do not want to automatically allow Windows admin accounts to be Gitblit admins. This patch allows disabling/enabling the relationship between Windows builtin admin accounts and Gitblit accounts.
* Remove admin permission setting from Redmine auth provider (issue-368) | James Moger | 2014-02-21 | 1 | -5/+0
    This feature depended on an undocumented behavior of Redmine. If/when Redmine groups are mapped to Gitblit teams, we can reconsider setting the admin permission (issue-321).
* API adjustments and elimination of duplicate config options | James Moger | 2014-02-19 | 2 | -100/+114
* Added logging for empty group sync. | Alfred Schmid | 2014-02-19 | 1 | -0/+2
* Load empty groups as empty teams from ldap, when ldap user synchronization is enabled. | Alfred Schmid | 2014-02-19 | 1 | -0/+24
* Fixed error with negative periods. Using at least ldapCaching period to sync with ldap | Alfred Schmid | 2014-02-19 | 1 | -11/+11
* Basic implementation of feature for ldap user synchronization as background service. Introduced configuration property to configure the synchronization period. | Alfred Schmid | 2014-02-19 | 1 | -1/+30
* Centralize cookie creation | James Moger | 2013-12-11 | 7 | -32/+25
    Change-Id: I1a17416121764f33a8d05a88c80cece0c03ac41d
* Fix external authentication failure | James Moger | 2013-12-11 | 1 | -14/+21
    Change-Id: I0f415941a4bfd5e63d85c60613cea0c7d10cbb49
* Allow null authentication provider to manipulate users | James Moger | 2013-12-10 | 1 | -4/+4
    Change-Id: I07405f2ed915b8f544ac58aca8367301a7d23e38
* Fix LDAP port and bind regressions due to change for issue-343 | James Moger | 2013-12-10 | 1 | -2/+11
    Change-Id: I76ee581e067a30fb1656c5c62bdf743846f1a767
* Refactor user services and separate authentication (issue-281) | James Moger | 2013-11-29 | 7 | -0/+1583
    Change-Id: I336e005e02623fc5e11a4f8b4408bea5465a43fd