From e4b0ae020290abfff26ef8b8f35485d277e4da62 Mon Sep 17 00:00:00 2001 From: j3rem1e Date: Thu, 27 Mar 2014 09:16:53 -0400 Subject: LDAP: Authenticated Searches without a manager password Allow to use the LDAP AuthProvider with a LDAP Server prohibiting anonymous searches but without providing a manager password : searches are made on behalf of the authenticated user. --- src/main/distrib/data/gitblit.properties | 9 +++++++++ src/main/java/com/gitblit/auth/LdapAuthProvider.java | 16 +++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) (limited to 'src/main') diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties index 70a6c6e6..b819b381 100644 --- a/src/main/distrib/data/gitblit.properties +++ b/src/main/distrib/data/gitblit.properties @@ -1516,6 +1516,15 @@ realm.ldap.username = cn=Directory Manager # SINCE 1.0.0 realm.ldap.password = password +# Bind pattern for Authentication. +# Allow to directly authenticate an user without LDAP Searches. +# +# e.g. CN=${username},OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain +# +# SINCE 1.5.0 +realm.ldap.bindpattern = + + # Delegate team membership control to LDAP. # # If true, team user memberships will be specified by LDAP groups. This will diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java index 3a688d83..892f30ba 100644 --- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java +++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java 
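Review bot: The comment added for `realm.ldap.bindpattern` omits the behaviour the commit message describes as the reason for the setting, namely that once the bind-pattern bind succeeds the later searches run on that user's connection, so `realm.ldap.username` / `realm.ldap.password` can stay empty on servers that forbid anonymous searches. A reader of the properties file only learns that searches are skipped for authentication, which is the narrower effect. I would extend the comment with a line such as `# When set, subsequent LDAP searches are performed on behalf of the authenticated user, so a manager password is not required.` It would also help to state that `${username}` is inserted into the DN verbatim, so the setting is only appropriate where usernames cannot contain DN special characters.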
@@ -294,6 +294,20 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider { LDAPConnection ldapConnection = getLdapConnection(); if (ldapConnection != null) { try { + boolean alreadyAuthenticated = false; + + String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, ""); + if (!StringUtils.isEmpty(bindPattern)) { + try { + String bindUser = StringUtils.replace(bindPattern, "${username}", simpleUsername); + ldapConnection.bind(bindUser, new String(password)); + + alreadyAuthenticated = true; + } catch (LDAPException e) { + return null; + } + } + // Find the logging in user's DN String accountBase = settings.getString(Keys.realm.ldap.accountBase, ""); String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))"); @@ -304,7 +318,7 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider { SearchResultEntry loggingInUser = result.getSearchEntries().get(0); String loggingInUserDN = loggingInUser.getDN(); - if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) { + if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) { logger.debug("LDAP authenticated: " + username); UserModel user = null; -- cgit v1.2.3
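Review bot: `simpleUsername` is spliced into `bindPattern` with a plain `StringUtils.replace`, so a username containing DN special characters (`,`, `+`, `"`, `\`, `<`, `>`, `;`, `=`, or a leading `#`/space) alters the structure of the DN that is bound; escape the value per RFC 4514 before substitution, or reject such usernames before the bind. The `catch (LDAPException e) { return null; }` also drops the result code, so a wrong password, an unreachable server and a malformed DN all look identical to the caller and nothing reaches the log — add `logger.debug("LDAP bind via realm.ldap.bindpattern failed: " + e.getResultCode(), e);` before the return so failures can be told apart. Unless the SDK's default of treating a DN-with-empty-password bind as an error is relied on, an empty `password` would complete as an unauthenticated bind (RFC 4513 §5.1.2) and set `alreadyAuthenticated`, so an explicit `password.length == 0` guard ahead of `ldapConnection.bind` is cheap insurance. The enclosing method starts and ends outside the hunk.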
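Review bot: When `alreadyAuthenticated` is true, the DN that was actually bound (built from `bindpattern`) is never compared with `loggingInUserDN`, which comes from the separate `accountPattern` search, so the `UserModel` is populated from whichever entry the search returns rather than from the entry whose password was verified. If the search attribute (e.g. `sAMAccountName`) and the DN component used in the pattern differ for some accounts, the two can name different users. Hoisting `bindUser` to method scope and adding `if (alreadyAuthenticated && !new DN(bindUser).equals(new DN(loggingInUserDN))) { return null; }` before the `if (alreadyAuthenticated || ...)` line keeps the verified identity and the loaded entry consistent; a string `equalsIgnoreCase` is a weaker fallback since DN spelling may differ in spacing. The enclosing method continues beyond the hunk.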