author | Lauris BH <lauris@nix.lv> | 2020-03-05 08:30:33 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-05 08:30:33 +0200 |
commit | 37c3db7be6dd6fc5ee085979cc5f5dda09d978c3 (patch) | |
tree | f77e1d61daaee11f6aab8e491120620e597c2782 /cmd | |
parent | be544e8e6a78360d87315ada9695cc6d70c3617c (diff) | |
download | gitea-37c3db7be6dd6fc5ee085979cc5f5dda09d978c3.tar.gz gitea-37c3db7be6dd6fc5ee085979cc5f5dda09d978c3.zip |
Add restricted user filter to LDAP authentication (#10600)
* Add restricted user filter to LDAP authentication
* Fix unit test cases
Diffstat (limited to 'cmd')
-rw-r--r-- | cmd/admin_auth_ldap.go | 7 | ||||
-rw-r--r-- | cmd/admin_auth_ldap_test.go | 8 |
2 files changed, 15 insertions, 0 deletions
diff --git a/cmd/admin_auth_ldap.go b/cmd/admin_auth_ldap.go
index e869686cbd..5ab64ec7d5 100644
--- a/cmd/admin_auth_ldap.go
+++ b/cmd/admin_auth_ldap.go
@@ -61,6 +61,10 @@ var (
 Name: "admin-filter",
 Usage: "An LDAP filter specifying if a user should be given administrator privileges.",
 },
+ cli.StringFlag{
+ Name: "restricted-filter",
+ Usage: "An LDAP filter specifying if a user should be given restricted status.",
+ },
 cli.BoolFlag{
 Name: "allow-deactivate-all",
 Usage: "Allow empty search results to deactivate all users.",
@@ -235,6 +239,9 @@ func parseLdapConfig(c *cli.Context, config *models.LDAPConfig) error {
 if c.IsSet("admin-filter") {
 config.Source.AdminFilter = c.String("admin-filter")
 }
+ if c.IsSet("restricted-filter") {
+ config.Source.RestrictedFilter = c.String("restricted-filter")
+ }
 if c.IsSet("allow-deactivate-all") {
 config.Source.AllowDeactivateAll = c.Bool("allow-deactivate-all")
 }
diff --git a/cmd/admin_auth_ldap_test.go b/cmd/admin_auth_ldap_test.go
index 4af9f167c3..87f4f789ab 100644
--- a/cmd/admin_auth_ldap_test.go
+++ b/cmd/admin_auth_ldap_test.go
@@ -39,6 +39,7 @@ func TestAddLdapBindDn(t *testing.T) {
 "--user-search-base", "ou=Users,dc=full-domain-bind,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 "--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
+ "--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 "--username-attribute", "uid-bind full",
 "--firstname-attribute", "givenName-bind full",
 "--surname-attribute", "sn-bind full",
@@ -74,6 +75,7 @@ func TestAddLdapBindDn(t *testing.T) {
 SearchPageSize: 99,
 Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
+ RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 Enabled: true,
 },
 },
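Review bot: The usage text for the new `restricted-filter` flag (first hunk of cmd/admin_auth_ldap.go) says only "restricted status", so an operator cannot tell from `--help` what is restricted or what happens to an account that matches both `admin-filter` and `restricted-filter`. Because one flag raises privileges and the other lowers them, the help text should state which wins once that is confirmed against the LDAP login code, which this cmd-only diff does not show. For example, end the string with `Ignored for users matched by admin-filter.` if that is the implemented behaviour. The `var (` block starts and ends outside the hunk.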
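Review bot: In the `parseLdapConfig` hunk the `restricted-filter` value is stored verbatim, so a mistyped filter is accepted by the CLI and only surfaces later, at login or user synchronisation. For a filter whose purpose is to reduce privileges the failure direction matters: if the lookup code treats a filter error as "no match", the affected users would silently stay unrestricted. That code is outside this diff, so this is something to confirm rather than a demonstrated defect. Consider rejecting an unparsable filter here (the same applies to the existing `admin-filter` branch), or at least add a comment above the new `if` such as `// Not validated here; an invalid filter is only detected at login/sync time.`. The function body starts and ends outside the hunk.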
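Review bot: The test hunks in cmd/admin_auth_ldap_test.go add `--restricted-filter` only to the all-flags cases: the two hunks here in TestAddLdapBindDn, and the later ones in TestAddLdapSimpleAuth, TestUpdateLdapBindDn and TestUpdateLdapSimpleAuth. If the update tests also carry one case per flag, which the hunks do not show, a case passing only `--restricted-filter` would pin that the flag alone sets `RestrictedFilter` and leaves `AdminFilter` untouched. A second case passing an empty value would document how an operator clears the filter, which matters because clearing it lifts the restriction from every user it matched.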
@@ -265,6 +267,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 "--user-search-base", "ou=Users,dc=full-domain-simple,dc=org",
 "--user-filter", "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 "--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
+ "--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",
 "--username-attribute", "uid-simple full",
 "--firstname-attribute", "givenName-simple full",
 "--surname-attribute", "sn-simple full",
@@ -292,6 +295,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 AttributeSSHPublicKey: "publickey-simple full",
 Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
+ RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",
 Enabled: true,
 },
 },
@@ -499,6 +503,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 "--user-search-base", "ou=Users,dc=full-domain-bind,dc=org",
 "--user-filter", "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 "--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
+ "--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 "--username-attribute", "uid-bind full",
 "--firstname-attribute", "givenName-bind full",
 "--surname-attribute", "sn-bind full",
@@ -543,6 +548,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 SearchPageSize: 99,
 Filter: "(memberOf=cn=user-group,ou=example,dc=full-domain-bind,dc=org)",
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-bind,dc=org)",
+ RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-bind,dc=org)",
 Enabled: true,
 },
 },
@@ -978,6 +984,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 "--user-search-base", "ou=Users,dc=full-domain-simple,dc=org",
 "--user-filter", "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 "--admin-filter", "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
+ "--restricted-filter", "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",
 "--username-attribute", "uid-simple full",
 "--firstname-attribute", "givenName-simple full",
 "--surname-attribute", "sn-simple full",
@@ -1006,6 +1013,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 AttributeSSHPublicKey: "publickey-simple full",
 Filter: "(&(objectClass=posixAccount)(full-simple-cn=%s))",
 AdminFilter: "(memberOf=cn=admin-group,ou=example,dc=full-domain-simple,dc=org)",
+ RestrictedFilter: "(memberOf=cn=restricted-group,ou=example,dc=full-domain-simple,dc=org)",
 },
 },
 },
|