Browse Source
LDAP: Authenticated Searches without a manager password
Allow to use the LDAP AuthProvider with a LDAP Server prohibiting anonymous searches but without providing a manager password : searches are made on behalf of the authenticated user.tags/v1.5.0
j3rem1e
10 years ago
3 changed files with 29 additions and 2 deletions
+ 5
- 1
releases.moxie
View File
| @@ -11,12 +11,16 @@ r22: { | |||
| security: ~ | |||
| fixes: | |||
| - Ensure the Lucene ticket index is updated on repository deletion. | |||
| changes: ~ | |||
| changes: | |||
| - Option to allow LDAP users to directly authenticate without performing LDAP searches | |||
| additions: | |||
| - Added a French translation | |||
| dependencyChanges: ~ | |||
| contributors: | |||
| - Johann Ollivier-Lapeyre | |||
| - Jeremie Brebec | |||
| settings: | |||
| - { name: 'realm.ldap.bindpattern', defaultValue: ' ' } | |||
| } | |||
| # | |||
+ 9
- 0
src/main/distrib/data/gitblit.properties
View File
| @@ -1516,6 +1516,15 @@ realm.ldap.username = cn=Directory Manager | |||
| # SINCE 1.0.0 | |||
| realm.ldap.password = password | |||
| # Bind pattern for Authentication. | |||
| # Allow to directly authenticate an user without LDAP Searches. | |||
| # | |||
| # e.g. CN=${username},OU=Users,OU=UserControl,OU=MyOrganization,DC=MyDomain | |||
| # | |||
| # SINCE 1.5.0 | |||
| realm.ldap.bindpattern = | |||
| # Delegate team membership control to LDAP. | |||
| # | |||
| # If true, team user memberships will be specified by LDAP groups. This will | |||
+ 15
- 1
src/main/java/com/gitblit/auth/LdapAuthProvider.java
View File
| @@ -294,6 +294,20 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider { | |||
| LDAPConnection ldapConnection = getLdapConnection(); | |||
| if (ldapConnection != null) { | |||
| try { | |||
| boolean alreadyAuthenticated = false; | |||
| String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, ""); | |||
| if (!StringUtils.isEmpty(bindPattern)) { | |||
| try { | |||
| String bindUser = StringUtils.replace(bindPattern, "${username}", simpleUsername); | |||
| ldapConnection.bind(bindUser, new String(password)); | |||
| alreadyAuthenticated = true; | |||
| } catch (LDAPException e) { | |||
| return null; | |||
| } | |||
| } | |||
| // Find the logging in user's DN | |||
| String accountBase = settings.getString(Keys.realm.ldap.accountBase, ""); | |||
| String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))"); | |||
| @@ -304,7 +318,7 @@ public class LdapAuthProvider extends UsernamePasswordAuthenticationProvider { | |||
| SearchResultEntry loggingInUser = result.getSearchEntries().get(0); | |||
| String loggingInUserDN = loggingInUser.getDN(); | |||
| if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) { | |||
| if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) { | |||
| logger.debug("LDAP authenticated: " + username); | |||
| UserModel user = null; | |||
Loading…