Gitblit devel
parent: 237faead | patch | commit | ignore whitespace
Florian Zschocke
2013-11-22 e1b00bd19810736ea5244e3dbb8cf09525127315 
Merge pull request #122 from fzs/ldap-deref-alias

Currently the LDAP user service will not dereference aliases when
searching for groups. This patch enables dereferencing aliases for the
group search. This is benefitial if groups are defined in the DIT in a
common place but only certain ones shall play a role in Gitblit. These
can now be linked under a group that can be provided as search base for
groups, without having to recreate the existing groups under the search
base.

In addition, the new doSearch() method implemented in this patch also
limits the attributes returned for the group search to the "cn"
attribute, which is the only one used. That prevents returning all the
members of the result groups, which can be a lot.

Change-Id: I29e1560390810304386dcea5ca40aaf78601b3a9
2 files modified
27 ■■■■■ changed files
releases.moxie 1 ●●●● patch | view | raw | blame | history
src/main/java/com/gitblit/LdapUserService.java 26 ●●●●● patch | view | raw | blame | history 
 releases.moxie


@@ -32,6 +32,7 @@


    - By default GO will now bind to all interfaces for both http and https connectors.  This simplifies setup for first-time users.    


    - Removed docs indicator on the repositories page


    - Removed the repository setting to enable Markdown document enumeration, this is now automatic and expanded


    - Retrieve LDAP groups with dereferencing aliases (pr-122)


    additions:


    - Added an optional MirrorExecutor which will periodically fetch ref updates from source repositories for mirrors (issue-5).  Repositories must be manually cloned using native git and "--mirror".


    - Added branch graph image servlet based on EGit's branch graph renderer (issue-194)




 src/main/java/com/gitblit/LdapUserService.java


@@ -20,6 +20,7 @@


import java.net.URI;



import java.net.URISyntaxException;



import java.security.GeneralSecurityException;



import java.util.Arrays;



import java.util.HashMap;



import java.util.List;



import java.util.Map;



@@ -35,11 +36,13 @@


import com.gitblit.utils.ArrayUtils;



import com.gitblit.utils.StringUtils;



import com.unboundid.ldap.sdk.Attribute;



import com.unboundid.ldap.sdk.DereferencePolicy;



import com.unboundid.ldap.sdk.ExtendedResult;



import com.unboundid.ldap.sdk.LDAPConnection;



import com.unboundid.ldap.sdk.LDAPException;



import com.unboundid.ldap.sdk.LDAPSearchException;



import com.unboundid.ldap.sdk.ResultCode;



import com.unboundid.ldap.sdk.SearchRequest;



import com.unboundid.ldap.sdk.SearchResult;



import com.unboundid.ldap.sdk.SearchResultEntry;



import com.unboundid.ldap.sdk.SearchScope;



@@ -404,7 +407,7 @@


        for (Attribute userAttribute : loggingInUser.getAttributes())



            groupMemberPattern = StringUtils.replace(groupMemberPattern, "${" + userAttribute.getName() + "}", escapeLDAPSearchFilter(userAttribute.getValue()));







        SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, groupMemberPattern);



        SearchResult teamMembershipResult = doSearch(ldapConnection, groupBase, true, groupMemberPattern, Arrays.asList("cn"));



        if (teamMembershipResult != null && teamMembershipResult.getEntryCount() > 0) {



            for (int i = 0; i < teamMembershipResult.getEntryCount(); i++) {



                SearchResultEntry teamEntry = teamMembershipResult.getSearchEntries().get(i);



@@ -436,7 +439,28 @@


            return null;



        }



    }



	


    private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolean dereferenceAliases, String filter, List<String> attributes) {



        try {



            SearchRequest searchRequest = new SearchRequest(base, SearchScope.SUB, filter);



            if ( dereferenceAliases ) {



                searchRequest.setDerefPolicy(DereferencePolicy.SEARCHING);



            }



            if (attributes != null) {



                searchRequest.setAttributes(attributes);



            }



            return ldapConnection.search(searchRequest);







        } catch (LDAPSearchException e) {



            logger.error("Problem Searching LDAP", e);







            return null;



        } catch (LDAPException e) {



            logger.error("Problem creating LDAP search", e);



            return null;



        }



    }



	


    private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {



        try {



            // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN