From 136fbddd52fba5a06e3c833dce5460cf11f2d5be Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 30 Sep 2014 10:45:02 -0400
Subject: [PATCH] Merge branch 'ticket/198' into develop
---
src/main/java/com/gitblit/auth/LdapAuthProvider.java | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++----
1 files changed, 52 insertions(+), 4 deletions(-)
diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
index 3a688d8..6c97ddf 100644
--- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -30,6 +30,7 @@
import com.gitblit.Constants;
import com.gitblit.Constants.AccountType;
+import com.gitblit.Constants.Role;
import com.gitblit.Keys;
import com.gitblit.auth.AuthenticationProvider.UsernamePasswordAuthenticationProvider;
import com.gitblit.models.TeamModel;
@@ -119,8 +120,12 @@
final Map<String, UserModel> ldapUsers = new HashMap<String, UserModel>();
for (SearchResultEntry loggingInUser : result.getSearchEntries()) {
-
- final String username = loggingInUser.getAttribute(uidAttribute).getValue();
+ Attribute uid = loggingInUser.getAttribute(uidAttribute);
+ if (uid == null) {
+ logger.error("Can not synchronize with LDAP, missing \"{}\" attribute", uidAttribute);
+ continue;
+ }
+ final String username = uid.getValue();
logger.debug("LDAP synchronizing: " + username);
UserModel user = userManager.getUserModel(username);
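Review bot: The message at the `logger.error` line reads as a failure of the whole synchronization, yet the loop only skips this one entry and carries on, and it never says which LDAP object lacked the attribute, so an operator cannot locate the offending entry. Suggest naming it, using the DN the entry already exposes: `logger.error("LDAP sync skipped entry {}: missing \"{}\" attribute", loggingInUser.getDN(), uidAttribute);`. The enclosing loop and method continue beyond the hunk.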
@@ -268,7 +273,6 @@
return StringUtils.isEmpty(settings.getString(Keys.realm.ldap.email, ""));
}
-
/**
* If the LDAP server will maintain team memberships then LdapUserService
* will not allow team membership changes. In this scenario all team
@@ -280,6 +284,32 @@
@Override
public boolean supportsTeamMembershipChanges() {
return !settings.getBoolean(Keys.realm.ldap.maintainTeams, false);
+ }
+
+ @Override
+ public boolean supportsRoleChanges(UserModel user, Role role) {
+ if (Role.ADMIN == role) {
+ if (!supportsTeamMembershipChanges()) {
+ List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
+ if (admins.contains(user.username)) {
+ return false;
+ }
+ }
+ }
+ return true;
+ }
+
+ @Override
+ public boolean supportsRoleChanges(TeamModel team, Role role) {
+ if (Role.ADMIN == role) {
+ if (!supportsTeamMembershipChanges()) {
+ List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
+ if (admins.contains("@" + team.name)) {
+ return false;
+ }
+ }
+ }
+ return true;
}
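Review bot: The two new `supportsRoleChanges` overrides repeat the same admin-list lookup and differ only in the name they compare (`user.username` versus `"@" + team.name`), which invites the two copies to drift apart the next time the rule changes. Extracting the shared check into one private helper keeps the policy in a single place and makes it clearer that the guard only applies when LDAP maintains teams. The comparison with `admins.contains(...)` is case-sensitive; if usernames are normalised elsewhere in this provider (I cannot see that from here) a mixed-case entry in `realm.ldap.admins` would slip past the guard, so the helper is also the natural place to settle that. I cannot tell whether `settings.getStrings` can return null; if it can, the helper should treat null as an empty list.
```java
@Override
public boolean supportsRoleChanges(UserModel user, Role role) {
    return !isLdapMaintainedAdmin(role, user.username);
}

@Override
public boolean supportsRoleChanges(TeamModel team, Role role) {
    return !isLdapMaintainedAdmin(role, "@" + team.name);
}

/**
 * Returns true when the ADMIN role for {@code name} is owned by LDAP, i.e.
 * LDAP maintains team membership and {@code name} is listed in realm.ldap.admins.
 */
private boolean isLdapMaintainedAdmin(Role role, String name) {
    if (Role.ADMIN != role || supportsTeamMembershipChanges()) {
        return false;
    }
    List<String> admins = settings.getStrings(Keys.realm.ldap.admins);
    return admins.contains(name);
}
```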
@Override
@@ -294,6 +324,20 @@
LDAPConnection ldapConnection = getLdapConnection();
if (ldapConnection != null) {
try {
+ boolean alreadyAuthenticated = false;
+
+ String bindPattern = settings.getString(Keys.realm.ldap.bindpattern, "");
+ if (!StringUtils.isEmpty(bindPattern)) {
+ try {
+ String bindUser = StringUtils.replace(bindPattern, "${username}", escapeLDAPSearchFilter(simpleUsername));
+ ldapConnection.bind(bindUser, new String(password));
+
+ alreadyAuthenticated = true;
+ } catch (LDAPException e) {
+ return null;
+ }
+ }
+
// Find the logging in user's DN
String accountBase = settings.getString(Keys.realm.ldap.accountBase, "");
String accountPattern = settings.getString(Keys.realm.ldap.accountPattern, "(&(objectClass=person)(sAMAccountName=${username}))");
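Review bot: An empty password reaches `ldapConnection.bind(bindUser, new String(password))` unchecked, and a simple bind carrying a DN with an empty password is an unauthenticated bind that some directories accept, which would set `alreadyAuthenticated` for a caller who proved nothing. The UnboundID SDK refuses such binds client-side only while its default connection options are in place, so the guard belongs in this method, before the bind: `if (password == null || password.length == 0) { return null; }` (assuming `password` is the `char[]` that `new String(password)` suggests). Separately, `escapeLDAPSearchFilter` applies search-filter (RFC 4515) escaping, but `bindPattern` is expanded into a bind DN where RFC 4514 rules apply, so DN-significant characters such as `,` or `=` in a username pass through unescaped; a DN-escaping routine is the right tool here. The `catch (LDAPException e)` also discards the exception silently, leaving a server or TLS error indistinguishable from a wrong password in the logs, so at least `logger.debug("LDAP bind failed for " + simpleUsername, e);` before returning. The enclosing method starts and ends outside the hunk.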
@@ -304,7 +348,7 @@
SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
String loggingInUserDN = loggingInUser.getDN();
- if (isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
+ if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
logger.debug("LDAP authenticated: " + username);
UserModel user = null;
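Review bot: When `alreadyAuthenticated` is true, the search that produced `loggingInUser` was issued on a connection already bound as the end user, because the bind added earlier in this method replaced the connection's identity and nothing re-binds to the service account before the account search. Whether that changes which entries the search can see depends on the directory's ACLs, which I cannot judge from here; if the service-account identity is required for the lookup, re-bind or perform the user bind on a separate connection. This is worth a comment at the `alreadyAuthenticated ||` line either way, e.g. `// bindpattern path: the search above ran under the user's own bind, not the service account`. The enclosing method continues outside the hunk.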
@@ -409,6 +453,10 @@
Attribute attribute = userEntry.getAttribute(email);
if (attribute != null && attribute.hasValue()) {
user.emailAddress = attribute.getValue();
+ } else {
+ // issue-456/ticket-134
+ // allow LDAP to delete an email address
+ user.emailAddress = null;
}
}
}
--
Gitblit v1.9.1