
ldap filters #2497


Closed
wants to merge 2 commits into from


@dimaj dimaj commented Jan 7, 2013

This pull request will enable filter queries against ldap which is particularly useful when you have a big ldap directory and want to give access only to a subset of your users to your gitlab instance.

This pull request will enable this feature/functionality after this pull request (gitlabhq/omniauth-ldap#3) is merged in.

Details of mentioned pull request:
Please note that this pull request was migrated from omniauth-ldap project pull request 22 which was developed and authored by sdeframond and can be accessed at this link: intridea#22
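
How a `%{username}` filter template like the one in this pull request's sample config can be expanded safely, as an added example that is not code from this pull request or from omniauth-ldap: the login name is escaped per RFC 4515 before substitution so it cannot change the filter's structure. The helper names `escape_filter_value`, `build_filter` and `same_structure?` are hypothetical, and the login names are constructed.

```ruby
# Added example (not omniauth-ldap's code): expand a login filter template,
# escaping the username per RFC 4515 before it is substituted.

# RFC 4515 section 3: these characters must appear as \XX inside a value.
FILTER_ESCAPES = {
  "\\" => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00'
}.freeze

def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |ch| FILTER_ESCAPES[ch] }
end

# Substitute %{username} in the template with the escaped login name.
def build_filter(template, username)
  raise ArgumentError, 'empty username' if username.to_s.empty?
  unless template.include?('%{username}')
    raise ArgumentError, 'template lacks %{username}'
  end
  # Block form: backslashes in the replacement are taken literally.
  template.gsub('%{username}') { escape_filter_value(username) }
end

# Escaped values contain no literal parentheses, so the expanded filter
# must have exactly as many clauses as the template it came from.
def same_structure?(template, filter)
  template.count('(') == filter.count('(') &&
    template.count(')') == filter.count(')')
end

# Template taken from the sample config line in this pull request.
TEMPLATE = '(&(uid=%{username})(memberOf=cn=gitlab,ou=groups,dc=mydomain))'

if __FILE__ == $PROGRAM_NAME
  # Constructed login names: a plain one and two with filter metacharacters.
  ['alice', '*', 'x)(uid=*'].each do |name|
    filter = build_filter(TEMPLATE, name)
    puts "#{name.inspect} -> #{filter}"
    puts "  structure preserved: #{same_structure?(TEMPLATE, filter)}"
  end
end
```
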

@vsizov
Contributor

vsizov commented Jan 8, 2013

good idea

@@ -48,6 +48,8 @@ ldap:
base: '_the_base_where_you_search_for_users'
port: 636
uid: 'sAMAccountName'
## or use a filter
## filter: '(&(uid=%{username})(memberOf=cn=gitlab,ou=groups,dc=mydomain))'
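
Review bot: the commented example on the last added line matches on uid=%{username}, while the uid option two lines above it is set to 'sAMAccountName', so someone who uncomments the example against the same directory will be searching a different attribute than the one the rest of the block uses. Use the same attribute in the example, for instance (sAMAccountName=%{username}), or say which attribute the reader must substitute. The "or use a filter" comment also does not say whether filter replaces uid or is combined with it, nor whether the value substituted for %{username} is escaped for LDAP filter metacharacters; both are worth documenting next to the option.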

Can you please make this match the style of the rest of the config options?

@vsizov
Contributor

vsizov commented Jan 9, 2013

@riyad @randx What do you think about configurations which are stored in the database? We would be able to cache them and force users to change them after an update and so on. Just an idea.

@moritzheiber

Thank you so much for this!

@dimaj
Author

dimaj commented Jan 10, 2013

You're most welcome, though all the credit goes to the original creator of the patch for omniauth-ldap.

@raphendyr
Contributor

PR #3046 implements option forwarding in a non-hardcoded way, which implements the changes done in config/initialize/devise.rb.

@Razer6
Member

Razer6 commented Oct 3, 2013

@jacobvosmaer Isn't LDAP filtering implemented in GitLab 6.1 Enterprise?

@suknark

suknark commented Oct 4, 2013

https://github.com/gitlabhq/gitlabhq/issues/439
I tried it but the result is negative. Gitlab 6.
Bind is good, but the filter doesn't work.
Can someone help me?

@dimaj
Author

dimaj commented Oct 4, 2013

What's happening?

@suknark

suknark commented Oct 4, 2013

I'm trying to configure ldap auth filter from my gitlab.
I followed the instructions described on this page http://blog.dimaj.net/content/howto-enable-ldap-filters-gitlab but it is not working.

Could not authorize you from LDAP because "Invalid credentials".

My configuration file looks like this.

filter: '(&(uid=%{username})(memberOf=CN=jira-administrators,OU=Jira-Confluence,OU=GPR,DC=domain,DC=ru))'

Without filter authentication succeeds. Could you help me?

(memberOf=CN=jira-administrators,OU=Jira-Confluence,OU=GPR,DC=domain,DC=ru) - I am sure that this part is completely true

@dimaj
Author

dimaj commented Oct 4, 2013

If I am not mistaken, there should be 2 tabs for authentication... 1 tab for GitLab and another tab for LDAP. Make sure that you are trying to authenticate via the ldap. Also, which username are you using to authenticate?
One more thing that comes to mind is that, if I am not mistaken, GitLab requires your LDAP users to have an email associated with the LDAP entry.

I have also replied to you on my blog at the link you have provided. I was basically asking you what you are putting in the 'LDAP Login' field.

@suknark

suknark commented Oct 4, 2013

Yes, ldap tab.
I try to connect from user who exactly is in this group.
Just user.
Jira and other services work well with this AD.

@dimaj
Author

dimaj commented Oct 5, 2013

have you looked at the logs?
/home/git/gitlab/log/application.log

See if there's anything relevant there...

@suknark

suknark commented Oct 7, 2013

application.log is empty.

Only production.log written when you try to login

Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-10-07 15:06:31 +0400
Processing by OmniauthCallbacksController#failure as HTML

Where is the error?

@dimaj
Author

dimaj commented Oct 7, 2013

this is what I'm getting when logging in with a bad user:

Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-10-07 09:29:18 -0700
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"Heaw0YumPrRAKovHAUR5p+FrJlzxoZrlzVc7pKJBARs=", "username"=>"bad_user_name", "password"=>"[FILTERED]"}
Redirected to http://gitlab.domain.com/users/sign_in

and a good user:

Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-10-07 09:31:18 -0700
Processing by OmniauthCallbacksController#ldap as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"OU49f8IIO3PwfKBxX47e4U9cVPydZ2T9vys6Ww+8+A4=", "username"=>"good_user_name", "password"=>"[FILTERED]"}
Redirected to http://gitlab.domain.com/

also, just to make sure, your configuration between jira and gitlab is identical (as far as connection string and filter is concerned), right?

@suknark

suknark commented Oct 8, 2013

The settings are not the same.
Jira works on Java and the filter looks like
(&(objectCategory=Person)(sAMAccountName=*))

Can the problem be that a user can belong to several groups?
LDAP returns this value in the PowerShell console:

samaccountname : r.krankus
memberof : {CN=sg_pb-dc-02v_rdp,OU=Servers,OU=GRP,DC=domain,DC=ru, CN=sg_gitlab-users,OU=Security,OU=GRP,DC=domain,DC
=ru, CN=sg_pk-vcenter-01v_rdp,OU=Servers,OU=GRP,DC=domain,DC=ru, CN=sg_tk-int-pki-01v_admins,OU=Servers,
OU=GRP,DC=domain,DC=ru...}

@dimaj
Author

dimaj commented Oct 8, 2013

I don't think that filters depend on the language (java, ruby). Try using same filter in gitlab as you are using in jira. Then if that works, add more constraints.

@suknark

suknark commented Oct 8, 2013

It doesn't work.
Maybe the reason is my silly mistake, but it's so hard to find it.

@dimaj
Author

dimaj commented Oct 9, 2013

I am sorry, my knowledge of LDAP is not anywhere near good, so I am afraid that I can't help you.

@ghost

ghost commented Nov 7, 2013

Didn't see this mentioned yet. For anyone else wondering if this is getting worked on.
http://feedback.gitlab.com/forums/176466-general/suggestions/4397477-ldap-user-white-list-and-advanced-ldap-searching

@jvanbaarsen
Contributor

This pull request has been closed because a request for more information has not been reacted to for more than 2 weeks. If you respond and conform to the pull request guidelines in our contributing guidelines we will reopen this pull request. /cc @dosire

@dosire dosire closed this Dec 9, 2013
dzaporozhets added a commit that referenced this pull request Sep 14, 2015
Keep add-diff-note button the same size on hover. Fixes #2497

Removes the overridden `font-size` and `width` so the button inherits size on hover. See #2497 for screenshots of prior behavior.

See merge request !1285