Impacted version: 4.22.0 (and probably many older versions)
Deployment mode: standalone app behind an apache reverse proxy
Problem description:
I'm using LDAP authentication
I've added an additional filter recently: |(memberOf=cn=gitbucket,ou=group,dc=daemons-point,dc=com)
I've tried to verify this filter: I removed my personal user from this LDAP group and tried to log in
Expected behavior: I'm unable to log in
Observed behavior: I am able to log in!
Within the log file, a message like this shows up:
2018-03-07 14:18:43.978 [qtp321001045-18] INFO g.core.service.AccountService - LDAP error: User does not exist.
I browsed the database tables and I think the ACCOUNT table and the password field are responsible for this behavior. Once I delete the password by setting the password column to '' for my user, everything works as expected!
uli-heller changed the title from "LDAP Authentication: Login works although I see this i the log: LDAP error: User does not exist." to "LDAP Authentication: Login works although I see this in the log: LDAP error: User does not exist." on Mar 7, 2018
As far as I know, if you previously had an account without LDAP authentication, that authentication is not revoked, so you're always able to log in even if you're not a member of LDAP anymore.
I have the very same situation going on on my gitbucket instance; if you want to disable such behavior, just clean up the password.
Anyway, it would be nice to have a way to disable it from the administration console.
@Sherpard You're probably right. The current behavior is kind of unexpected, since, for example, changing the password in LDAP doesn't prevent you from logging in with the password you stored within gitbucket before. To me, it seems that gitbucket works like this:
1. Try to log in using LDAP
2. If this fails, try to log in using gitbucket internal authentication
I think there should be at least a remark about this in the LDAP config documentation.
I would suggest implementing a realm selector on the login page, or a feature to disable the gitbucket realm altogether.
This behavior allows you to authenticate with gitbucket, but LDAP records it as a failed login. On many enterprise systems, that would mean an account lock if it happens too often.
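The login order described in this thread, modelled as an added example (not GitBucket's code and not written by anyone in the thread): LDAP is tried first and the stored internal password second, shown beside a variant without the fallback and an audit helper that lists accounts still holding an internal password. All function names, the in-memory directory and the sample accounts are constructed assumptions; only the group DN comes from the report.

```python
import hashlib
import hmac

GROUP = "cn=gitbucket,ou=group,dc=daemons-point,dc=com"  # group DN from the report

def hash_pw(password):
    # Fixed salt only so the constructed sample data is reproducible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000).hex()

# Constructed sample data: alice was removed from the group but still has an
# old internal password; bob is in the group and has no internal password ("").
DIRECTORY = {"alice": {"password": "ldap-pw", "groups": set()},
             "bob": {"password": "bob-pw", "groups": {GROUP}}}
ACCOUNTS = {"alice": hash_pw("old-local-pw"), "bob": ""}

def ldap_ok(user, password):
    """Stand-in for an LDAP bind plus the memberOf filter."""
    entry = DIRECTORY.get(user)
    return (entry is not None and GROUP in entry["groups"]
            and hmac.compare_digest(entry["password"].encode(), password.encode()))

def local_ok(user, password):
    """Internal check; an empty stored value can never match."""
    stored = ACCOUNTS.get(user, "")
    return bool(stored) and hmac.compare_digest(stored, hash_pw(password))

def login_with_fallback(user, password):
    """Order described in the thread: LDAP first, then the internal password."""
    if ldap_ok(user, password):
        return "ldap"
    return "local-fallback" if local_ok(user, password) else None

def login_ldap_only(user, password):
    """Fail-closed variant: an LDAP rejection is final."""
    return "ldap" if ldap_ok(user, password) else None

def residual_local_passwords():
    """Audit helper: users who can still get in without LDAP."""
    return sorted(u for u, stored in ACCOUNTS.items() if stored)

if __name__ == "__main__":
    print(login_with_fallback("alice", "old-local-pw"))
    print(login_ldap_only("alice", "old-local-pw"))
    print(residual_local_passwords())
```

In the model, blanking a user's stored value has the same effect as the password cleanup mentioned in the thread: `local_ok` can no longer succeed for that user.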