git Push / Pull with http protocol do not respond to omniauth #1349

Closed
sdiaz opened this Issue Aug 31, 2012 · 12 comments


sdiaz commented Aug 31, 2012

Hello,

I have LDAP working with Omniauth. It works perfectly through the web interface, but when trying to push / pull using http protocol I have an error:

fatal: Authentication failed

I'm using LDAP username/password instead of the local Gitlab email/password.

Contributor

sodabrew commented Aug 31, 2012

Repo push/pull are served by git directly. You should upload an SSH key for your user and use git protocol.

sdiaz commented Sep 1, 2012

Not directly, we use Grack, but it seems there is no auth implementation for Devise/Omniauth support.

https://github.com/gitlabhq/grack/blob/master/lib/grack/auth.rb

Contributor

SaitoWu commented Sep 1, 2012

https://github.com/gitlabhq/gitlabhq/blob/master/lib/gitlab/backend/grack_auth.rb

The Grack auth is patched here.

But it didn't support omniauth. I'm not an LDAP user, can you send a PR on this?

I'll handle it.

Contributor

mgrobelin commented Oct 25, 2012

Here are some patches that fixed this for me.

All my users can now auth by HTTP (ldap auth) and/or SSH (pubkey auth).

You can find patched files here: https://gist.github.com/3953472

  1. to install ruby-ldap edit Gemfile and execute
     bundle install --without development test --no-deployment
  2. edit $PATH_TO_RUBYLIBS/bundler/ruby/1.9.1/omniauth-ldap-f038dd852d7b/lib/omniauth/strategies/ldap.rb & $PATH_TO_RUBYLIBS/bundler/ruby/1.9.1/omniauth-ldap-f038dd852d7b/lib/omniauth-ldap.rb

Note
I don't use net-ldap within omniauth, but ruby-ldap because of ruby-ldap/ruby-net-ldap#50
LDAP uid attribute is used for login, e.g. jdoe@example.com signs in as jdoe with appropriate password - gitlab.yml looks like:

ldap: 
  enabled: true
  host: 'ldap.example.com'
  base: 'ou=People,dc=example,dc=com'
  port: 636
  uid: 'uid'
  method: 'ssl' 
#not used anymore due to patch
  bind_dn: 'uid=gitlab,ou=special users,dc=example,dc=com'
  password: 'XXXXXXXXXXx'

Contributor

sodabrew commented Oct 25, 2012

Make a pull request, not patched files.


@mgrobelin did you ever make a pull request for this? I would love to have this bug fixed in our setup.

Contributor

mgrobelin commented Nov 2, 2012

@sodabrew @dan-blanchard no, as those patches are pretty incomplete & dirty

https://gist.github.com/3953472#file_grack_auth.rb shows how to force ldap-auth over http

the other modifications in that gist are to resolve issues with 389-ds only and not needed for topic

Contributor

bladealslayer commented Nov 15, 2012

@mgrobelin Could you explain the idea of how you force the LDAP auth? The code in grack_auth.rb:

user = User.find_for_ldap_auth(authhash)
return false if user.nil?

doesn't look like forcing anything, because it relies on Omniauth having already done its job (which it hasn't since it only works for /users/auth/ldap/callback URLs). As it is at the moment, you create the auth hash yourself, which looks like bypassing the LDAP authentication, and not forcing it.

Contributor

mgrobelin commented Nov 19, 2012

@bladealslayer basically I do it pretty similar to what app/controllers/omniauth_callbacks_controller.rb does. I basically replaced

self.user = User.find_by_email(creds)

with

self.user = User.find_for_ldap_auth(creds).

... and added some specific mess to make it work with my directory server!

I defined that Omniauth auth hash by hand, because this saves me from modifying most of the involved auth-related functions. Therefore I modified omniauth-ldap's bind method (see "bind_as_2" https://gist.github.com/3953472#file_adaptor.rb) to do the bind with ruby-ldap. Bind succeeded => User authenticated.
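
The distinction debated in the two comments above, as an added example that is not code from this thread, the gist or GitLab: an HTTP Basic handler that only looks the account up, next to one that binds to the directory with the supplied password first. `FakeDirectory`, `lookup_only`, `bind_then_lookup`, `escape_rdn` and `USERS` are hypothetical names, and the directory is a constructed in-memory stand-in for a real LDAP bind over TLS.

```ruby
# Constructed stand-in for a directory server (hypothetical, not a real LDAP client).
class FakeDirectory
  def initialize(entries)
    @entries = entries # { dn => password }
  end

  # Mimics a server that accepts an "unauthenticated bind" (DN plus empty
  # password, RFC 4513 section 5.1.2): the caller must reject empty passwords.
  def bind(dn, password)
    return true if password.empty?
    @entries[dn] == password
  end
end

BASE  = 'ou=People,dc=example,dc=com'
USERS = { 'jdoe' => :jdoe_account } # constructed local accounts keyed by LDAP uid

# Backslash-escape DN metacharacters (RFC 4514) so a login cannot add RDN components.
def escape_rdn(value)
  value.gsub(/([\\,+"<>;=#])/) { "\\#{$1}" }
end

# Returns [login, password] from an "Authorization: Basic ..." value, or nil.
def parse_basic(header)
  scheme, blob = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('basic') && blob
  login, password = blob.unpack1('m').split(':', 2)
  login && password ? [login, password] : nil
end

# Lookup only: the password is never checked, so any password is accepted.
def lookup_only(header)
  login, _password = parse_basic(header)
  USERS[login]
end

# Bind first, then look up: "Bind succeeded => User authenticated".
def bind_then_lookup(header, directory)
  login, password = parse_basic(header)
  return nil if login.nil? || login.empty? || password.empty?
  dn = "uid=#{escape_rdn(login)},#{BASE}"
  return nil unless directory.bind(dn, password)
  USERS[login]
end
```
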

Pull request #2557 has the necessary grack module updates to fix http/https auth with LDAP.

I also documented my findings getting this config to work on 4.2 here: http://www.woodruffs.org/2013/02/27/gitlab-4-2-stable-and-ldap-with-activedirectory/

Member

axilleas commented Apr 30, 2013

@senny this can close. randx just merged #3758 which implements this :)

Contributor

senny commented Apr 30, 2013

Closing this one as #3758 was merged.

@axilleas thanks!

@senny senny closed this Apr 30, 2013

dzaporozhets added a commit that referenced this issue Jun 19, 2014

Merge branch 'fix-500-admin-transfer' into 'master'
Fix 500 error when transfer project from admin area

Fixes #1349

fpgentil pushed a commit to fpgentil/gitlabhq that referenced this issue Apr 13, 2015

Merge branch 'remove-sidebar-help-link' into 'master'
Removed help link from sidebar

Closes #1349

I don't see the point in having two links on the page that will do the same thing.

See merge request !483