ldap filters #2497

Closed
wants to merge 2 commits into
from


9 participants

dimaj commented Jan 7, 2013

This pull request will enable filter queries against ldap which is particularly useful when you have a big ldap directory and want to give access only to a subset of your users to your gitlab instance.

This pull request will enable this feature/functionality after this pull request (gitlabhq/omniauth-ldap#3) is merged in.

Details of mentioned pull request:
Please note that this pull request was migrated from omniauth-ldap project pull request 22 which was developed and authored by sdeframond and can be accessed at this link: intridea#22


vsizov Jan 8, 2013

Contributor

good idea


config/gitlab.yml.example
@@ -48,6 +48,8 @@ ldap:
base: '_the_base_where_you_search_for_users'
port: 636
uid: 'sAMAccountName'
+ ## or use a filter
+ ## filter: '(&(uid=%{username})(memberOf=cn=gitlab,ou=groups,dc=mydomain))'
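Review bot: the commented example on the second added line matches on `uid=%{username}` while the `uid:` setting directly above it is 'sAMAccountName', so anyone who uncomments it in this file ends up with a filter that looks up a different attribute than the one configured; use the same attribute in the example or state which setting takes precedence. "or use a filter" also leaves open whether `filter` replaces `uid` or is combined with it, and the comment should say whether the value substituted for `%{username}` is escaped for LDAP filter syntax before the search is sent.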


riyad Jan 9, 2013

Contributor

Can you please make this match the style of the rest of the config options?


vsizov Jan 9, 2013

Contributor

@riyad @randx What do you think about configurations which are stored in the database? We would be able to cache them and force users to change them after an update and so on. Just an idea.


moritzheiber Jan 10, 2013

Thank you so much for this!


dimaj Jan 10, 2013

You're most welcome, though all the credit goes to the original creator of the patch for omniauth-ldap.


raphendyr Mar 22, 2013

Contributor

PR #3046 implements option forwarding in a non-hardcoded way, which implements changes done in config/initialize/devise.rb


Razer6 Oct 3, 2013

Member

@jacobvosmaer Isn't LDAP filtering implemented in GitLab 6.1 Enterprise?


suknark Oct 4, 2013

https://github.com/gitlabhq/gitlabhq/issues/439
I tried it but the result is negative. Gitlab 6.
Bind is good, but the filter doesn't work.
Can someone help me?


dimaj Oct 4, 2013

What's happening?


suknark Oct 4, 2013

I'm trying to configure ldap auth filter from my gitlab.
I followed the instructions described on this page http://blog.dimaj.net/content/howto-enable-ldap-filters-gitlab but it is not working.

Could not authorize you from LDAP because "Invalid credentials".

My configuration file looks like this.

filter: '(&(uid=%{username})(memberOf=CN=jira-administrators,OU=Jira-Confluence,OU=GPR,DC=domain,DC=ru))'

Without filter authentication succeeds. Could you help me?

(memberOf=CN=jira-administrators,OU=Jira-Confluence,OU=GPR,DC=domain,DC=ru) - I am sure that this part is completely true


dimaj Oct 4, 2013

If I am not mistaken, there should be 2 tabs for authentication... 1 tab for GitLab and another tab for LDAP. Make sure that you are trying to authenticate via the ldap. Also, which username are you using to authenticate?
One more thing that comes to mind is that, if I am not mistaken, GitLab requires your LDAP users to have an email associated with the LDAP entry.

I have also replied to you on my blog at the link you have provided. I was basically asking you what you are putting in the 'LDAP Login' field.


suknark Oct 4, 2013

Yes, ldap tab.
I try to connect from user who exactly is in this group.
Just user.
Jira and other services work good with this AD.


dimaj Oct 5, 2013

have you looked at the logs?
/home/git/gitlab/log/application.log

See if there's anything relevant there...


suknark Oct 7, 2013

application.log is empty.

Only production.log is written when you try to log in

Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-10-07 15:06:31 +0400
Processing by OmniauthCallbacksController#failure as HTML

Where is the error?


dimaj Oct 7, 2013

this is what I'm getting when logging in with a bad user:

Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-10-07 09:29:18 -0700
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"Heaw0YumPrRAKovHAUR5p+FrJlzxoZrlzVc7pKJBARs=", "username"=>"bad_user_name", "password"=>"[FILTERED]"}
Redirected to http://gitlab.domain.com/users/sign_in

and a good user:

Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-10-07 09:31:18 -0700
Processing by OmniauthCallbacksController#ldap as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"OU49f8IIO3PwfKBxX47e4U9cVPydZ2T9vys6Ww+8+A4=", "username"=>"good_user_name", "password"=>"[FILTERED]"}
Redirected to http://gitlab.domain.com/

also, just to make sure, your configuration between jira and gitlab is identical (as far as connection string and filter is concerned), right?


suknark Oct 8, 2013

settings are not the same.
jira works on java and filter looks like
(&(objectCategory=Person)(sAMAccountName=*))

Can the problem be that a user can belong to several groups?
LDAP returns this value in the PowerShell console

samaccountname : r.krankus
memberof : {CN=sg_pb-dc-02v_rdp,OU=Servers,OU=GRP,DC=domain,DC=ru, CN=sg_gitlab-users,OU=Security,OU=GRP,DC=domain,DC
=ru, CN=sg_pk-vcenter-01v_rdp,OU=Servers,OU=GRP,DC=domain,DC=ru, CN=sg_tk-int-pki-01v_admins,OU=Servers,
OU=GRP,DC=domain,DC=ru...}


dimaj Oct 8, 2013

I don't think that filters depend on the language (java, ruby). Try using same filter in gitlab as you are using in jira. Then if that works, add more constraints.
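
The approach suggested in this comment (start from a filter that works, then add constraints) can be checked offline, clause by clause. The Ruby below is an added example, not code from this thread, GitLab or omniauth-ldap; `build_filter`, `parse_filter`, `filter_match?`, `failing_clauses` and the `ENTRY` data are hypothetical, and matching is simplified to case-insensitive equality and presence tests.

```ruby
# Constructed entry modelled on the attributes quoted in the thread (keys lower-cased).
ENTRY = {
  'samaccountname' => ['r.krankus'],
  'memberof' => ['CN=sg_pb-dc-02v_rdp,OU=Servers,OU=GRP,DC=domain,DC=ru',
                 'CN=sg_gitlab-users,OU=Security,OU=GRP,DC=domain,DC=ru']
}.freeze

# Substitute the RFC 4515-escaped username for %{username}; block form keeps "\" literal.
def build_filter(template, username)
  template.gsub('%{username}') { username.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) } }
end

# Parse the "(...)" starting at index i into [[op, payload, source_text], next_index].
def parse_filter(str, i = 0)
  raise ArgumentError, "expected '(' at #{i}" unless str[i] == '('
  start = i
  op = str[i += 1]
  if %w[& | !].include?(op)
    payload = []
    i += 1
    while str[i] == '('
      kid, i = parse_filter(str, i)
      payload << kid
    end
  else
    op = '='
    i = str.index(')', i) or raise ArgumentError, 'unbalanced filter'
    payload = str[(start + 1)...i].split('=', 2)
  end
  raise ArgumentError, 'unbalanced filter' unless str[i] == ')'
  [[op, payload, str[start..i]], i + 1]
end

# Evaluate a parsed filter against an entry (simplified matching, see lead-in).
def filter_match?(node, entry)
  op, payload = node
  return payload.all? { |k| filter_match?(k, entry) } if op == '&'
  return payload.any? { |k| filter_match?(k, entry) } if op == '|'
  return !filter_match?(payload.first, entry) if op == '!'
  attr, value = payload
  have = Array(entry[attr.downcase])
  want = value.gsub(/\\(\h\h)/) { Regexp.last_match(1).hex.chr }
  value == '*' ? have.any? : have.any? { |v| v.casecmp?(want) }
end

# Source text of each top-level clause that rejects the entry.
def failing_clauses(filter, entry)
  node, = parse_filter(filter)
  (node[0] == '&' ? node[1] : [node]).reject { |c| filter_match?(c, entry) }.map(&:last)
end
```

For the constructed entry, `failing_clauses(build_filter(template, 'r.krankus'), ENTRY)` returns the clauses that reject it, so an attribute the entry does not carry or a group DN that differs by one component shows up by name.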


suknark Oct 8, 2013

It doesn't work.
maybe the reason is my silly mistake, but so hard to find it


dimaj Oct 9, 2013

I am sorry, my knowledge of LDAP is not anywhere near good, so I am afraid that I can't help you.


ghost Nov 7, 2013

Didn't see this mentioned yet. For anyone else wondering if this is getting worked on.
http://feedback.gitlab.com/forums/176466-general/suggestions/4397477-ldap-user-white-list-and-advanced-ldap-searching


jvanbaarsen Dec 8, 2013

Contributor

This pull request has been closed because a request for more information has not been reacted to for more than 2 weeks. If you respond and conform to the pull request guidelines in our contributing guidelines we will reopen this pull request. /cc @dosire


dosire closed this Dec 9, 2013

dzaporozhets added a commit that referenced this pull request Sep 14, 2015

Merge branch 'add_diff_note_hover_size' into 'master'
Keep add-diff-note button the same size on hover. Fixes #2497

Removes the overridden `font-size` and `width` so the button inherits size on hover. See #2497 for screenshots of prior behavior.

See merge request !1285