Commit Graph

42 Commits

Author SHA1 Message Date
zeripath
8bb0a6f425 Synchronize SSH keys on login with LDAP + Fix SQLite deadlock on ldap ssh key deletion (#5557)
* Synchronize SSH keys on login with LDAP

* BUG: Fix hang on sqlite during LDAP key deletion
2018-12-27 12:28:48 -05:00
Tony Homrich
2058c362a8 LDAP via simple auth separate bind user and search base (#5055) 2018-12-27 11:51:19 -05:00
Magnus Lindvall
cdb9478774 LDAP Public SSH Keys synchronization (#1844)
* Add LDAP Key Synchronization feature

Signed-off-by: Magnus Lindvall <magnus@dnmgns.com>

* Add migration: add login source id column for public_key table

* Only update keys if needed

* Add function to only list pubkey synchronized from ldap

* Only list pub ssh keys synchronized from ldap. Do not sort strings as ExistsInSlice does it.

* Only get keys belonging to current login source id

* Set default login source id to 0

* Some minor cleanup. Add integration tests (updete dep testify)
2018-05-24 07:59:02 +03:00
Lauris BH
501fb228e6
Add option to use paged LDAP search when synchronizing users (#3895) 2018-05-05 17:30:47 +03:00
Jochen Rill
f94e6fd7a5 Correct ldap username validation. (#2880)
PR #342 was only partially applied. Spaces should not be at the start
and end of a username but they can be inside.
2017-11-13 11:32:16 +02:00
Lauris BH
524885dd65 LDAP user synchronization (#1478) 2017-05-10 15:10:18 +02:00
Denis Denisov
f0a989c1d0 Correction LDAP validation (#342)
* Correction LDAP username validation

As https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx describe spaces should not be in start or at the end of username but they can be inside the username. So please check my solution for it.

* Check for zero length passwords in LDAP module.

According to https://tools.ietf.org/search/rfc4513#section-5.1.2 LDAP client should always check before bind whether a password is an empty value. There are at least one LDAP implementation which does not return error if you try to bind with DN set and empty password - AD.

* Clearing the login/email spaces at the [start/end]
2016-12-12 08:46:51 +08:00
Lunny Xiao
ec87a75c00 golint fixed for modules/auth 2016-11-27 21:39:06 +08:00
Sandro Santilli
4247304f5a Update import paths from github.com/go-gitea to code.gitea.io (#135)
- Update import paths from github.com/go-gitea to code.gitea.io
- Fix import path for travis

See https://docs.travis-ci.com/user/languages/go#Go-Import-Path
2016-11-10 17:24:48 +01:00
Sandro Santilli
864d1b1f9f Fix type in unused constant name (#111)
* Write LDAP, SMTP, PAM, DLDAP back to all uppercase

* Fix type in unused constant name

* Other MixCased fixes

* Complete MixerCasing of template constants

* Re uppercase LTS and LDAPS suffixes

* Uppercase JSON suffix in constant names

* Proper case LoginNoType

* Prefix unexported template path constants with "tpl"
2016-11-07 18:58:22 -02:00
Sandro Santilli
05fd9d3f09 Security protocols 2016-11-07 17:38:43 +01:00
Rémy Boulanouar
2d68bd1ef9 Change import reference to match gitea instead of gogs (#37) 2016-11-03 10:29:56 -02:00
Unknwon
a752f09055 #2709 validate username attribute fetched from LDAP 2016-07-12 07:07:57 +08:00
Unknwon
401bf944ef Use SecurityProtocol to replace UseSSL in LDAP config
Initially proposed by #2376 and fixes #3068 as well.
2016-07-08 07:25:09 +08:00
Paul Tötterman
fb970b9d87 Add ServerName to tls.Config in LDAP auth (#3104)
From https://godoc.org/crypto/tls#Config

    ServerName is used to verify the hostname on the returned
    certificates unless InsecureSkipVerify is given. It is also included
    in the client's handshake to support virtual hosting unless it is
    an IP address.

This is needed for certificate validation without InsecureSkipVerify.
2016-06-01 01:11:28 -07:00
Adam Strzelecki
5649556a33 LDAP: Make a bit more detailed log traces
This is useful especially to check whether we fetch right attributes, using
right LDAP search base and in right order.
2016-02-20 14:12:32 +01:00
Adam Strzelecki
834d92a47b LDAP: Fetch attributes in Bind DN context option
This is feature is workaround for #2628 (JumpCloud) and some other services
that allow LDAP search only under BindDN user account, but not allow any LDAP
search query in logged user DN context.

Such approach is an alternative to minimal permissions security pattern for
BindDN user.
2016-02-20 14:12:32 +01:00
Adam Strzelecki
e2f95c2845 LDAP: Use single connection in BindDN mode auth
According to RFC 4511 4.2.1. Processing of the Bind Request "Clients may send
multiple Bind requests to change the authentication and/or security
associations or to complete a multi-stage Bind process. Authentication from
earlier binds is subsequently ignored."

Therefore we should not use 2 connections, but single one just sending two bind
requests.
2016-02-20 14:01:47 +01:00
Adam Strzelecki
3808638df1 Fix #2221 LDAP username attribute must be fetched
This is fix-up for 573305f. Forgot to fetch AttributeUsername value from the
LDAP server, so the setting was effectively not working as intended.
2016-02-07 18:18:29 +01:00
Alex Myasoedov
ae54d878c0 Fix misspelled words 2015-12-06 16:42:23 +02:00
Adam Strzelecki
573305f3d3 LDAP: Optional user name attribute specification
Consider following LDAP search query example:

    (&(objectClass=Person)(|(uid=%s)(mail=%s)))

Right now on first login attempt Gogs will use the text supplied on login form
as the newly created user name. In example query above the text matches against
both e-mail or user name. So if user puts the e-mail then the new Gogs user
name will be e-mail which may be undesired.

Using optional user name attribute setting we can explicitly say we want Gogs
user name to be certain LDAP attribute eg. `uid`, so even user will use e-mail
to login 1st time, the new account will receive correct user name.
2015-12-02 00:20:14 +01:00
Unknwon
aaa3f1b2b9 Use better LDAP lib and should fix #1139 2015-11-26 14:04:58 -05:00
Unknwon
f255b1e86d #1896 fatal when no needed update task 2015-11-04 21:57:10 -05:00
Sergio Benitez
630ebbe6c2 Sanitizing input to LDAP authentication module. 2015-10-26 18:08:59 -07:00
Unknwon
6a1907d994 revert simple LDAP userDN and update example 2015-09-16 12:15:14 -04:00
Unknwon
f5c7f22cc8 #1637 able to skip verify for LDAP 2015-09-14 15:48:51 -04:00
Unknwon
2bc3e83e1c fix simple LDAP userDN 2015-09-14 12:24:37 -04:00
Sergio Benitez
2d1db4bf05 Added LDAP simple auth support. 2015-09-04 20:48:34 -07:00
Unknwon
f1adbca0f1 #1554 check adminFilter length before LDAP search 2015-09-01 08:40:11 -04:00
Girish Ramakrishnan
24d7a86a8d Set IsAdmin using LDAP
The IsAdmin flag is set based on whether the admin filter
returned any result. The admin filter is applied with the user dn
as the search root.

In the future, we should update IsAdmin as well on each login.
Alternately, we can have a periodic sync operation.
2015-08-18 23:49:12 -07:00
Unknwon
6235bd1fe9 work on #986 and fix a LDAP crash 2015-08-18 04:03:11 +08:00
Unknwon
55ccb00a47 Merge branch 'develop' of https://github.com/SergioBenitez/gogs into develop
# Conflicts:
#	modules/bindata/bindata.go
2015-08-16 14:31:54 +08:00
Sergio Benitez
7d84d4a8f0 Significantly enhanced LDAP support in Gogs. 2015-08-12 17:01:22 -07:00
Lauris BH
00653e52ee Get username, name, surname and e-mail from LDAP server 2015-02-08 01:49:51 +02:00
Joseph Crail
39c068400e Fix spelling errors in comments. 2014-12-06 20:22:48 -05:00
Unknwon
59a7c7c5a5 Remove ldap dep 2014-09-07 20:04:47 -04:00
Unknwon
8dd07c0ddd New UI merge in progress 2014-07-26 00:24:27 -04:00
Lunny Xiao
f6c94c29d5 implicated error for ldap dial 2014-05-16 10:31:39 +08:00
Sebastian Jackel
eb264a112b Add LDAP over SSL support 2014-05-15 14:27:16 +02:00
Lunny Xiao
55019bfbc5 merge all login methods 2014-05-11 14:12:45 +08:00
Lunny Xiao
79ea34e70e ldap support 2014-05-03 10:48:14 +08:00
juju2013
efc05ea1de initial support for LDAP authentication/MSAD 2014-04-23 23:07:54 +02:00