Add some additional checking for LDAP DNs in Group Sync

9a68cad8 · Drew Blessing · faad5120 · 9a68cad8
Commit 9a68cad8 authored Apr 14, 2016 by Drew Blessing
Show whitespace changes
Inline Side-by-side

Showing with 13 additions and 7 deletions

lib/gitlab/ldap/group_sync.rb lib/gitlab/ldap/group_sync.rb +13 -7

No files found.
--- a/lib/gitlab/ldap/group_sync.rb
+++ b/lib/gitlab/ldap/group_sync.rb
+require 'net/ldap/dn'
 module Gitlab
  module LDAP
    class GroupSync
@@ -181,13 +183,17 @@ module Gitlab
      # account for that. See gitlab-ee#442
      def ensure_full_dns!(dns)
        dns.map! do |dn|
-          # If there is more than one equal sign we must have a full DN
+          parsed_dn = Net::LDAP::DN.new(dn).to_a
-          # Or at least the probability is higher.
+          # If there is more than one key/value set we must have a full DN,
-          return dn if dn.count('=') > 1
+          # or at least the probability is higher.
+          if parsed_dn.count > 2
-          # If there is only one equal sign, we may only have a `uid`.
+            dn
-          # In this case, strip the first part and look up full DN by UID
+          elsif parsed_dn[0] == 'uid'
-          dn_for_uid(dn.split('=')[1])
+            dn_for_uid(parsed_dn[1])
+          else
+            logger.warn { "Found potentially malformed/incomplete DN: '#{dn}'" }
+            dn
+          end
        end
      end