Merge branch 'recursive_ldap_groups' into 'master'

Recursive LDAP groups (ActiveDirectory only)

CHANGELOG-EE

 v 6.7.0
   - Improve LDAP sign-in speed by reusing connections
+  - Add support for Active Directory nested LDAP groups
 
 v 6.5.0
   - Add reset permissions button to Group#members page

lib/gitlab/ldap/adapter.rb

@@ -63,7 +63,7 @@ module Gitlab
         options.merge!(size: size) if size
 
         ldap.search(options).map do |entry|
-          Gitlab::LDAP::Group.new(entry)
+          Gitlab::LDAP::Group.new(entry, self)
         end
       end
 
@@ -106,6 +106,10 @@ module Gitlab
         users(*args).first
       end
 
+      def dn_matches_filter?(dn, filter)
+        ldap.search(base: dn, filter: filter, attributes: %w{dn}).any?
+      end
+
       private
 
       def config

lib/gitlab/ldap/group.rb

@@ -12,9 +12,10 @@ module Gitlab
         adapter.group(cn)
       end
 
-      def initialize(entry)
+      def initialize(entry, adapter=nil)
         Rails.logger.debug { "Instantiating #{self.class.name} with LDIF:\n#{entry.to_ldif}" }
         @entry = entry
+        @adapter = adapter
       end
 
       def cn
@@ -40,8 +41,10 @@ module Gitlab
       def has_member?(user)
         if memberuid?
           member_uids.include?(user.uid)
+        elsif member_dns.include?(user.dn)
+          true
         else
-          member_dns.include?(user.dn)
+          adapter.dn_matches_filter?(user.dn, active_directory_recursive_memberof_filter)
         end
       end
 
@@ -60,6 +63,12 @@ module Gitlab
 
       private
 
+      # We use the ActiveDirectory LDAP_MATCHING_RULE_IN_CHAIN matching rule; see
+      # http://msdn.microsoft.com/en-us/library/aa746475%28VS.85%29.aspx#code-snippet-5
+      def active_directory_recursive_memberof_filter
+        Net::LDAP::Filter.ex("memberOf:1.2.840.113556.1.4.1941", entry.dn)
+      end
+
       def entry
         @entry
       end