Commit d5232a09 authored by Christopher Schenk's avatar Christopher Schenk Committed by Drew Blessing

Make mapping between ldap and kerberos configurable

parent 4a1667c4
...@@ -731,6 +731,7 @@ Gitlab.ee do ...@@ -731,6 +731,7 @@ Gitlab.ee do
Settings['kerberos'] ||= Settingslogic.new({}) Settings['kerberos'] ||= Settingslogic.new({})
Settings.kerberos['enabled'] = false if Settings.kerberos['enabled'].nil? Settings.kerberos['enabled'] = false if Settings.kerberos['enabled'].nil?
Settings.kerberos['keytab'] = nil if Settings.kerberos['keytab'].blank? # nil means use default keytab Settings.kerberos['keytab'] = nil if Settings.kerberos['keytab'].blank? # nil means use default keytab
Settings.kerberos['simple_ldap_linking_allowed_realms'] = [] if Settings.kerberos['simple_ldap_linking_allowed_realms'].blank?
Settings.kerberos['service_principal_name'] = nil if Settings.kerberos['service_principal_name'].blank? # nil means any SPN in keytab Settings.kerberos['service_principal_name'] = nil if Settings.kerberos['service_principal_name'].blank? # nil means any SPN in keytab
Settings.kerberos['use_dedicated_port'] = false if Settings.kerberos['use_dedicated_port'].nil? Settings.kerberos['use_dedicated_port'] = false if Settings.kerberos['use_dedicated_port'].nil?
Settings.kerberos['https'] = Settings.gitlab.https if Settings.kerberos['https'].nil? Settings.kerberos['https'] = Settings.gitlab.https if Settings.kerberos['https'].nil?
......
---
title: Add simple_ldap_linking kerberos options to make the mapping between ldap and
kerberos configureable
merge_request:
author: Christopher Schenk
type: added
...@@ -31,12 +31,22 @@ module EE ...@@ -31,12 +31,22 @@ module EE
uid, domain = principal.split('@', 2) uid, domain = principal.split('@', 2)
return unless uid && domain return unless uid && domain
if ::Gitlab.config.kerberos.simple_ldap_linking_allowed_realms.blank?
# In multi-forest setups, there may be several users with matching # In multi-forest setups, there may be several users with matching
# uids but differing DNs, so skip adapters configured to connect to # uids but differing DNs, so skip adapters configured to connect to
# non-matching domains # non-matching domains
return unless domain.casecmp(domain_from_dn(adapter.config.base)) == 0 return unless domain.casecmp(domain_from_dn(adapter.config.base)) == 0
find_by_uid(uid, adapter) find_by_uid(uid, adapter)
else
::Gitlab.config.kerberos.simple_ldap_linking_allowed_realms.each do |realm|
if domain.casecmp(realm) == 0
return find_by_uid(uid, adapter)
end
end
end
end end
# Extracts the rightmost unbroken set of domain components from an # Extracts the rightmost unbroken set of domain components from an
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment