Merge branch 'improve/respect_ldap_filter' of /home/git/repositories/gitlab/gitlab-ee

e3bf87d3 · Dmitriy Zaporozhets · c4854635 · 8dc185c1 · e3bf87d3 · e3bf87d3
Commit e3bf87d3 authored Nov 02, 2013 by Dmitriy Zaporozhets
Showing with 18 additions and 14 deletions

app/views/layouts/devise.html.haml app/views/layouts/devise.html.haml +2 -2

lib/api/internal.rb lib/api/internal.rb +7 -1

lib/gitlab/ldap/user.rb lib/gitlab/ldap/user.rb +9 -11

No files found.
--- a/app/views/layouts/devise.html.haml
+++ b/app/views/layouts/devise.html.haml
@@ -13,5 +13,5 @@
            #{link_to "Sign in", new_user_session_path} or browse for #{link_to "public projects", public_projects_path}.
        %hr
        = yield
-        %center
-          %h5.cwhite Enterprise Edition
+        %center.prepend-top-20
+          %h6 Enterprise Edition
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -35,7 +35,13 @@ module API
          user = key.user

          return false if user.blocked?
-          return false if user.ldap_user? && Gitlab::LDAP::User.blocked?(user.extern_uid)
+
+          if user.ldap_user?
+            # Check if LDAP user exists and match LDAP user_filter
+            unless Gitlab::LDAP::Access.allowed?(user.extern_uid)
+              return false
+            end
+          end

          action = case git_cmd
                   when *DOWNLOAD_COMMANDS

--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -62,8 +62,16 @@ module Gitlab
          return nil unless ldap_conf.enabled && login.present? && password.present?

          ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+          filter = Net::LDAP::Filter.eq(ldap.uid, login)
+
+          # Apply LDAP user filter if present
+          if ldap_conf['user_filter'].present?
+            user_filter = Net::LDAP::Filter.construct(ldap_conf['user_filter'])
+            filter = Net::LDAP::Filter.join(filter, user_filter)
+          end
+
          ldap_user = ldap.bind_as(
-            filter: Net::LDAP::Filter.eq(ldap.uid, login),
+            filter: filter,
            size: 1,
            password: password
          )
@@ -71,16 +79,6 @@ module Gitlab
          find_by_uid(ldap_user.dn) if ldap_user
        end

-        # Check LDAP user existance by dn. User in git over ssh check
-        #
-        # It covers 2 cases:
-        # * when ldap account was removed
-        # * when ldap account was deactivated by change of OU membership in 'dn'
-        def blocked?(dn)
-          ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
-          ldap.connection.search(base: dn, size: 1).blank?
-        end
-
        private

        def find_by_uid(uid)