diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 78d2196fbbe82c21305f90b09747dedbcca1f80e..ff1d1b13cc994b9f8799feac8ad64b717445d306 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -70,5 +70,24 @@ module Gitlab
 def log
 Gitlab::AppLogger
 end
+
+ def ldap_auth(login, password)
+ # Check user against LDAP backend if user is not authenticated
+ # Only check with valid login and password to prevent anonymous bind results
+ return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+
+ User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
+ end
+
+ def ldap_conf
+ @ldap_conf ||= Gitlab.config.ldap
+ end
 end
 end
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index 6a411aabcc63e4b44a67716fe7485719559ed2af..4f3f7b02a5beb70852093b8abf06363a325a5281 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -32,20 +32,11 @@ module Grack
 if @auth.provided?
 # Authentication with username and password
 login, password = @auth.credentials
- self.user = User.find_by_email(login) || User.find_by_username(login)
-
- # If the provided login was not a known email or username
- # then user is nil
- if user.nil?
- # Second chance - try LDAP authentication
- return false unless Gitlab.config.ldap.enabled
- ldap_auth(login,password)
- return false unless !user.nil?
- else
- return false unless user.valid_password?(password)
- end
-
- Gitlab::ShellEnv.set_env(user)
+
+ @user = authenticate(login, password)
+ return false unless @user
+
+ Gitlab::ShellEnv.set_env(@user)
 end
 
 # Git upload and receive
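Review bot: The client-supplied `login` goes straight into `Net::LDAP::Filter.eq(ldap.uid, login)`, and net-ldap's `eq` treats `*` in the value as a substring wildcard, so the filter does not necessarily select the entry whose uid equals the typed login. The following `bind_as` still requires the matched entry's password, so this affects which directory entry gets matched rather than whether a password is verified, but the lookup should be exact: `filter: Net::LDAP::Filter.eq(ldap.uid, Net::LDAP::Filter.escape(login)),` if the pinned net-ldap provides `Filter.escape`. The two comments carried over from grack_auth.rb read oddly in this new home ("if user is not authenticated" describes the old caller, not this method), and the method's contract is undocumented; a header such as `# Bind to LDAP with the given login/password; return the local User mapped to the bound DN, or nil.` would replace them.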
@@ -58,21 +49,35 @@ module Grack
 end
 end
 
+ def authenticate(login, password)
+ user = User.find_by_email(login) || User.find_by_username(login)
+
+ # If the provided login was not a known email or username
+ # then user is nil
+ if user.nil? || user.ldap_user?
+ # Second chance - try LDAP authentication
+ return nil unless ldap_conf.enabled
+
+ auth = Gitlab::Auth.new
+ auth.ldap_auth(login, password)
+ else
+ return user if user.valid_password?(password)
+ end
+ end
+
 def ldap_auth(login, password)
 # Check user against LDAP backend if user is not authenticated
 # Only check with valid login and password to prevent anonymous bind results
- gl = Gitlab.config
- if gl.ldap.enabled && !login.blank? && !password.blank?
- ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
- ldap_user = ldap.bind_as(
- filter: Net::LDAP::Filter.eq(ldap.uid, login),
- size: 1,
- password: password
- )
- if ldap_user
- self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
- end
- end
+ return nil unless ldap_conf.enabled && !login.blank? && !password.blank?
+
+ ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf)
+ ldap_user = ldap.bind_as(
+ filter: Net::LDAP::Filter.eq(ldap.uid, login),
+ size: 1,
+ password: password
+ )
+
+ User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap') if ldap_user
 end
 
 def validate_get_request
@@ -139,5 +144,9 @@ module Grack
 abilities
 end
 end
+
+ def ldap_conf
+ @ldap_conf ||= Gitlab.config.ldap
+ end
 end# Auth
 end# Grack
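Review bot: `authenticate` now delegates LDAP to `Gitlab::Auth.new.ldap_auth`, yet this hunk keeps a rewritten `ldap_auth` in `Grack::Auth` that is line-for-line the same as the one added to lib/gitlab/auth.rb (and the last hunk adds a matching duplicate `ldap_conf`); nothing visible here still calls the Grack copy, so the two implementations can silently drift — delegate to the shared one or drop the Grack copy. In the `else` branch a wrong password for a local user falls off the end of the `if` expression and returns nil implicitly, which is correct but easy to misread as a missing return; `user if user.valid_password?(password)` states the intent. The `user.nil? || user.ldap_user?` condition means an account flagged as LDAP-backed can no longer be authenticated with a locally stored password, which looks like the intended behaviour and is worth recording in the comment above it, e.g. `# LDAP-backed users must always authenticate against LDAP, never by local password`.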