Merge pull request #3758 from fredowski/master

Authenticate LDAP users in the grack module - fixed problems - tested code

lib/gitlab/backend/grack_auth.rb

 require_relative 'shell_env'
+require 'omniauth-ldap'
 
 module Grack
   class Auth < Rack::Auth::Basic
@@ -32,8 +33,18 @@ module Grack
         # Authentication with username and password
         login, password = @auth.credentials
         self.user = User.find_by_email(login) || User.find_by_username(login)
-        return false unless user.try(:valid_password?, password)
 
+        # If the provided login was not a known email or username
+        # then user is nil
+        if user.nil? 
+          # Second chance - try LDAP authentication
+          return false unless Gitlab.config.ldap.enabled         
+          ldap_auth(login,password)
+          return false unless !user.nil?
+        else
+          return false unless user.valid_password?(password)
+        end
+           
         Gitlab::ShellEnv.set_env(user)
       end
 
@@ -47,6 +58,23 @@ module Grack
       end
     end
 
+    def ldap_auth(login, password)
+      # Check user against LDAP backend if user is not authenticated
+      # Only check with valid login and password to prevent anonymous bind results
+      gl = Gitlab.config
+      if gl.ldap.enabled && !login.blank? && !password.blank?
+        ldap = OmniAuth::LDAP::Adaptor.new(gl.ldap)
+        ldap_user = ldap.bind_as(
+          filter: Net::LDAP::Filter.eq(ldap.uid, login),
+          size: 1,
+          password: password
+        )
+        if ldap_user
+          self.user = User.find_by_extern_uid_and_provider(ldap_user.dn, 'ldap')
+        end
+      end
+    end
+
     def validate_get_request
       project.public || can?(user, :download_code, project)
     end