Commit 976413ad authored by Douwe Maan's avatar Douwe Maan

Merge branch 'fj-22607-lowercase-usernames-from-ldap' into 'master'

Added ldap config setting to lower case usernames

Closes #22607

See merge request gitlab-org/gitlab-ce!16791
parents 7c8e7a8d cd461400
---
title: Added ldap config setting to lower case the username
merge_request: 16791
author:
type: added
......@@ -370,6 +370,9 @@ production: &base
first_name: 'givenName'
last_name: 'sn'
# If lowercase_usernames is enabled, GitLab will lower case the username.
lowercase_usernames: false
# GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to.
......
......@@ -151,6 +151,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
server['active_directory'] = true if server['active_directory'].nil?
server['attributes'] = {} if server['attributes'].nil?
server['lowercase_usernames'] = false if server['lowercase_usernames'].nil?
server['provider_name'] ||= "ldap#{key}".downcase
server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
......
......@@ -181,6 +181,10 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
first_name: 'givenName'
last_name: 'sn'
# If lowercase_usernames is enabled, GitLab will lower case the username.
lowercase_usernames: false
## EE only
# Base where we can search for groups
......@@ -290,6 +294,41 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for
themselves, they should check that their GitLab email address matches their
LDAP email address, and then sign into GitLab via their LDAP credentials.
## Enabling LDAP username lowercase
Some LDAP servers, depending on their configurations, can return uppercase usernames. This can lead to several confusing issues like, for example, creating links or namespaces with uppercase names.
GitLab can automatically lowercase usernames provided by the LDAP server by enabling
the configuration option `lowercase_usernames`. By default, this configuration option is `false`.
**Omnibus configuration**
1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
main:
# snip...
lowercase_usernames: true
EOS
```
2. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
**Source configuration**
1. Edit `config/gitlab.yaml`:
```yaml
production:
ldap:
servers:
main:
# snip...
lowercase_usernames: true
```
2. [Restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect.
## Encryption
### TLS Server Authentication
......
......@@ -7,6 +7,12 @@ module Gitlab
@uid ||= Gitlab::LDAP::Person.normalize_dn(super)
end
def username
super.tap do |username|
username.downcase! if ldap_config.lowercase_usernames
end
end
private
def get_info(key)
......
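Review bot: `username.downcase!` inside the `tap` block changes the string returned by `super` in place, so any object that still holds that string (presumably the underlying auth hash) is altered as a side effect, and a frozen string would raise. The `Person#username` hunk uses the same pattern. A non-mutating form keeps the normalisation local: `name = super` followed by `ldap_config.lowercase_usernames ? name&.downcase : name`. The block parameter also shadows the method name `username`; a short comment noting that case folding applies only to the username and not to the DN-based `uid` above would help the next reader. The class body continues outside the hunk.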
......@@ -139,6 +139,10 @@ module Gitlab
options['allow_username_or_email_login']
end
def lowercase_usernames
options['lowercase_usernames']
end
def name_proc
if allow_username_or_email_login
proc { |name| name.gsub(/@.*\z/, '') }
......
......@@ -82,7 +82,9 @@ module Gitlab
# be returned. We need only one for username.
# Ex. `uid` returns only one value but `mail` may
# return an array of multiple email addresses.
[username].flatten.first
[username].flatten.first.tap do |username|
username.downcase! if config.lowercase_usernames
end
end
def email
......
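Review bot: When the configured username attribute is absent from the entry, `[username].flatten.first` is `nil`, and with `lowercase_usernames` enabled the added `username.downcase!` raises `NoMethodError` where the old line returned `nil`. Guarding the call keeps the earlier behaviour for such entries: `name = [username].flatten.first` then `config.lowercase_usernames ? name&.downcase : name`. Whether `username` can actually be nil depends on the attribute lookup above the hunk, so confirm it there. The method's opening lines are outside the hunk.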
require 'spec_helper'
describe Gitlab::LDAP::AuthHash do
include LdapHelpers
let(:auth_hash) do
described_class.new(
OmniAuth::AuthHash.new(
......@@ -83,4 +85,26 @@ describe Gitlab::LDAP::AuthHash do
end
end
end
describe '#username' do
context 'if lowercase_usernames setting is' do
let(:given_uid) { 'uid=John Smith,ou=People,dc=example,dc=com' }
before do
raw_info[:uid] = ['JOHN']
end
it 'enabled the username attribute is lower cased' do
stub_ldap_config(lowercase_usernames: true)
expect(auth_hash.username).to eq 'john'
end
it 'disabled the username attribute is not lower cased' do
stub_ldap_config(lowercase_usernames: false)
expect(auth_hash.username).to eq 'JOHN'
end
end
end
end
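Review bot: Both new examples feed a single upper-case value (`raw_info[:uid] = ['JOHN']`), so nothing pins the behaviour when the username attribute is missing while the setting is enabled. The `Gitlab::LDAP::Person` spec hunk has the same gap. One more example that removes the attribute, calls `stub_ldap_config(lowercase_usernames: true)` and expects no exception would cover the path most likely to break at sign-in. The example names also read awkwardly when joined to the context string; `context 'when lowercase_usernames is enabled'` with `it 'lower-cases the username'` would be clearer.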
......@@ -139,6 +139,27 @@ describe Gitlab::LDAP::Person do
expect(person.username).to eq(attr_value)
end
end
context 'if lowercase_usernames setting is' do
let(:username_attribute) { 'uid' }
before do
entry[username_attribute] = 'JOHN'
@person = described_class.new(entry, 'ldapmain')
end
it 'enabled the username attribute is lower cased' do
stub_ldap_config(lowercase_usernames: true)
expect(@person.username).to eq 'john'
end
it 'disabled the username attribute is not lower cased' do
stub_ldap_config(lowercase_usernames: false)
expect(@person.username).to eq 'JOHN'
end
end
end
def assert_generic_test(test_description, got, expected)
......