Commit 976413ad authored by Douwe Maan's avatar Douwe Maan

Merge branch 'fj-22607-lowercase-usernames-from-ldap' into 'master'

Added ldap config setting to lower case usernames

Closes #22607

See merge request gitlab-org/gitlab-ce!16791
parents 7c8e7a8d cd461400
---
title: Added ldap config setting to lower case the username
merge_request: 16791
author:
type: added
...@@ -370,6 +370,9 @@ production: &base ...@@ -370,6 +370,9 @@ production: &base
first_name: 'givenName' first_name: 'givenName'
last_name: 'sn' last_name: 'sn'
# If lowercase_usernames is enabled, GitLab will lower case the username.
lowercase_usernames: false
# GitLab EE only: add more LDAP servers # GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to. # so that GitLab can remember which LDAP server a user belongs to.
......
...@@ -151,6 +151,7 @@ if Settings.ldap['enabled'] || Rails.env.test? ...@@ -151,6 +151,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil? server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
server['active_directory'] = true if server['active_directory'].nil? server['active_directory'] = true if server['active_directory'].nil?
server['attributes'] = {} if server['attributes'].nil? server['attributes'] = {} if server['attributes'].nil?
server['lowercase_usernames'] = false if server['lowercase_usernames'].nil?
server['provider_name'] ||= "ldap#{key}".downcase server['provider_name'] ||= "ldap#{key}".downcase
server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name']) server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
......
...@@ -181,6 +181,10 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server ...@@ -181,6 +181,10 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
first_name: 'givenName' first_name: 'givenName'
last_name: 'sn' last_name: 'sn'
# If lowercase_usernames is enabled, GitLab will lower case the username.
lowercase_usernames: false
## EE only ## EE only
# Base where we can search for groups # Base where we can search for groups
...@@ -290,6 +294,41 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for ...@@ -290,6 +294,41 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for
themselves, they should check that their GitLab email address matches their themselves, they should check that their GitLab email address matches their
LDAP email address, and then sign into GitLab via their LDAP credentials. LDAP email address, and then sign into GitLab via their LDAP credentials.
## Enabling LDAP username lowercase
Some LDAP servers, depending on their configurations, can return uppercase usernames. This can lead to several confusing issues like, for example, creating links or namespaces with uppercase names.
GitLab can automatically lowercase usernames provided by the LDAP server by enabling
the configuration option `lowercase_usernames`. By default, this configuration option is `false`.
**Omnibus configuration**
1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
main:
# snip...
lowercase_usernames: true
EOS
```
2. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
**Source configuration**
1. Edit `config/gitlab.yaml`:
```yaml
production:
ldap:
servers:
main:
# snip...
lowercase_usernames: true
```
2. [Restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect.
## Encryption ## Encryption
### TLS Server Authentication ### TLS Server Authentication
......
...@@ -7,6 +7,12 @@ module Gitlab ...@@ -7,6 +7,12 @@ module Gitlab
@uid ||= Gitlab::LDAP::Person.normalize_dn(super) @uid ||= Gitlab::LDAP::Person.normalize_dn(super)
end end
def username
super.tap do |username|
username.downcase! if ldap_config.lowercase_usernames
end
end
private private
def get_info(key) def get_info(key)
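Review bot: `username.downcase!` inside the `tap` block of the new `username` override edits the string returned by `super` in place, so it raises if that value is ever nil or frozen and it alters an object other code may still hold. The `Gitlab::LDAP::Person` hunk further down adds the same pattern, and there the failure is visible: `[username].flatten.first` is nil when the attribute has no value, so with `lowercase_usernames` on the method raises NoMethodError where it used to return nil. A non-mutating form covers both places, e.g. `name = super` followed by `ldap_config.lowercase_usernames && name ? name.downcase : name` (using `config` and `[username].flatten.first` in Person). This also drops the block parameter that shadows `username`. What `super` returns is not visible in this hunk, so the nil case for this override is an assumption to confirm; the Person method starts above its hunk.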
......
...@@ -139,6 +139,10 @@ module Gitlab ...@@ -139,6 +139,10 @@ module Gitlab
options['allow_username_or_email_login'] options['allow_username_or_email_login']
end end
def lowercase_usernames
options['lowercase_usernames']
end
def name_proc def name_proc
if allow_username_or_email_login if allow_username_or_email_login
proc { |name| name.gsub(/@.*\z/, '') } proc { |name| name.gsub(/@.*\z/, '') }
......
...@@ -82,7 +82,9 @@ module Gitlab ...@@ -82,7 +82,9 @@ module Gitlab
# be returned. We need only one for username. # be returned. We need only one for username.
# Ex. `uid` returns only one value but `mail` may # Ex. `uid` returns only one value but `mail` may
# return an array of multiple email addresses. # return an array of multiple email addresses.
[username].flatten.first [username].flatten.first.tap do |username|
username.downcase! if config.lowercase_usernames
end
end end
def email def email
......
require 'spec_helper' require 'spec_helper'
describe Gitlab::LDAP::AuthHash do describe Gitlab::LDAP::AuthHash do
include LdapHelpers
let(:auth_hash) do let(:auth_hash) do
described_class.new( described_class.new(
OmniAuth::AuthHash.new( OmniAuth::AuthHash.new(
...@@ -83,4 +85,26 @@ describe Gitlab::LDAP::AuthHash do ...@@ -83,4 +85,26 @@ describe Gitlab::LDAP::AuthHash do
end end
end end
end end
describe '#username' do
context 'if lowercase_usernames setting is' do
let(:given_uid) { 'uid=John Smith,ou=People,dc=example,dc=com' }
before do
raw_info[:uid] = ['JOHN']
end
it 'enabled the username attribute is lower cased' do
stub_ldap_config(lowercase_usernames: true)
expect(auth_hash.username).to eq 'john'
end
it 'disabled the username attribute is not lower cased' do
stub_ldap_config(lowercase_usernames: false)
expect(auth_hash.username).to eq 'JOHN'
end
end
end
end end
...@@ -139,6 +139,27 @@ describe Gitlab::LDAP::Person do ...@@ -139,6 +139,27 @@ describe Gitlab::LDAP::Person do
expect(person.username).to eq(attr_value) expect(person.username).to eq(attr_value)
end end
end end
context 'if lowercase_usernames setting is' do
let(:username_attribute) { 'uid' }
before do
entry[username_attribute] = 'JOHN'
@person = described_class.new(entry, 'ldapmain')
end
it 'enabled the username attribute is lower cased' do
stub_ldap_config(lowercase_usernames: true)
expect(@person.username).to eq 'john'
end
it 'disabled the username attribute is not lower cased' do
stub_ldap_config(lowercase_usernames: false)
expect(@person.username).to eq 'JOHN'
end
end
end end
def assert_generic_test(test_description, got, expected) def assert_generic_test(test_description, got, expected)
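Review bot: The new context builds `@person` in `before` and stubs the LDAP config only afterwards inside each `it`, so both examples pass only while the config is looked up lazily when `username` is called. A `let(:person) { described_class.new(entry, 'ldapmain') }` used after `stub_ldap_config(...)` makes the order explicit and avoids the instance variable. Neither this context nor the `#username` examples added to the `Gitlab::LDAP::AuthHash` spec cover an entry with no value for the username attribute while `lowercase_usernames: true`; an example such as `expect(person.username).to be_nil` for that case would pin the behaviour during sign-in.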
......