Feature Request: Make git http access compatible with ldap authentication
Closed
Created by: sharpyy
It seems that the git http access currently does not work properly when using ldap authentication.
It would also be nice to have a way to enable/disable the 2 different protocols. Some people might want to only use http while others prefer to use the git protocol.
Thank you in advance.
Created by: elvanja
I've tried investigating how to implement this. Located the clone/push authorization logic in /lib/gitlab/backend/grack_auth.rb. It seemed easy enough, the flow would be something along the lines of:
- get user by username / email
- if user has providers, try authenticating with Devise
- otherwise see if the password matches
I believe this is quite enough. This part needs not create users from LDAP, just authenticate them if the user is of LDAP type. It means people will need to login once to Gitlab, but that is OK in my opinion.
I had trouble figuring out how this works. Correct me if I am wrong, but Grack route is the one that uses this code? If so, it bypasses Devise totally. Tried to figure out how to invoke Devise authentication but it seems that there is no easy way of doing this - Devise requires callback controller, which is outside of this code's scope.
The solutions that came to mind:
- somehow use Devise authentication outside of regular Rails controller scope
- use Omniauth directly
- use some other LDAP specific gem
- make Gitolite HTTP accessible: https://github.com/sitaramc/gitolite-doc/blob/master/contrib/ssh-and-http.mkd
Unfortunately, couldn't figure out a way to use any of those. I'd like to use Devise if possible, since it will ensure other providers behave the same (not just LDAP).
Also, haven't figured out why this auth code is called twice during an HTTP clone action?
I'd really like to help and wouldn't mind giving a hand, but am totally lost and some help or a push in the right direction would be great!
By Administrator on 2012-12-01T16:40:41 (imported from GitLab project)
Created by: elvanja
Found a way to enable LDAP authentication for HTTP.
- Fix for latest version: https://gist.github.com/4195057
- Fix for stable version: https://gist.github.com/4195080
The main idea is to use http://net-ldap.rubyforge.org/Net/LDAP.html to authenticate user directly against LDAP, while using Gitlab provided LDAP settings. Latest version assumes username for the User is filled in when user is added after first time login (or updated later). Stable fix works a bit differently, it first tries to authenticate user with LDAP and uses the provided user email to continue. More details can be found in the provided gists.
If you find this useful, I will create a pull request easily. The stable fix is currently operational in my organisation and it works nicely. Mind you, it would probably be best to unify access (ssh or http) and use the same providers in both cases, then this wouldn't be needed at all, but that is probably topic for another time and place.
Let me know how you feel about this :-)
By Administrator on 2012-12-03T13:42:45 (imported from GitLab project)
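The flow outlined in this thread (look up the user, bind against LDAP for LDAP accounts, otherwise check the local password), as an added Ruby example that is not taken from the linked gists or from GitLab's code. The function names, user table, DNs and host name are hypothetical; the empty-password guard is included because a simple bind with no password is an unauthenticated bind that some directories report as success.

```ruby
# Added example: HTTP Basic credentials -> LDAP bind or local password check.
# The user table, DNs and host name are constructed placeholders.

# Split an "Authorization: Basic ..." value into [login, password]; nil if malformed.
def parse_basic_auth(header)
  scheme, encoded = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp('basic')&.zero? && encoded
  login, password = encoded.unpack1('m').force_encoding('UTF-8').split(':', 2)
  return nil if login.nil? || login.empty? || password.nil?
  [login, password]
end

# Returns the authenticated login, or nil. `ldap_bind` is any callable
# (dn, password) -> true/false, so the directory can be swapped or stubbed.
def authenticate_git_http(header, users, ldap_bind)
  login, password = parse_basic_auth(header)
  return nil if login.nil?
  # A simple bind with an empty password is an "unauthenticated bind"
  # (RFC 4513, 5.1.2); some servers answer it with success. Reject it here.
  return nil if password.empty?
  user = users[login]
  return nil unless user
  ok = if user[:ldap_dn]
         ldap_bind.call(user[:ldap_dn], password) # LDAP-provisioned account
       else
         user[:local_check].call(password)        # stand-in for the local password check
       end
  ok ? login : nil
end

# Binder backed by the net-ldap gem the post names; loaded only when called.
NET_LDAP_BIND = lambda do |dn, password|
  require 'net/ldap'
  Net::LDAP.new(host: 'ldap.example.org', port: 636, encryption: :simple_tls,
                auth: { method: :simple, username: dn, password: password }).bind
end

# Constructed sample data, plus a stub directory that, like a permissive
# server, reports success for an empty password.
SAMPLE_USERS = {
  'alice' => { ldap_dn: 'uid=alice,ou=people,dc=example,dc=org' },
  'bob'   => { local_check: ->(pw) { pw == 'bob-local-pw' } }
}.freeze
STUB_BIND = ->(dn, pw) { pw.empty? || (dn.start_with?('uid=alice,') && pw == 'alice-ldap-pw') }

def basic_header(login, password)
  'Basic ' + ["#{login}:#{password}"].pack('m0')
end
```

Pass `NET_LDAP_BIND` instead of `STUB_BIND` to bind against a real directory; the stub exists so the empty-password case can be exercised offline.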
Created by: elvanja
Sure thing, opened up pull request https://github.com/gitlabhq/gitlabhq/pull/2167. Let me know how it goes...
By Administrator on 2012-12-04T10:20:48 (imported from GitLab project)
Created by: senny
We don't use the Github issue tracker for feature requests. Please use http://feedback.gitlab.com/ for this purpose. Have a look at the contribution guidelines for more information.
I'm closing this one as it is a feature request. We still have the PRs to remind us.
By Administrator on 2013-04-18T09:09:40 (imported from GitLab project)