Closed
Open
Created Jan 15, 2013 by Administrator (@root, Owner)

LDAP Authentication in /Session endpoint of API

Created by: mphuff

Hi--

Currently, the API does not support LDAP authentication when trying to make a POST request to the /sessions endpoint, for example. As a result, because our GitLab installation is solely using LDAP, we cannot authenticate users in automated scripts.

The RESTful API should support LDAP authentication as well as the standard authentication when requests are made.

I understand that the API in general uses the private_token value for each and every request. The ONE exception to this is this signature: "POST /session", which is meant to "authenticate" a user. Currently, the only authentication that is performed is with the call to "User.find_for_database_authentication". I would propose that instead of returning unauthorized solely after checking this call, we would also check to see a) if LDAP is enabled and b) if it is enabled, whether the value for email exists in LDAP and the password matches in LDAP.

The problem we are facing is that all of our users are configured as LDAP users, but when we try to allow them to authenticate via command-line scripts that we are using, they cannot because the API does not allow us to authenticate them using their LDAP credentials. Our goal is for them to authenticate so that our script can get their private_token value and make all subsequent requests using that token rather than some hard-coded value.

It may not be a bad idea either to include an optional parameter in the POST request that would indicate whether or not we should fall back to LDAP authentication (ldap_authenticate for example).

I am opening this issue here but I would be happy to make this feature enhancement and open a pull request for it.

Thank you, Micah
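
A sketch of the fallback order proposed in this issue, added here as an example; it is not GitLab's code or the reporter's patch. It tries the database check first, then an LDAP bind only when LDAP is enabled, and rejects blank credentials up front because some directory servers report success for a simple bind with an empty password (the unauthenticated bind of RFC 4513). All class, method and account names are hypothetical, and the user table and directory are constructed in-memory stubs.

```ruby
# Added example: every name below is hypothetical; nothing here is GitLab code.
# Constructed stand-ins for the users table and the LDAP directory.
# Passwords are plaintext only because these are in-memory stubs.
DB_USERS   = { 'local@example.com' => { password: 'local-pass', private_token: 'tok-local' } }.freeze
LDAP_USERS = { 'ldap@example.com'  => { password: 'ldap-pass',  private_token: 'tok-ldap' } }.freeze

DB_AUTH = lambda do |login, password|
  user = DB_USERS[login]
  user if user && user[:password] == password
end

# Stub that mimics a directory accepting an "unauthenticated" simple bind:
# a known entry plus an empty password is reported as success.
LAX_LDAP_BIND = lambda do |login, password|
  user = LDAP_USERS[login]
  user if user && (password.empty? || user[:password] == password)
end

class SessionAuthenticator
  def initialize(db_auth:, ldap_bind:, ldap_enabled:)
    @db_auth = db_auth
    @ldap_bind = ldap_bind
    @ldap_enabled = ldap_enabled
  end

  # Returns the private_token on success, nil on every kind of failure so the
  # caller can answer 401 without revealing which check rejected the request.
  def authenticate(login, password)
    login = login.to_s.strip
    password = password.to_s
    # Reject blanks before any backend sees them (see LAX_LDAP_BIND above).
    return nil if login.empty? || password.empty?

    user = @db_auth.call(login, password)                       # existing behaviour
    user ||= @ldap_bind.call(login, password) if @ldap_enabled  # proposed fallback
    user && user[:private_token]
  end
end

def build_authenticator(ldap_enabled:)
  SessionAuthenticator.new(db_auth: DB_AUTH, ldap_bind: LAX_LDAP_BIND, ldap_enabled: ldap_enabled)
end

auth = build_authenticator(ldap_enabled: true)
puts auth.authenticate('ldap@example.com', 'ldap-pass').inspect
puts auth.authenticate('ldap@example.com', '').inspect
```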
