Ensure consistent behavior when LDAP encryption config missing

Drew Blessing requested to merge dblessing_fix_ldap_enc_config into master

What does this MR do and why?

Ensure consistent behavior when LDAP encryption config missing

Before this change, if the instance did not configure an LDAP encryption config value, web UI sign in via OmniAuth may work because OmniAuth LDAP defaults to the plain encryption type. However, sign in via Git over HTTPS may fail with a 500 error because encryption is missing. This change defaults the encryption configuration to plain to ensure consistency between web UI sign in and Git over HTTPS.

For Web UI LDAP authentication, LDAP OmniAuth strategy defaults the encryption method to plain when not present. Note: method is the config option name in the OmniAuth LDAP Strategy. method and encryption can be used interchangeably, although method is deprecated. That's why we use encryption now. Don't worry about the config name difference here.

For Git authentication GitLab builds an OmniAuth LDAP adaptor and passes omniauth_options from Ldap::Config which is what's updated in this MR. Therefore, now encryption: 'plain' will be passed when building this OmniAuth LDAP adaptor.

Fixing this after seeing a user with the problem on Reddit. A quick Google search shows a handful of posts on StackOverflow and GitLab Forum over the last few years, but to my knowledge that never was captured as a GitLab issue.

How to set up and validate locally

  1. Configure your GDK for LDAP - https://gitlab.com/gitlab-org/gitlab-development-kit/blob/main/doc/howto/ldap.md.
  2. Test that web sign in works. Load the sign in page, select the LDAP tab, and sign in with the GDK LDAP test account john and password password.
  3. Test that Git over HTTPS works by cloning a private project in your GDK: git clone https://john@gdk.test:3443/gitlab-org/gitlab-shell.git and you'll be prompted for a password.
  4. Remove encryption: 'plain' from your GDK LDAP configuration and restart rails-web.
  5. Complete steps 2 and 3 again and note that a 500 occurs if you're running on master or that it works successfully if you're running code in this MR.

Edited by Drew Blessing
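The inconsistency the MR describes, as an added Ruby example that is not GitLab's own code: a "before" option builder that passes a missing encryption value through as nil, an "after" builder that defaults it to 'plain' (and honours the deprecated method key), and a simulated adaptor constructor that, like the failing Git-over-HTTPS path, refuses to build without an explicit encryption method. The key names, the accepted encryption values and the adaptor itself are assumptions for illustration.

```ruby
# Added example; not GitLab's Ldap::Config or OmniAuth's LDAP strategy.
# All key names and accepted values below are assumptions for illustration.

# Assumed set of accepted encryption methods. 'plain' is cleartext LDAP,
# so defaulting to it is about consistency, not about hardening.
ENCRYPTION_METHODS = %w[plain simple_tls start_tls].freeze
DEFAULT_ENCRYPTION = 'plain'

# Simulated adaptor constructor standing in for the Git-over-HTTPS path:
# it cannot build a connection without an explicit, supported method.
def build_adaptor(opts)
  enc = opts[:encryption]
  raise ArgumentError, 'encryption method is required' if enc.nil?
  unless ENCRYPTION_METHODS.include?(enc.to_s)
    raise ArgumentError, "unsupported encryption method: #{enc.inspect}"
  end
  { host: opts[:host], port: opts[:port], encryption: enc.to_s }
end

# Before the fix: whatever the server config holds is passed through,
# so a missing key becomes encryption: nil and the adaptor build fails.
def omniauth_options_before(server_config)
  cfg = server_config.transform_keys(&:to_s)
  { host: cfg['host'], port: cfg['port'], encryption: cfg['encryption'] }
end

# After the fix: prefer `encryption`, fall back to the deprecated `method`
# key, and otherwise default to 'plain' so both sign-in paths agree.
def omniauth_options_after(server_config)
  cfg = server_config.transform_keys(&:to_s)
  encryption = cfg['encryption'] || cfg['method']
  if encryption.nil?
    # Surface the silent default so operators notice cleartext LDAP.
    warn "LDAP server #{cfg['host']}: no encryption configured, defaulting to #{DEFAULT_ENCRYPTION}"
    encryption = DEFAULT_ENCRYPTION
  end
  { host: cfg['host'], port: cfg['port'], encryption: encryption.to_s }
end

# True when the simulated adaptor can be built from the given options.
def adaptor_builds?(opts)
  build_adaptor(opts)
  true
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample config with the encryption key omitted.
  sample = { 'host' => 'ldap.example.test', 'port' => 389 }
  puts "before fix builds? #{adaptor_builds?(omniauth_options_before(sample))}"
  puts "after fix builds?  #{adaptor_builds?(omniauth_options_after(sample))}"
end
```

Both builders are fed the same config hash; only the "after" variant yields an options hash the adaptor accepts, which is the consistency the MR restores. An unsupported value is still rejected in both cases, so the default does not mask a typo in the configuration.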
