Skip to content

Fix admin mode when authenticating with LDAP

Drew Blessing requested to merge dblessing_ldap_admin_mode_fix into master

What does this MR do?

Fixes #331108 (closed)

The LDAP spec says that DNs are case-insensitive and that whitespace doesn't matter. Sometimes LDAP servers do weird things and return DNs in differing cases or with differing whitespace. In GitLab we normalize DNs before storing and should similarly always do case-insentive, normalized lookups.

This changes the User#matches_identity? method to use the existing scope which does these things.

Rails console examples:

Before:

user.matches_identity?('ldapmain','uid=john,ou=people,dc=example,dc=com')
=> true
user.matches_identity?('ldapmain','uid=john,ou=people,dc=example, dc=com')
=> false
user.matches_identity?('ldapmain','uid=john,ou=people,dc=example,DC=com')
=> false

After:

user.matches_identity?('ldapmain','uid=john,ou=people,dc=example,dc=com')
=> true
user.matches_identity?('ldapmain','uid=john,ou=people,dc=example, dc=com')
=> true
user.matches_identity?('ldapmain','uid=john,ou=people,dc=example,DC=com')
=> true

SQL Query:

Before:

SELECT
    1 AS one
FROM
    "identities"
WHERE
    "identities"."user_id" = 104
    AND "identities"."provider" = 'ldapmain'
    AND "identities"."extern_uid" = 'uid=john,ou=people,dc=example, dc=com'
LIMIT 1

After:

SELECT
    1 AS one
FROM
    "identities"
WHERE
    "identities"."user_id" = 104
    AND (LOWER("identities"."extern_uid") = LOWER('uid=john,ou=people,dc=example,dc=com'))
    AND "identities"."provider" = 'ldapmain'
LIMIT 1

Screenshots (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Drew Blessing

Merge request reports

Loading