
WIP: Pass thru omniauth options from gitlab configuration file to LDAP adapter

David Kleszyk requested to merge dkleszyk/gitlab:21589-ldap-sasl-bind into master

What does this MR do?

Part of a fix for gitlab#21589. The omniauth side is covered by omniauth-ldap!17 (closed).

The omniauth LDAP adapter (theoretically) supports SASL authentication, and the use of SASL is mentioned in the gitlab docs. However, the current LDAP config sequence does not set the necessary options.

This MR updates the LDAP config sequence to pass additional configuration keys from gitlab.rb to the omniauth LDAP adapter.

The list of keys to pass through is decoupled from the full list of keys supported by the omniauth ldap module. This is meant to provide flexibility for gitlab.rb; however, it does introduce a maintenance burden (if the omniauth ldap module is updated, config.rb will have to be kept in sync).

/cc @dblessing

/cc @gitlab-com/gl-security/appsec

This MR affects LDAP authentication.


Does this MR meet the acceptance criteria?


Availability and Testing

There is a chance that this will break LDAP authentication for users who had specified :try_sasl in gitlab.rb, expecting it to work. Before this fix, binds would silently succeed as simple binds. After this fix, SASL binds may fail until other configuration options are updated.

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
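The pass-through the MR describes, as an added example (not omnibus-gitlab's or omniauth-ldap's own code): an explicit allowlist of gitlab.rb LDAP keys is forwarded to the adapter options, keys outside the allowlist are reported rather than silently dropped, and a consistency check flags the failure mode noted under Availability and Testing (`try_sasl` set without the options a SASL bind needs). The key names, the `DIGEST-MD5` mechanism name and the requirement that it needs `bind_dn`/`password` are assumptions modelled on omniauth-ldap; verify them against the adapter version actually in use. The sample server block is constructed for the example.

```ruby
# Added example, not omnibus-gitlab's own config.rb. Key names and the
# DIGEST-MD5 requirement are assumptions modelled on omniauth-ldap.

# Allowlist of gitlab.rb keys forwarded to the omniauth-ldap adapter.
# This list is the part that must be kept in sync with the adapter.
LDAP_PASSTHRU_KEYS = %i[
  host port method base uid bind_dn password
  try_sasl sasl_mechanisms allow_anonymous
].freeze

# Build the adapter options hash from one server block in gitlab.rb.
# Only allowlisted, non-nil keys are forwarded; string keys become symbols.
def ldap_adapter_options(server_cfg, allowed = LDAP_PASSTHRU_KEYS)
  server_cfg.each_with_object({}) do |(key, value), opts|
    sym = key.to_sym
    next unless allowed.include?(sym)
    next if value.nil?
    opts[sym] = value
  end
end

# Keys present in gitlab.rb that would NOT reach the adapter. Logging these
# at reconfigure time avoids the "try_sasl silently ignored, bind silently
# succeeds as a simple bind" situation the MR describes.
def dropped_ldap_keys(server_cfg, allowed = LDAP_PASSTHRU_KEYS)
  server_cfg.keys.map(&:to_sym).reject { |k| allowed.include?(k) }
end

# Returns a list of human-readable problems; empty means the SASL-related
# options are consistent. Only meaningful when try_sasl is set.
def sasl_config_problems(opts)
  problems = []
  return problems unless opts[:try_sasl]

  mechs = Array(opts[:sasl_mechanisms])
  if mechs.empty?
    problems << "try_sasl is set but sasl_mechanisms is empty"
  end
  # Assumption: DIGEST-MD5 in omniauth-ldap authenticates with bind_dn/password.
  if mechs.include?("DIGEST-MD5") &&
     (opts[:bind_dn].to_s.empty? || opts[:password].to_s.empty?)
    problems << "DIGEST-MD5 needs bind_dn and password"
  end
  problems
end

# Constructed sample shaped like one entry of gitlab_rails['ldap_servers'].
# It has try_sasl set but no sasl_mechanisms, i.e. the broken case.
SAMPLE_SERVER = {
  'host'      => 'ldap.example.com',
  'port'      => 389,
  'method'    => 'plain',
  'base'      => 'dc=example,dc=com',
  'uid'       => 'sAMAccountName',
  'bind_dn'   => 'cn=svc-gitlab,ou=svc,dc=example,dc=com',
  'password'  => 'redacted',
  'try_sasl'  => true,
  'label'     => 'Corporate LDAP' # GitLab-only key, not an adapter option
}.freeze

if __FILE__ == $PROGRAM_NAME
  opts = ldap_adapter_options(SAMPLE_SERVER)
  puts "forwarded: #{opts.keys.sort.inspect}"
  puts "dropped:   #{dropped_ldap_keys(SAMPLE_SERVER).inspect}"
  sasl_config_problems(opts).each { |p| puts "problem: #{p}" }
end
```

Running the script on the sample reports `label` as dropped and one problem (`try_sasl` without `sasl_mechanisms`); adding `'sasl_mechanisms' => ['DIGEST-MD5']` to the block clears it. Surfacing both lists during reconfigure is what turns a silent fallback to a simple bind into a visible configuration error.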
