gitlab authentication using HTTP_REMOTE_USER environment variable

I've recently been butting my head up against the very same problem, but I've managed to get it to work. This is a very hacky solution, so you may want to refine it yourself. I make use of LDAP to provide the email address and user account information, taking the user name from the HTTP_REMOTE_USER variable, which is populated by Kerberos via Apache.

The following works off a clean install of gitlab with apache running as the webserver. LDAP omniauth should be enabled and properly configured.

First off, we have to make the header available to Ruby, so in the virtual host (httpd.conf) add the line:

  RequestHeader set REMOTE-USER %{REMOTE_USER}s

After that, I modified a few files to make this work. First up: /home/git/gitlab/vendor/bundle/ruby/2.0.0/gems/gitlab_omniauth-ldap-1.0.3/lib/omniauth/strategies/ldap.rb

I modified lines 43-49 to read:

      # Dont allow blank password for ldap auth
      #if request['username'].nil? || request['username'].empty? || request['password'].nil? || request['password'].empty?
      #  raise MissingCredentialsError.new(env.to_a)#"Missing login credentials")
      #end

      # Username comes from the REMOTE-USER header Apache sets (realm after '@' dropped);
      # fail closed if the header is missing instead of raising on nil.
      remote_user = request.env['HTTP_REMOTE_USER'].to_s
      return fail!(:invalid_credentials) if remote_user.empty?
      # Look the user up by uid, binding with a dedicated service account's credentials.
      @ldap_user_info = @adaptor.bind_as(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @options[:name_proc].call(remote_user.split('@')[0])),
                                         :size => 1, :username => "__ldap-user__", :password => "__User-Password__")
      return fail!(:invalid_credentials) if !@ldap_user_info

Replace __ldap-user__ and __User-Password__ with the credentials for a gitlab user I made for LDAP.

We then need to allow the bind_as function to take a username. I modified lines 86-86 of /home/git/gitlab/vendor/bundle/ruby/2.0.0/gems/gitlab_omniauth-ldap-1.0.3/lib/omniauth-ldap/adaptor.rb to read:

  # Bind with the given :username/:password (the service account above) and return
  # the first entry matching the search args, or false if nothing matched or the
  # bind failed. The entry's own dn is no longer used for the bind.
  def bind_as(args = {})
    result = false
    @connection.open do |me|
      rs = me.search args
      if rs and rs.first and dn = rs.first.dn
        password = args[:password]
        username = args[:username]
        method = args[:method] || @method
        password = password.call if password.respond_to?(:call)
        if method == 'sasl'
          result = rs.first if me.bind(sasl_auths({:username => username, :password => password}).first)
        else
          result = rs.first if me.bind(:method => :simple, :username => username,
                                       :password => password)
        end
      end
    end
    result
  end

And finally, I modified the LDAP login dialogue to send the page straight to the callback by deleting everything in /home/git/gitlab/app/views/devise/sessions/_new_ldap.html.haml and adding:

%script
  window.location.href = '/users/auth/ldap/callback'

I hope this helps!

Warning: if the mail attribute is not set in the user's LDAP entry, the script will loop.
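As an added example (not code from the answer above or from GitLab), here is the header-to-filter step of the modified ldap.rb written to fail closed: a missing or malformed REMOTE-USER header becomes an invalid-credentials result rather than a nil error, and the uid is escaped before it is placed in the LDAP filter. The method names, the principal pattern and the Rack env hashes are assumptions for this example; the real strategy would hand the filter string to Net::LDAP instead of returning it.

```ruby
# Added example, not part of the original answer. Names (remote_user_uid,
# ldap_filter_escape, lookup_filter, callback_decision) and the allowed
# character set are assumptions made for this illustration.

# Accept only principals of the form "user" or "user@REALM" with a conservative
# character set; anything else counts as "no usable header" so the strategy
# fails the login instead of crashing on nil or passing odd input to LDAP.
PRINCIPAL_RE = /\A([A-Za-z0-9][A-Za-z0-9._-]{0,63})(?:@[A-Za-z0-9.-]+)?\z/

# Returns the uid portion of HTTP_REMOTE_USER (realm stripped, as the answer's
# split('@')[0] does) or nil when the header is absent, blank or malformed.
def remote_user_uid(env)
  raw = env['HTTP_REMOTE_USER']
  return nil if raw.nil? || raw.strip.empty?
  m = PRINCIPAL_RE.match(raw.strip)
  m && m[1]
end

# RFC 4515 escaping so a value can never be read as filter syntax
# ("*" as a wildcard, "(" / ")" as grouping, "\" as an escape).
# With the allowlist above this is belt-and-braces, but it keeps the filter
# builder safe on its own.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Builds the equality filter that the answer's bind_as call sends to LDAP.
def lookup_filter(uid_attr, uid)
  "(#{uid_attr}=#{ldap_filter_escape(uid)})"
end

# Mirrors the decision made in the modified callback: a filter string to look
# the user up with, or :invalid_credentials when the header cannot be used.
def callback_decision(env, uid_attr = 'uid')
  uid = remote_user_uid(env)
  return :invalid_credentials unless uid
  lookup_filter(uid_attr, uid)
end

# Constructed Rack env hashes standing in for what Apache would pass through.
if __FILE__ == $0
  puts callback_decision('HTTP_REMOTE_USER' => 'alice@EXAMPLE.ORG')
  puts callback_decision({}).inspect
end
```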