Commit bc8a875df1609728f1c7674abef46c01168a0d20 (1 parent: 4c47a89f). Exists in master and in 4 other branches.
When looking up a user by DN, use single scope
The blocked? method is used to check whether a user exists in LDAP. Prior to this change, if the LDAP server had more objects below the one pointed to by the DN, those objects would also be picked up by the search, causing the method to determine the user should be blocked. One case where this can happen is when using Active Directory and a user has a mobile phone assigned. In this case, Exchange will add an entry called ExchangeActiveSyncDevices under the user's entry. The user-visible behaviour is then that a user loses Gitlab access when he enables a mobile device. This fix sets the search scope to BaseObject in order to ensure that only the user itself is returned.
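The scope behaviour described in the commit message above, as an added example that is not part of this commit or of GitLab's code: a small in-memory model of LDAP search scopes (base, one-level, subtree) and a server-side size limit, used to show why a subtree search rooted at a user's DN reports the user as absent once a child entry such as ExchangeActiveSyncDevices exists, and why base scope does not. The function names `blocked_old`, `blocked_fixed` and `blocked_strict`, the directory entries, and the "nil on any non-success result code" behaviour (assumed here to match the net-ldap releases of that period) are all constructed for the example.

```ruby
# Added example, not GitLab's code: models LDAP search scopes over an
# in-memory directory to show why a subtree search under a user's DN can
# misreport the user as absent once child entries exist.

# LDAP result codes we model (numeric values as in RFC 4511).
SUCCESS = 0
SIZE_LIMIT_EXCEEDED = 4

# Normalize a DN into an array of RDNs (leaf first, suffix last), case-folded,
# so "CN=Alice, OU=People, DC=example, DC=com" equals its lowercase form.
# Simplified on purpose: no escaped commas or multi-valued RDNs.
def rdns(dn)
  dn.split(",").map { |rdn| rdn.strip.downcase }
end

# True when +dn+ lies within +base+ under the given scope.
#   :base -> only the base entry itself
#   :one  -> only the immediate children of the base entry
#   :sub  -> the base entry and everything beneath it
def in_scope?(dn, base, scope)
  d = rdns(dn)
  b = rdns(base)
  return false unless d.length >= b.length && d.last(b.length) == b
  depth = d.length - b.length
  case scope
  when :base then depth.zero?
  when :one  then depth == 1
  when :sub  then true
  else raise ArgumentError, "unknown scope #{scope.inspect}"
  end
end

# Minimal server: returns [entries, result_code]. Like a real server, when
# more entries match than +size+ allows it truncates the result set and
# reports sizeLimitExceeded instead of success.
def ldap_search(directory, base:, scope:, size: 0)
  matches = directory.select { |dn| in_scope?(dn, base, scope) }
  if size > 0 && matches.length > size
    [matches.first(size), SIZE_LIMIT_EXCEEDED]
  else
    [matches, SUCCESS]
  end
end

# Pre-fix behaviour: subtree scope with size 1. Any non-success result code
# makes the client return nil (assumed old net-ldap behaviour), and
# nil.blank? is true, so the caller concludes the user does not exist.
def blocked_old(directory, dn)
  entries, code = ldap_search(directory, base: dn, scope: :sub, size: 1)
  result = code == SUCCESS ? entries : nil
  result.nil? || result.empty?
end

# With the fix: base scope can only ever return the entry at +dn+ itself,
# so child entries can no longer trip the size limit.
def blocked_fixed(directory, dn)
  entries, code = ldap_search(directory, base: dn, scope: :base, size: 1)
  result = code == SUCCESS ? entries : nil
  result.nil? || result.empty?
end

# Hardened variant: distinguish "no entry" (block) from "search failed",
# so a transient directory error is not silently turned into a lockout.
def blocked_strict(directory, dn)
  entries, code = ldap_search(directory, base: dn, scope: :base, size: 1)
  raise "LDAP search failed with result code #{code}" unless code == SUCCESS
  entries.empty?
end

# Constructed sample directory: Alice has an Exchange ActiveSync child entry
# beneath her own DN, Bob has none, and Carol has been removed entirely.
DIRECTORY = [
  "CN=Alice,OU=People,DC=example,DC=com",
  "CN=ExchangeActiveSyncDevices,CN=Alice,OU=People,DC=example,DC=com",
  "CN=Bob,OU=People,DC=example,DC=com",
].freeze

if __FILE__ == $PROGRAM_NAME
  alice = "cn=alice,ou=people,dc=example,dc=com"
  puts "old   blocked?(alice) => #{blocked_old(DIRECTORY, alice)}"    # true (wrongly blocked)
  puts "fixed blocked?(alice) => #{blocked_fixed(DIRECTORY, alice)}"  # false
  puts "fixed blocked?(carol) => #{blocked_fixed(DIRECTORY, 'CN=Carol,OU=People,DC=example,DC=com')}" # true
end
```

Running it shows the three cases side by side: the old subtree search hits the size limit as soon as Alice has a child entry and blocks her, the base-scope search returns exactly her entry, and a DN that is genuinely absent is still reported as blocked under both. `blocked_strict` is the defensive shape a reviewer would ask for, since `.blank?` on its own cannot tell an empty result from a failed search.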
Showing 1 changed file with 1 addition and 1 deletion.
lib/gitlab/ldap/user.rb
@@ -78,7 +78,7 @@ module Gitlab | @@ -78,7 +78,7 @@ module Gitlab | ||
78 | # * when ldap account was deactivated by change of OU membership in 'dn' | 78 | # * when ldap account was deactivated by change of OU membership in 'dn' |
79 | def blocked?(dn) | 79 | def blocked?(dn) |
80 | ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf) | 80 | ldap = OmniAuth::LDAP::Adaptor.new(ldap_conf) |
81 | - ldap.connection.search(base: dn, size: 1).blank? | 81 | + ldap.connection.search(base: dn, scope: Net::LDAP::SearchScope_BaseObject, size: 1).blank? |
82 | end | 82 | end |
83 | 83 | ||
84 | private | 84 | private |
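Review bot: the `.blank?` check on line 81 still cannot tell "no entry at this DN" apart from "the search did not succeed". On the net-ldap releases this code appears to target (an assumption here), `search` returns nil whenever the result code is non-zero, which is the likely mechanism by which the old subtree search's sizeLimitExceeded response turned into a block; a bind or connection failure takes the same path, so narrowing the scope removes the size-limit trigger but a transient directory error would still read as a deactivated account. Suggest keeping the result, checking `ldap.connection.get_operation_result` and raising or logging on a non-success code, and treating only an empty, successful result as blocked. The comment block above `blocked?` also deserves one line saying base scope is used so child entries such as ExchangeActiveSyncDevices are not counted, since that reasoning currently lives only in the commit message. With base scope at most one entry can come back, so `size: 1` is now redundant, though harmless.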