Experience of adding multi-LDAP-domain authentication support to Subversion Edge and GitLab CE

Date: 2019-11-12

Background

At present the company uses SVN and Git as its version control tools. As the number of service projects grows, the load on a single server keeps increasing, and cluster deployment has become unavoidable (how the SVN and Git nginx clusters are built will be written up later). The most troublesome part of cluster deployment is keeping the permission data consistent. Using local files or a database and then synchronising them is feasible, but LDAP domain authentication has advantages in the following respects:

  • The SVN cluster and the Git server share the same user name and password
  • Sensitive password data never lands on the servers, so there is no risk of it being stolen
  • Disabling a user's account (for example on resignation) takes effect promptly

   * PS: With a unified authentication system, single sign-on between multiple systems would be even more convenient, since the user password is entered only once. However, since SVN and Git are not production systems, plain LDAP domain authentication is used.

Adding multi-LDAP-domain support to SVN

  • Configure LDAP domain authentication on the Subversion Edge management side

After configuration, verify that the LDAP domain works. This obviously does not yet meet the requirement of multi-domain authentication, which needs further modification of the back-end configuration!

  • Converting the configuration to multiple LDAP domains

As long as httpd supports it, editing httpd's configuration file directly should make multiple domains possible. Searching the Internet for "httpd multiple LDAP" turns up the configuration method at https://www.linuxquestions.or
Following the online method, I edited the back-end httpd.conf directly (note that in httpd.conf you must comment out the Include of "data/conf/svn_viewvc_httpd.conf"; otherwise the Subversion Edge management-side configuration is used directly and the change does not take effect).
Verify again! Failure! Is the Internet misleading me? This time I went to the official Apache httpd website and searched carefully. After much effort I finally found the cause: Apache httpd before 2.4.7 had a bug where this configuration raised no error but simply did not take effect! You need to upgrade to 2.4.7 for it to work! This open source software is a pit too (which is perhaps not unreasonable for free open source software...). So I upgraded Subversion Edge directly to the latest version. Thank goodness, it ships exactly httpd 2.4.7!
The test result is OK: SVN finally supports multi-LDAP-domain authentication!
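Since the screenshot of the edited httpd.conf did not survive, here is an added example (not the post's own configuration) of the approach it describes on httpd 2.4.7 or later: each directory is wrapped in its own AuthnProviderAlias and both aliases are listed on AuthBasicProvider, which consults them in order. The host names, base DNs, bind account and SVN paths are assumed placeholders.

```apache
# Added example, not the post's httpd.conf. Host names, base DNs, the bind
# account and the SVN paths are assumed placeholders. Needs httpd >= 2.4.7.

# One alias per directory; the base provider "ldap" comes from mod_authnz_ldap.
# In production use ldaps:// (or LDAPTrustedGlobalCert plus TLS) so the
# user's password is not sent to the directory in the clear.
<AuthnProviderAlias ldap ldap-corp>
    AuthLDAPURL "ldap://ldap-corp.example.invalid/ou=people,dc=corp,dc=example?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=svn-reader,ou=service,dc=corp,dc=example"
    AuthLDAPBindPassword "REDACTED"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-partner>
    # Active Directory style login attribute and filter for the second directory
    AuthLDAPURL "ldap://ldap-partner.example.invalid/dc=partner,dc=example?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "cn=svn-reader,ou=service,dc=partner,dc=example"
    AuthLDAPBindPassword "REDACTED"
</AuthnProviderAlias>

<Location /svn>
    DAV svn
    SVNParentPath "/data/repositories"
    AuthType Basic
    AuthName "Subversion"
    # Providers are tried in this order; the first one that accepts the
    # password wins, so a user from the second domain costs a failed bind
    # on the first one for every request not served from the mod_ldap cache.
    AuthBasicProvider ldap-corp ldap-partner
    Require valid-user
    AuthzSVNAccessFile "/data/conf/svn_access_file"
</Location>
```

Because a rejected bind on the first alias falls through to the second, one login can count as a failed attempt in the first directory, which matters if that directory enforces account lockout.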

Adding multi-LDAP-domain support to GitLab CE (the free community edition)

Verification of the basic LDAP configuration is OK too.
Next, supporting a multi-LDAP-domain configuration is a small challenge, because multi-domain support is a feature marked for the paid GitLab EE edition:
No budget, so do it yourself. LDAP multi-domain authentication: shouldn't that just be something like adding a branch at authentication time? GitLab is a Ruby project, so there is no build step; locating and modifying the code directly will do! With the keyword "credentials" and my half-baked Ruby on Rails skills, I started locating the LDAP authentication code.
I will spare you the details of the search. After tracking all kinds of ugly print logs, I finally found the file:
/opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/gitlab_omniauth-ldap-1.2.1/lib/omniauth/strategies/ldap.rb

def callback_phase
  # Connection details of the first LDAP domain (values redacted in the original post)
  @options.host = ''
  @options.password = ''
  @options.bind_dn = ''
  @adaptor = OmniAuth::LDAP::Adaptor.new @options

  return fail!(:missing_credentials) if missing_credentials?
  begin
    @ldap_user_info = @adaptor.bind_as(:filter => filter(@adaptor), :size => 1, :password => request['password'])
    # Added: if the first domain rejects the user, retry against the second LDAP domain
    if !@ldap_user_info
      @options.host = ''
      @options.password = ''
      @options.bind_dn = ''
      @adaptor = OmniAuth::LDAP::Adaptor.new @options
      @ldap_user_info = @adaptor.bind_as(:filter => filter(@adaptor), :size => 1, :password => request['password'])
    end
    return fail!(:invalid_credentials) if !@ldap_user_info

    @user_info = self.class.map_user(@@config, @ldap_user_info)
    super
  rescue Exception => e
    return fail!(:ldap_error, e)
  end
end

All we need is an extra domain branch when authenticating! Just a few lines of code: simple, but it does support multi-domain authentication, and it saves money :)
Another file also had to be modified: /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/access.rb. After that modification, re-authentication finally passed!
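The post hard-codes a single fallback branch; the added example below (my code, not gitlab_omniauth-ldap's) generalises it to an ordered list of domains, records which directory accepted the login, and keeps one unreachable directory from blocking the others. The domain settings, the FakeAdaptor stand-in and its users are constructed for the offline run; the real OmniAuth::LDAP::Adaptor would be plugged in through the factory.

```ruby
# Added example (not gitlab_omniauth-ldap's code): the "try the next domain"
# branch from the post, generalised to an ordered list of domains.
# The domain settings are constructed placeholders, not real servers.
LDAP_DOMAINS = [
  { name: 'corp',    host: 'ldap-corp.example.invalid',    bind_dn: 'cn=reader,dc=corp' },
  { name: 'partner', host: 'ldap-partner.example.invalid', bind_dn: 'cn=reader,dc=partner' },
].freeze

# Tries each domain in order and returns the first successful bind.
# adaptor_factory maps a domain hash to an object with
# bind_as(username, password) -> user entry or nil (raises on LDAP errors),
# so OmniAuth::LDAP::Adaptor or a stand-in can be plugged in.
# Only StandardError is rescued: the gem's "rescue Exception" would also
# swallow interrupts and out-of-memory errors.
def authenticate_across_domains(domains, username, password, adaptor_factory)
  errors = {}
  domains.each do |cfg|
    begin
      entry = adaptor_factory.call(cfg).bind_as(username, password)
      # Report which domain answered: audit logs and user mapping need it.
      return { domain: cfg[:name], entry: entry } if entry
    rescue StandardError => e
      # One unreachable domain must not block logins on the others.
      errors[cfg[:name]] = e.message
    end
  end
  { domain: nil, entry: nil, errors: errors }
end

# Stand-in adaptor for running offline (constructed users and passwords).
class FakeAdaptor
  USERS = {
    'ldap-corp.example.invalid'    => { 'alice' => 'corp-pass' },
    'ldap-partner.example.invalid' => { 'bob' => 'partner-pass' },
  }.freeze

  def initialize(cfg, down: false)
    @host = cfg[:host]
    @down = down
  end

  # Same contract as bind_as: nil on wrong credentials, raise when unreachable.
  def bind_as(username, password)
    raise IOError, "#{@host}: connection refused" if @down
    stored = USERS.fetch(@host, {})[username]
    stored && stored == password ? { 'uid' => username, 'host' => @host } : nil
  end
end

FACTORY = ->(cfg) { FakeAdaptor.new(cfg) }
```

As with the httpd fallback, a wrong password is tried against every domain in turn, so each failed login is counted by all directories that know the user name.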


Finally, both SVN and Git support multi-domain authentication!! The end, scatter flowers!!!