File: ldap_check.rb

gitlab 17.6.5-19
# frozen_string_literal: true

module SystemCheck
  # Used by gitlab:ldap:check rake task
  #
  # For every configured LDAP provider this check reports whether the
  # configured bind credentials work, then lists the users returned by a
  # wildcard search on the uid attribute (or only counts them when output
  # sanitization is on).
  class LdapCheck < BaseCheck
    set_name 'LDAP:'

    # Runs the LDAP check, or prints a notice when LDAP is disabled.
    #
    # The result cap is read from the LDAP_CHECK_LIMIT environment variable
    # and defaults to 100 when that variable is blank.
    #
    # @return [Object, nil] whatever check_ldap returns, or nil when LDAP is
    #   disabled
    def multi_check
      unless Gitlab::Auth::Ldap::Config.enabled?
        $stdout.puts 'LDAP is disabled in config/gitlab.yml'
        return
      end

      # Only show up to 100 results because LDAP directories can be very big.
      # This setting only affects the `rake gitlab:check` script.
      #
      # A value taken from ENV is a String and is handed on unchanged.
      # NOTE(review): nothing here checks that it is a positive integer;
      # confirm how the adapter treats non-numeric or zero values, since the
      # cap is what bounds how much directory data the check pulls and prints.
      configured_limit = ENV['LDAP_CHECK_LIMIT']

      check_ldap(configured_limit.blank? ? 100 : configured_limit)
    end

    private

    # Connects to each configured provider, reports the bind status and
    # prints the users found.
    #
    # Only Errno::ECONNREFUSED is handled (reported in red, after which the
    # loop moves on to the next provider); any other error raised while
    # talking to a server propagates to the caller.
    #
    # @param limit [Integer, String] maximum number of users requested from
    #   the adapter; also echoed in the output
    def check_ldap(limit)
      Gitlab::Auth::Ldap::Config.providers.each do |provider|
        $stdout.puts "Server: #{provider}"

        begin
          Gitlab::Auth::Ldap::Adapter.open(provider) do |ldap_adapter|
            check_ldap_auth(ldap_adapter)

            $stdout.puts "LDAP users with access to your GitLab server (only showing the first #{limit} results)"

            # Wildcard search on the configured uid attribute.
            entries = ldap_adapter.users(ldap_adapter.config.uid, '*', limit)

            # should_sanitize? is not defined in this class (presumably
            # inherited from BaseCheck; verify). When it is false, every DN
            # and uid value is written to stdout, so unsanitized output is
            # directory data and should be treated as such before it is
            # pasted into tickets or logs.
            if should_sanitize?
              $stdout.puts "\tUser output sanitized. Found #{entries.length} users of #{limit} limit."
            else
              entries.each do |entry|
                $stdout.puts "\tDN: #{entry.dn}\t #{ldap_adapter.config.uid}: #{entry.uid}"
              end
            end
          end
        rescue Errno::ECONNREFUSED => error
          $stdout.puts Rainbow("Could not connect to the LDAP server: #{error.message}").red
        end
      end
    end

    # Prints a one-line, colour-coded bind status for the given adapter.
    #
    # A bind is attempted only when the provider config reports credentials
    # (has_auth?). Without credentials the status is "Anonymous" and no bind
    # is performed by this method.
    #
    # @param adapter [Object] adapter yielded by Gitlab::Auth::Ldap::Adapter.open;
    #   must respond to #config and #ldap
    def check_ldap_auth(adapter)
      status =
        if !adapter.config.has_auth?
          Rainbow('Anonymous. No `bind_dn` or `password` configured').yellow
        elsif adapter.ldap.bind
          Rainbow('Success').green
        else
          Rainbow('Failed. Check `bind_dn` and `password` configuration values').red
        end

      $stdout.puts "LDAP authentication... #{status}"
    end
  end
end