gitblit-org#247 allow enable/disable of ldap bind switch via config

RainerW · RainerW · commit f04f891211b0 · 2015-10-02T10:32:13.000+02:00
new config key : "realm.ldap.groupQueryWithUser"
diff --git a/src/main/distrib/data/gitblit.properties b/src/main/distrib/data/gitblit.properties
@@ -1624,6 +1624,13 @@ realm.ldap.username = cn=Directory Manager
 # SINCE 1.0.0
 realm.ldap.password = password
 
+# After sucessfull user ldap authentication
+# when true the group query will be executed with as the new user
+# when false the group query will be executed under the realm.ldap.username
+#
+# SINCE 1.6.3
+realm.ldap.groupQueryWithUser = false
+
 # Bind pattern for Authentication.
 # Allow to directly authenticate an user without LDAP Searches.
 # 
diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java
@@ -321,7 +321,6 @@ public UserModel authenticate(String username, char[] password) {
 				if (result != null && result.getEntryCount() == 1) {
 					SearchResultEntry loggingInUser = result.getSearchEntries().get(0);
 					String loggingInUserDN = loggingInUser.getDN();
-
 					if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) {
 						logger.debug("LDAP authenticated: " + username);
 
@@ -438,7 +437,6 @@ private void setUserAttributes(UserModel user, SearchResultEntry userEntry) {
 
 	private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) {
 		String loggingInUserDN = loggingInUser.getDN();
-
 		// Clear the users team memberships - we're going to get them from LDAP
 		user.teams.clear();
 
@@ -533,13 +531,22 @@ private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolea
 	}
 
 	private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
+	  LDAPConnection authldapConnection = getLdapConnection();
 		try {
-			// Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
-			ldapConnection.bind(userDn, password);
+			if (settings.getBoolean(Keys.realm.ldap.groupQueryWithUser, false)
+					&& !StringUtils.isEmpty(settings.getString(Keys.realm.ldap.username, "")) ) {
+				// bind authConnection to user 
+				authldapConnection.bind(userDn, password);
+			} else {
+				// Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
+				ldapConnection.bind(userDn, password);
+			}
 			return true;
 		} catch (LDAPException e) {
 			logger.error("Error authenticating user", e);
 			return false;
+		} finally {
+		  authldapConnection.close();
 		}
 	}
 
