Ldap groups query and Admin groups
I configured LDAP correctly.
I log in with my AD user (in the Administration group) and it works OK, but when I go to create a new repository and assign it to an AD group I can only see MY AD GROUPS. The query used to show LDAP groups is the same one used to check whether you are an administrator (realm.ldap.groupMemberPattern), and if I change it to filter the groups that start with GIT_* any logged-in user becomes an administrator (because the admins group is GIT_ADMIN). I tried different ways to configure that, but really the drop-down to select a group for a repository must query the LDAP with another filter, separate from the one used for authentication and administration.
Can you provide your configuration of realm.ldap.groupMemberPattern and realm.ldap.groupBase?
The realm.ldap.groupMemberPattern is used to search for all teams that a certain user is a member of.
The teams and users with administrative rights are determined by full group or user names. Did you maybe not use the user name or DN in your realm.ldap.groupMemberPattern so that a user is always a member of all groups?
This is my config:
realm.ldap.groupBase = OU=Grupos,OU=Argentina,DC=sis,DC=ad
realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
realm.ldap.admins = @GIT_ADMIN
Maybe I don't express it well. The issue is that if I'm an administrator I want to see all groups of AD, not only my groups. When I tried to sort out the problem and see all groups that start with GIT_* in the select box, I saw that every user became an admin because realm.ldap.admins is GIT_*. I can change that, but the select box should show all groups, not only the ones where the admin is a member.
```java
// EditRepositoryPage
final RegistrantPermissionsPanel teamsPalette = new RegistrantPermissionsPanel("teams", RegistrantType.TEAM, app().users().getAllTeamNames(), repositoryTeams, getAccessPermissions());
```
Here it gets the class to load on the select box:
```java
/**
 * Returns the list of all teams available to the login service.
 *
 * @return list of all teams
 * @since 0.8.0
 */
List<String> getAllTeamNames();
```
I'm not entirely sure I understand your problem. From what I understand you created a new repository and want to add team permissions to the repository from the repository's edit page. You are using LDAP to connect to your Active Directory. You are missing teams in the drop-down list under "team permissions", for which you would like to assign permissions for this repository.
If I understand that correctly, then my guess is that you do not have LDAP synchronization enabled, do you?
If realm.ldap.synchronize is false, then Gitblit will only know about groups from LDAP for which members of the groups have already logged in to Gitblit once.
The teams drop-down shows all teams that Gitblit knows about, not just the teams that you (as admin) belong to. Groups that do not show up in the drop-down are administrator groups, i.e. teams that have the "can admin" flag set. So if you are setting up a new Gitblit installation and you are the only one who has ever logged in to Gitblit, then you will only see the groups that you are a member of, because these are the only groups that Gitblit knows about, not because you only see your groups in the drop-down.
So in case I guessed right, you will have to turn on LDAP synchronization if you want to see all your groups in AD. This will also pull in all users under your account base.
> I see that all user became an admin because realm.ldap.admins is GIT_*
The check for groups and users with administrative rights is verbose, not by pattern. I'm not sure what you mean by above statement, but you cannot set realm.ldap.admins to @GIT_* and have all groups starting with GIT_ become administrative groups.
Hi, yes, maybe I can't be clear enough, but I can't synchronize my whole directory. First of all because it is very large and only a few people are going to use git. And I need the administrator to be able to see all groups that start with git_*. I added this functionality to gitblit in a fork https://github.com/jvaleriano/gitblit. PS: sorry for my poor English.
I saw your commit. What it does is not change visibility, but it adds the admin to every group defined by that pattern, by default that is every group.
Are your admins and git_* groups rather static? Then you could achieve the same by adding the admin user to the git_* groups in AD.
Also, can you add all git users into one AD group like "git" or "gitaccess"? In that case you could set a filter for being a member of this group in your realm.ldap.accountPattern. This way only those users would get synchronized, not all AD users. Plus, only those users would be able to log in to your Gitblit.
Maybe it would help if only groups are synchronized but not users? Or would that also be too many groups?
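As an added example (not from the thread or the Gitblit project), this is what the maintainer's suggestion looks like as a gitblit.properties fragment: synchronization on, the account filter narrowed so only members of one AD group are ever synchronized or allowed to log in, teams restricted to the GIT_ prefix, and the admin group named exactly rather than by pattern. The `gitaccess` group and the OU paths below are assumed values modelled on the poster's config; `memberOf` is an Active Directory attribute.

```properties
# Pull users and groups from AD on a schedule instead of learning
# groups only when one of their members first logs in.
realm.ldap.synchronize = true
realm.ldap.syncPeriod = 5 MINUTES

# Assumed: one AD group ("gitaccess") that every git user belongs to.
# The memberOf filter limits both login and synchronization to that
# group, so a large directory is never pulled in wholesale.
realm.ldap.accountBase = OU=Usuarios,OU=Argentina,DC=sis,DC=ad
realm.ldap.accountPattern = (&(objectClass=person)(sAMAccountName=${username})(memberOf=CN=gitaccess,OU=Grupos,OU=Argentina,DC=sis,DC=ad))

# Teams: only groups whose name starts with GIT_ become Gitblit teams.
# This is a pattern, so it may safely use a wildcard.
realm.ldap.groupBase = OU=Grupos,OU=Argentina,DC=sis,DC=ad
realm.ldap.groupMemberPattern = (&(objectClass=group)(cn=GIT_*)(member=${dn}))

# Admins are matched by exact team or user name, never by wildcard:
# "@GIT_*" would not grant admin to GIT_ groups, so name the one group.
realm.ldap.admins = @GIT_ADMIN
```

With the admin group named exactly, a user in GIT_DEVS still appears in the team drop-down after a sync but never gains the "can admin" flag unless they are a member of GIT_ADMIN.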