summaryrefslogtreecommitdiff
path: root/lib/system_check/ldap_check.rb
blob: 3d71edbc2565ba65cd190b3f206bd6f68c53a8f4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
# frozen_string_literal: true

module SystemCheck
  # Used by gitlab:ldap:check rake task
  class LdapCheck < BaseCheck
    set_name 'LDAP:'

    def multi_check
      if Gitlab::Auth::Ldap::Config.enabled?
        # Only show up to 100 results because LDAP directories can be very big.
        # This setting only affects the `rake gitlab:check` script.
        limit = ENV['LDAP_CHECK_LIMIT']
        limit = 100 if limit.blank?

        check_ldap(limit)
      else
        $stdout.puts 'LDAP is disabled in config/gitlab.yml'
      end
    end

    private

    def check_ldap(limit)
      servers = Gitlab::Auth::Ldap::Config.providers

      servers.each do |server|
        $stdout.puts "Server: #{server}"

        begin
          Gitlab::Auth::Ldap::Adapter.open(server) do |adapter|
            check_ldap_auth(adapter)

            $stdout.puts "LDAP users with access to your GitLab server (only showing the first #{limit} results)"

            users = adapter.users(adapter.config.uid, '*', limit)

            if should_sanitize?
              $stdout.puts "\tUser output sanitized. Found #{users.length} users of #{limit} limit."
            else
              users.each do |user|
                $stdout.puts "\tDN: #{user.dn}\t #{adapter.config.uid}: #{user.uid}"
              end
            end
          end
        rescue Net::LDAP::ConnectionRefusedError, Errno::ECONNREFUSED => e
          $stdout.puts "Could not connect to the LDAP server: #{e.message}".color(:red)
        end
      end
    end

    def check_ldap_auth(adapter)
      auth = adapter.config.has_auth?

      message = if auth && adapter.ldap.bind
                  'Success'.color(:green)
                elsif auth
                  'Failed. Check `bind_dn` and `password` configuration values'.color(:red)
                else
                  'Anonymous. No `bind_dn` or `password` configured'.color(:yellow)
                end

      $stdout.puts "LDAP authentication... #{message}"
    end
  end
end