Optimize LDAP and add a search timeout
This commit is contained in:
parent
a9800ce40b
commit
67aa0b8c4c
7 changed files with 37 additions and 11 deletions
|
@ -37,6 +37,7 @@ v 8.4.0 (unreleased)
|
|||
v 8.3.3 (unreleased)
|
||||
- Preserve CE behavior with JIRA integration by only calling API if URL is set
|
||||
- Fix duplicated branch creation/deletion events when using Web UI (Stan Hu)
|
||||
- Add configurable LDAP server query timeout
|
||||
- Get "Merge when build succeeds" to work when commits were pushed to MR target branch while builds were running
|
||||
- Suppress e-mails on failed builds if allow_failure is set (Stan Hu)
|
||||
- Fix project transfer e-mail sending incorrect paths in e-mail notification (Stan Hu)
|
||||
|
|
|
@ -204,6 +204,11 @@ production: &base
|
|||
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
|
||||
password: '_the_password_of_the_bind_user'
|
||||
|
||||
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
|
||||
# a request if the LDAP server becomes unresponsive.
|
||||
# A value of 0 means there is no timeout.
|
||||
timeout: 10
|
||||
|
||||
# This setting specifies if LDAP server is Active Directory LDAP server.
|
||||
# For non AD servers it skips the AD specific queries.
|
||||
# If your LDAP server is not AD, set this to false.
|
||||
|
|
|
@ -108,6 +108,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
|
|||
|
||||
Settings.ldap['servers'].each do |key, server|
|
||||
server['label'] ||= 'LDAP'
|
||||
server['timeout'] ||= 10.seconds
|
||||
server['block_auto_created_users'] = false if server['block_auto_created_users'].nil?
|
||||
server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
|
||||
server['active_directory'] = true if server['active_directory'].nil?
|
||||
|
|
|
@ -48,6 +48,11 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
|
|||
bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
|
||||
password: '_the_password_of_the_bind_user'
|
||||
|
||||
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
|
||||
# a request if the LDAP server becomes unresponsive.
|
||||
# A value of 0 means there is no timeout.
|
||||
timeout: 10
|
||||
|
||||
# This setting specifies if LDAP server is Active Directory LDAP server.
|
||||
# For non AD servers it skips the AD specific queries.
|
||||
# If your LDAP server is not AD, set this to false.
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
module Gitlab
|
||||
module LDAP
|
||||
class Access
|
||||
attr_reader :adapter, :provider, :user
|
||||
attr_reader :provider, :user
|
||||
|
||||
def self.open(user, &block)
|
||||
Gitlab::LDAP::Adapter.open(user.ldap_identity.provider) do |adapter|
|
||||
|
@ -32,7 +32,7 @@ module Gitlab
|
|||
end
|
||||
|
||||
def allowed?
|
||||
if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
|
||||
if ldap_user
|
||||
return true unless ldap_config.active_directory
|
||||
|
||||
# Block user in GitLab if he/she was blocked in AD
|
||||
|
@ -59,6 +59,10 @@ module Gitlab
|
|||
def ldap_config
|
||||
Gitlab::LDAP::Config.new(provider)
|
||||
end
|
||||
|
||||
def ldap_user
|
||||
@ldap_user ||= Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -70,6 +70,8 @@ module Gitlab
|
|||
end
|
||||
|
||||
def ldap_search(*args)
|
||||
# Net::LDAP's `time` argument doesn't work. Use Ruby `Timeout` instead.
|
||||
Timeout.timeout(config.timeout) do
|
||||
results = ldap.search(*args)
|
||||
|
||||
if results.nil?
|
||||
|
@ -84,6 +86,10 @@ module Gitlab
|
|||
results
|
||||
end
|
||||
end
|
||||
rescue Timeout::Error
|
||||
Rails.logger.warn("LDAP search timed out after #{config.timeout} seconds")
|
||||
[]
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -88,6 +88,10 @@ module Gitlab
|
|||
options['attributes']
|
||||
end
|
||||
|
||||
def timeout
|
||||
options['timeout'].to_i
|
||||
end
|
||||
|
||||
protected
|
||||
def base_config
|
||||
Gitlab.config.ldap
|
||||
|
|
Loading…
Reference in a new issue