
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorFrancisco Javier López <fjlopez@gitlab.com>2018-02-06 01:35:34 +0300
committerDouwe Maan <douwe@gitlab.com>2018-02-06 01:35:34 +0300
commitcd461400eb2e592c52c1b6ba61771df2fa2913bd (patch)
tree25c3bab9201c74672fc318a50454844f50a687e1
parent7c8e7a8d1f4a65f8b55172c1ee53096b7baac493 (diff)
Added ldap config setting to lower case usernames
-rw-r--r--changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml5
-rw-r--r--config/gitlab.yml.example3
-rw-r--r--config/initializers/1_settings.rb1
-rw-r--r--doc/administration/auth/ldap.md39
-rw-r--r--lib/gitlab/ldap/auth_hash.rb6
-rw-r--r--lib/gitlab/ldap/config.rb4
-rw-r--r--lib/gitlab/ldap/person.rb4
-rw-r--r--spec/lib/gitlab/ldap/auth_hash_spec.rb24
-rw-r--r--spec/lib/gitlab/ldap/person_spec.rb21
9 files changed, 106 insertions, 1 deletions
diff --git a/changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml b/changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml
new file mode 100644
index 00000000000..77142528be2
--- /dev/null
+++ b/changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml
@@ -0,0 +1,5 @@
+---
+title: Added ldap config setting to lower case the username
+merge_request: 16791
+author:
+type: added
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 33230b9355d..bbc2bcfb0cc 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -370,6 +370,9 @@ production: &base
first_name: 'givenName'
last_name: 'sn'
+ # If lowercase_usernames is enabled, GitLab will lower case the username.
+ lowercase_usernames: false
+
# GitLab EE only: add more LDAP servers
# Choose an ID made of a-z and 0-9 . This ID will be stored in the database
# so that GitLab can remember which LDAP server a user belongs to.
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 5ad46d47cb6..28e05bfc18d 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -151,6 +151,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
server['active_directory'] = true if server['active_directory'].nil?
server['attributes'] = {} if server['attributes'].nil?
+ server['lowercase_usernames'] = false if server['lowercase_usernames'].nil?
server['provider_name'] ||= "ldap#{key}".downcase
server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md
index 881b6a827f4..63fbb24bac1 100644
--- a/doc/administration/auth/ldap.md
+++ b/doc/administration/auth/ldap.md
@@ -181,6 +181,10 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
first_name: 'givenName'
last_name: 'sn'
+ # If lowercase_usernames is enabled, GitLab will lower case the username.
+ lowercase_usernames: false
+
+
## EE only
# Base where we can search for groups
@@ -290,6 +294,41 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for
themselves, they should check that their GitLab email address matches their
LDAP email address, and then sign into GitLab via their LDAP credentials.
+## Enabling LDAP username lowercase
+
+Some LDAP servers, depending on their configurations, can return uppercase usernames. This can lead to several confusing issues like, for example, creating links or namespaces with uppercase names.
+
+GitLab can automatically lowercase usernames provided by the LDAP server by enabling
+the configuration option `lowercase_usernames`. By default, this configuration option is `false`.
+
+**Omnibus configuration**
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+ ```ruby
+ gitlab_rails['ldap_servers'] = YAML.load <<-EOS
+ main:
+ # snip...
+ lowercase_usernames: true
+ EOS
+ ```
+
+2. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
+
+**Source configuration**
+
+1. Edit `config/gitlab.yaml`:
+
+ ```yaml
+ production:
+ ldap:
+ servers:
+ main:
+ # snip...
+ lowercase_usernames: true
+ ```
+2. [Restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect.
+
## Encryption
### TLS Server Authentication
diff --git a/lib/gitlab/ldap/auth_hash.rb b/lib/gitlab/ldap/auth_hash.rb
index 1bd0965679a..96171dc26c4 100644
--- a/lib/gitlab/ldap/auth_hash.rb
+++ b/lib/gitlab/ldap/auth_hash.rb
@@ -7,6 +7,12 @@ module Gitlab
@uid ||= Gitlab::LDAP::Person.normalize_dn(super)
end
+ def username
+ super.tap do |username|
+ username.downcase! if ldap_config.lowercase_usernames
+ end
+ end
+
private
def get_info(key)
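Review bot: `username.downcase!` in the new `username` method edits the string returned by `super` in place, so whatever object the parent class holds or memoizes is changed as a side effect, and the call raises if that value is ever `nil` or frozen. A non-mutating form avoids both: `name = super` followed by `ldap_config.lowercase_usernames ? name&.downcase : name`. The block parameter also shadows the method name `username`, which makes the block harder to read. The same pattern is in the `lib/gitlab/ldap/person.rb` hunk, where `[username].flatten.first` yields `nil` if the attribute is absent, so `downcase!` would raise NoMethodError with the setting on. Whether the attribute can be missing there depends on code outside that hunk.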
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index cde60addcf7..47b3fce3e7a 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -139,6 +139,10 @@ module Gitlab
options['allow_username_or_email_login']
end
+ def lowercase_usernames
+ options['lowercase_usernames']
+ end
+
def name_proc
if allow_username_or_email_login
proc { |name| name.gsub(/@.*\z/, '') }
diff --git a/lib/gitlab/ldap/person.rb b/lib/gitlab/ldap/person.rb
index e81cec6ba1a..b91757c2a4b 100644
--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -82,7 +82,9 @@ module Gitlab
# be returned. We need only one for username.
# Ex. `uid` returns only one value but `mail` may
# return an array of multiple email addresses.
- [username].flatten.first
+ [username].flatten.first.tap do |username|
+ username.downcase! if config.lowercase_usernames
+ end
end
def email
diff --git a/spec/lib/gitlab/ldap/auth_hash_spec.rb b/spec/lib/gitlab/ldap/auth_hash_spec.rb
index 1785094af10..9c30ddd7fe2 100644
--- a/spec/lib/gitlab/ldap/auth_hash_spec.rb
+++ b/spec/lib/gitlab/ldap/auth_hash_spec.rb
@@ -1,6 +1,8 @@
require 'spec_helper'
describe Gitlab::LDAP::AuthHash do
+ include LdapHelpers
+
let(:auth_hash) do
described_class.new(
OmniAuth::AuthHash.new(
@@ -83,4 +85,26 @@ describe Gitlab::LDAP::AuthHash do
end
end
end
+
+ describe '#username' do
+ context 'if lowercase_usernames setting is' do
+ let(:given_uid) { 'uid=John Smith,ou=People,dc=example,dc=com' }
+
+ before do
+ raw_info[:uid] = ['JOHN']
+ end
+
+ it 'enabled the username attribute is lower cased' do
+ stub_ldap_config(lowercase_usernames: true)
+
+ expect(auth_hash.username).to eq 'john'
+ end
+
+ it 'disabled the username attribute is not lower cased' do
+ stub_ldap_config(lowercase_usernames: false)
+
+ expect(auth_hash.username).to eq 'JOHN'
+ end
+ end
+ end
end
diff --git a/spec/lib/gitlab/ldap/person_spec.rb b/spec/lib/gitlab/ldap/person_spec.rb
index ff29d9aa5be..b54d4000b53 100644
--- a/spec/lib/gitlab/ldap/person_spec.rb
+++ b/spec/lib/gitlab/ldap/person_spec.rb
@@ -139,6 +139,27 @@ describe Gitlab::LDAP::Person do
expect(person.username).to eq(attr_value)
end
end
+
+ context 'if lowercase_usernames setting is' do
+ let(:username_attribute) { 'uid' }
+
+ before do
+ entry[username_attribute] = 'JOHN'
+ @person = described_class.new(entry, 'ldapmain')
+ end
+
+ it 'enabled the username attribute is lower cased' do
+ stub_ldap_config(lowercase_usernames: true)
+
+ expect(@person.username).to eq 'john'
+ end
+
+ it 'disabled the username attribute is not lower cased' do
+ stub_ldap_config(lowercase_usernames: false)
+
+ expect(@person.username).to eq 'JOHN'
+ end
+ end
end
def assert_generic_test(test_description, got, expected)
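Review bot: The new context only covers an entry whose `uid` is the string 'JOHN'; no example has the username attribute absent while `lowercase_usernames` is true, which is the input where `downcase!` would be called on the `nil` returned by `.first`. An example with the attribute removed from `entry` and `stub_ldap_config(lowercase_usernames: true)` would pin what `username` does in that case. `@person` is also built in `before`, ahead of the stub in each example; a `let(:person)` would construct it after the stub and drop the instance variable. The descriptions would read more clearly as `context 'when lowercase_usernames is enabled'` and `context 'when lowercase_usernames is disabled'`.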