Support for LDAP authentication #562
Conversation
There is no need to fetch and rebase in separate commands. Pull accepts a --rebase switch which does the fetch and rebase operations in one command.
Fixed stats formatting on home page when download or package count is 0
Use git pull --rebase
Fixed problem with PUT and DELETE verbs not working on servers with WebDAV installed
Cherry picked from SaqibS@7aeb306
Misc tweaks
…llows caching of packages
* Modifying stats to only consider package registrations with at least one listed package
prerelease filtering * Fixing bug where using multiple IndexWriters would lock the index * Improving search perf by adding boosts to fields at index time * Removing the need to recreate index by updating the index when aggregate download counts are updated.
and ~/api/vX/package paths Work Item: #519
| @@ -11,7 +12,9 @@ public class MigrationsConfiguration : DbMigrationsConfiguration<EntitiesContext | |||
|
|
|||
| public MigrationsConfiguration() | |||
| { | |||
| AutomaticMigrationsEnabled = false; | |||
| bool enabledInConfig; | |||
There was a problem hiding this comment.
Could you send this as a separate PR? Seems unrelated.
There was a problem hiding this comment.
The LDAP stuff won't work without enabling here because of the extra property on User (DisplayName). It does make sense to disable by default though. Do you prefer that I comment out the code or disable from config (by default)?
There was a problem hiding this comment.
I am not entirely sure why that piece of code disables auto-migrations, but I'd rather not change it. That said something does kick off migration. @half-ogre \ @jeffhandley might have a better understanding of how that works.
| if (entry.NativeObject != null) | ||
| { | ||
| var searchResult = new DirectorySearcher(entry, string.Format("({0}={1})", ldapPropUsername, username), new[] { ldapPropUsername, ldapPropDisplayName, ldapPropEmail }).FindOne(); | ||
| var user = new User(GetStringProperty(searchResult, ldapPropUsername).ToLowerInvariant(), cryptoSvc.GenerateSaltedHash(password, Constants.PBKDF2HashAlgorithmId)) |
There was a problem hiding this comment.
We don't want to save the password in the gallery db. We always want to go against the current LDAP password not the one that was active when the account was created. In essence, the only information we ought to have in the db is a stub for the user (so the foreign keys work) but the rest of should be values that LDAP provides.
There was a problem hiding this comment.
Added support for changed password. System will silently update the database whenever a new password is used by a user logging in. Will investigate not storing the password at all.
There was a problem hiding this comment.
Done. LDAP password no longer stored.
(Implemented suggestions from pranavkm (#562))
|
Looks good. I'm probably going to revert the migration change and learn how that works. Additionally I'm going to squash your changes into a single commit just so that it's easier to manage it. Hope you don't mind losing out on a few commits :) |
|
@pranavkm please close this out during the next sprint |
|
We're definitely interested in multiple-auth scenarios, and when we have a cleaner auth mechanism, we'd be happy to consider a PR which adds LDAP support to that. However, for now I think we're going to close this out. If it's working in your fork, awesome, and we'll direct people towards that fork if they're interested in LDAP auth. |
ghost
mentioned this pull request
This fork resolves issue #554 - #554
For our internal enterprise NuGet Gallery, we required LDAP based authentication. This fork contains the bare minimum of that implementation and is configuration driven (if the web.config contains LDAP configuration, it is seamlessly used as the authentication mechanism, users are silently added to the NuGetGallery database on first login).
The implementation works out of the box but one feature yet to be implemented is the ability to quietly update the user password in the NuGet Gallery database whenever the LDAP user changes it.
UPDATE: User passwords are no longer stored.