Add omniauth pam authentication support

Note that currenlty ruby19-pam + pam_unix can't authenticate users if not executed as root. So currently pam can be used with other kind of pam modules (ldap, sssd, krb, ...). Check out canweriotnow/rpam-ruby19#5 for more information.
RinkuDas7857 · Mar 25, 2013 · e1df2ab · e1df2ab
1 parent d62e719
commit e1df2ab
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 1 deletion.
diff --git a/.travis.yml b/.travis.yml
@@ -2,7 +2,7 @@ language: ruby
 env:
   - DB=mysql TRAVIS=true
 before_install:
-  - sudo apt-get install libicu-dev -y
+  - sudo apt-get install libicu-dev libpam0g-dev -y
   - gem install charlock_holmes -v="0.6.9"
 branches:
   only:

diff --git a/Gemfile b/Gemfile
@@ -20,6 +20,7 @@ gem 'omniauth', "~> 1.1.3"
 gem 'omniauth-google-oauth2'
 gem 'omniauth-twitter'
 gem 'omniauth-github'
+gem "omniauth-pam", "~> 1.1.0"
 
 # Extracting information from a git repository
 gem "gitlab-grit", '~> 1.0.0', require: 'grit'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -134,6 +134,7 @@ GEM
       activesupport (>= 3.2)
     erubis (2.7.0)
     escape_utils (0.2.4)
+    etc (0.2.0)
     eventmachine (1.0.0)
     execjs (1.4.0)
       multi_json (~> 1.0)
@@ -286,6 +287,10 @@ GEM
     omniauth-oauth2 (1.1.1)
       oauth2 (~> 0.8.0)
       omniauth (~> 1.0)
+    omniauth-pam (1.1.0)
+      etc
+      omniauth (~> 1.0)
+      rpam-ruby19 (~> 1.2.1)
     omniauth-twitter (0.0.14)
       multi_json (~> 1.3)
       omniauth-oauth (~> 1.0)
@@ -379,6 +384,7 @@ GEM
     request_store (1.0.5)
     rest-client (1.6.7)
       mime-types (>= 1.16)
+    rpam-ruby19 (1.2.1)
     rspec (2.12.0)
       rspec-core (~> 2.12.0)
       rspec-expectations (~> 2.12.0)
@@ -547,6 +553,7 @@ DEPENDENCIES
   omniauth (~> 1.1.3)
   omniauth-github
   omniauth-google-oauth2
+  omniauth-pam (~> 1.1.0)
   omniauth-twitter
   pg
   poltergeist (= 1.1.0)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
@@ -135,6 +135,19 @@ production: &base
         #allow_single_sign_on: true
         #block_auto_created_users: false
 
+      pam:
+        # Currently unix_pam do not work as expected, so pam works only with modules like ldap, sssd, krb
+        # or you need to run gitlab as root (NOT RECOMMENDED!)
+        # REad more from: https://github.com/canweriotnow/rpam-ruby19/issues/5
+        enabled: false
+        label: 'MyLocalHost'
+        #email_domain: 'example.org' # if gecos do not provide email, you need to use this option
+        gecos_map: ['name', 'location', 'phone', 'home_phone', 'email']
+        service: 'gitlab' # what pam service to use
+        # For authentication to work as you expect, uncomment these
+        #allow_single_sign_on: true
+        #block_auto_created_users: false
+
 
 
   #

diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -205,6 +205,11 @@
   #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
   # end
 
+  # For good reason omniauth-pam requires gecos_map to be symbols
+  if !Gitlab.config.omniauth.providers['pam'].nil? && !Gitlab.config.omniauth.providers.pam['gecos_map'].nil?
+    Gitlab.config.omniauth.providers.pam.gecos_map.map! { |item| item.to_sym }
+  end
+
   Gitlab.config.omniauth['icon_providers'] = []
   Gitlab.config.omniauth['form_providers'] = []
   Gitlab.config.omniauth.providers.each_pair do |provider, options|