Add rudimentary LDAP group support

[stertingen]

Continuation of #7349, which was closed after the commits were moved to a different branch and the master branch was reset to the original master branch.

Targeting #2212.

Features:

• Restrict automatic registration with a group filter
• Allow admin access based on a group filter
• Arbitrary kinds of LDAP groups are supported (custom filter with custom user attribute)

Sub-tasks

• Add configuration options for the admin backend
• Extend login code with new group options
• Tests for new options suitable for the test OpenLDAP server
• Test with another LDAP setup (not using dn as user attribute in group)
• Refactor LDAP code to remove duplication (esp. SearchEntry and SearchEntries)
• Add CLI options (see Add CLI commands to manage LDAP authentication source #6681)
• Test CLI options

[codecov-io]

Codecov Report

Merging #8814 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #8814   +/-   ##
=======================================
  Coverage   43.94%   43.94%           
=======================================
  Files         607      607           
  Lines       86968    86968           
=======================================
  Hits        38215    38215           
  Misses      44051    44051           
  Partials     4702     4702           

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f3fe882...f3fe882. Read the comment docs.

[stertingen]

All subtasks done for now. Have I missed something?

[lafriks]

I don't see point in these attributes:

"--member-group-filter", "(cn=user-group)",
"--admin-group-filter", "(cn=admin-group)",

member-group-filter - can be already set using user filter
admin-group-filter - can be already set using admin filter

[stertingen]

I don't see point in these attributes:

"--member-group-filter", "(cn=user-group)",
"--admin-group-filter", "(cn=admin-group)",

member-group-filter - can be already set using user filter
admin-group-filter - can be already set using admin filter

No, it cannot. On some LDAP servers it's not possible to determine the user's group by a user query, the only way to know wether a user is in a group is by a group query. (EDIT: there is no memberOf attribute)

In my case, I want to restrict access to members of a group.

[KaiMartin]

Just a heads-up from me. I am happy to see this feature being worked on. Looking forward to see this in one of the next releases.

[vaab]

As general comments,

• I don't feel the relations between all 6 conditions fields is clearly managed and explicited, I'm taking about: Filter/MemberGroupFilter, AdminFilter/AdminGroupFilter, RestrictedFilter/RestrictedGroupFilter and their relation in pairs (if both provided), and in between each 3 couple of conditions.
  This is why I have this feeling:
  • All the behavior do not seem documented and maybe should as it is different for each pair.
    • Is it clear that user should satisfy both Filter and MemberFilter conditions (if provided) ?
    • Is it clear that admins and restricted user should satisfy user conditions ? Do we want that ?
    • Is it clear that restricted user should NOT satisfy admins conditions ?
  • In current code and current behavior, we issue useless LDAP queries
    • no need to check RestrictedGroupFilter if user is admin
    • no need to check AdminGroupFilter if AdminFilter is already satisfied (because you chose to or both conditions, which I'm not sure is the best).
• There are no tests in integrations/auth_ldap_test.go for restricted users. I think it could be important, especially considered what behavior we want to stick in light of the previous questions.

Many thanks for your contribution. I have developed a similar working code and went through these consideration myself before actually discovering your PR. I would be happy to help to get your code included as soon as possible.
I hope my remarks are helpful, and sorry if I missed some obvious points.

[vaab]

Let me put blocking points here about this implementation in my perspective :

• the current implementation is making 4 additional LDAP queries per user which might be costly in large user list. Which could be ok if there were no other solution, but there are solutions allowing way less LDAP queries : do up to 3 LDAP queries for membership, admin, restricted groups, only once, then check uid membership in these groups locally with Go for each user.
• relations between Group/NonGroup and Member/Admin/Restricted are not explicited nor tested, nor used to remove useless LDAP queries
• Documentation is missing

I'll be happy to move forward by addressing these points. Not sure when though.

[stertingen]

@vaab I made some improvements regarding the relations of the six different user/group filters.

• The user filter and the group filter are now always ANDed
• Notes on that behavior are added to CLI help and to the configuration backend.

[6543]

What is the Status?

[codecov-commenter]

Codecov Report

Merging #8814 into master will increase coverage by 0.14%.
The diff coverage is 81.20%.

@@            Coverage Diff             @@
##           master    #8814      +/-   ##
==========================================
+ Coverage   43.79%   43.94%   +0.14%     
==========================================
  Files         607      607              
  Lines       86876    86968      +92     
==========================================
+ Hits        38045    38215     +170     
+ Misses      44133    44051      -82     
- Partials     4698     4702       +4     

Impacted Files	Coverage Δ
modules/auth/auth_form.go	100.00% <ø> (ø)
modules/auth/ldap/ldap.go	58.72% <77.06%> (+4.45%)	⬆️
cmd/admin_auth_ldap.go	81.50% <100.00%> (+1.82%)	⬆️
routers/admin/auths.go	32.55% <100.00%> (+1.37%)	⬆️
services/pull/update.go	52.54% <0.00%> (-6.78%)	⬇️
modules/process/manager.go	74.69% <0.00%> (-3.62%)	⬇️
services/pull/temp_repo.go	31.62% <0.00%> (-2.57%)	⬇️
modules/git/repo.go	51.88% <0.00%> (ø)
models/repo.go	52.59% <0.00%> (+0.44%)	⬆️
models/issue.go	52.41% <0.00%> (+0.46%)	⬆️
... and 9 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 28f8308...f3fe882. Read the comment docs.

[stertingen]

What is the Status?

As our LDAP infrastructure changed (supporting the MemberOf attribute), this PR is no longer needed for us and I won't do any work on this for now. (I wonder what was missing because it did not get merged for some reason.)

So, if there's interest in working on that feature, you may submit a new PR or merge this one.

[stale]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you for your contributions.

[techknowlogick]

Closing in favour of other PR