@pboling pboling commented Nov 6, 2025

Password Policy for LDAP Directories

Implements and closes #44

@pboling pboling self-assigned this Nov 6, 2025
Copilot AI review requested due to automatic review settings November 6, 2025 05:42

codecov bot commented Nov 6, 2025

Codecov Report

❌ Patch coverage is 95.45455% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 97.33%. Comparing base (1115b69) to head (75864cd).
⚠️ Report is 3 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| lib/omniauth-ldap/adaptor.rb | 91.42% | 3 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #105      +/-   ##
==========================================
- Coverage   97.55%   97.33%   -0.22%     
==========================================
  Files           4        4              
  Lines         245      300      +55     
  Branches       67      106      +39     
==========================================
+ Hits          239      292      +53     
- Misses          6        8       +2     

Copilot AI left a comment

Pull Request Overview

This PR adds password policy support to the OmniAuth LDAP strategy by implementing the LDAP Password Policy request/response control (OID 1.3.6.1.4.1.42.2.27.8.5.1). This allows applications to receive detailed information about password-related authentication failures (e.g., expired passwords, account locked, grace logins remaining).

Key Changes:

  • Added password_policy configuration option to enable password policy control requests
  • Modified bind_as to attach password policy controls to bind requests when enabled
  • Exposed last_operation_result and last_password_policy_response accessors on the adaptor
  • Added attach_password_policy_env helper to expose policy information via Rack env

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| lib/omniauth-ldap/adaptor.rb | Added password policy control request logic to bind_as, control capture via capture_password_policy, and exposed accessors for operation result and policy response |
| lib/omniauth/strategies/ldap.rb | Added attach_password_policy_env and extract_password_policy helpers to expose password policy information via Rack env on authentication success/failure |
| sig/omniauth/ldap/adaptor.rbs | Updated type signatures: renamed constant from METHOD to ENCRYPTION_METHOD, added password policy accessors and helper method signatures, added missing instance variable declarations |
| sig/rbs/net-ldap.rbs | Added type signatures for get_operation_result, LDAP control classes, and PDU |
| sig/rbs/net-ntlm.rbs | Added target_name= writer signature and removed trailing blank line |
| sig/omniauth/strategies/ldap.rbs | Added method signatures for uid, info, and extra |
| sig/omniauth-ldap.rbs | Added OmniAuth::LDAP module declaration |
| spec/omniauth/strategies/ldap_spec.rb | Added comprehensive tests for password policy functionality and POST redirect behavior |
| spec/omniauth-ldap/adaptor_spec.rb | Added tests for password policy control attachment to binds and control capture |
| README.md | Added documentation and example for the password_policy option |
| CHANGELOG.md | Documented the new password policy feature |

Comments suppressed due to low confidence (2)

sig/omniauth/ldap/adaptor.rbs:1

  • The instance variable @bind_method is set in lib/omniauth-ldap/adaptor.rb line 92 and used in lines 98, 100, and 123, but is not declared in the RBS type signature file. Add @bind_method: Symbol? to the instance variable declarations section (after line 69) to maintain type signature completeness.
module OmniAuth

sig/omniauth/ldap/adaptor.rbs:1

  • Several instance variables from VALID_ADAPTER_CONFIGURATION_KEYS are used in the adaptor code but are not declared in the RBS file. Based on the code in lib/omniauth-ldap/adaptor.rb lines 82-84 and 171, add missing instance variable declarations for @encryption, @method, @hosts, @host, and @port to maintain consistency with the runtime behavior.
module OmniAuth
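
The Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) named in the overview carries a BER-encoded value defined in draft-behera-ldap-password-policy. The following added example, which is not code from this PR or from omniauth-ldap, decodes that value with bounds checks, since the octets arrive from the directory server. Function and constant names are hypothetical, the sample bytes are constructed, and error codes outside 0..8 are reported as unknown.

```ruby
# Added example (not omniauth-ldap code): PasswordPolicyResponseValue decoder.
PPOLICY_ERRORS = %i[password_expired account_locked change_after_reset
  password_mod_not_allowed must_supply_old_password insufficient_password_quality
  password_too_short password_too_young password_in_history].freeze
SAMPLE_EXPIRED = "\x30\x03\x81\x01\x00".b # constructed sample: error = passwordExpired

# Read one BER TLV from an Array of octets; returns [tag, value, next_pos].
def read_tlv(bytes, pos)
  raise ArgumentError, "truncated TLV" if pos + 2 > bytes.size
  tag, len = bytes[pos], bytes[pos + 1]
  pos += 2
  if len & 0x80 != 0 # long form: low 7 bits give the number of length octets
    n = len & 0x7f
    raise ArgumentError, "bad length" if n.zero? || n > 4 || pos + n > bytes.size
    len = bytes[pos, n].inject(0) { |acc, b| (acc << 8) | b }
    pos += n
  end
  raise ArgumentError, "length exceeds buffer" if pos + len > bytes.size
  [tag, bytes[pos, len], pos + len]
end

# INTEGER/ENUMERATED content octets; the draft restricts both to non-negative values.
def ber_uint(octets)
  raise ArgumentError, "empty INTEGER" if octets.empty?
  octets.inject(0) { |acc, b| (acc << 8) | b }
end

# Decode the control value (binary String) into a Hash of warning/error fields.
def decode_ppolicy_response(value)
  tag, body, = read_tlv(value.bytes, 0)
  raise ArgumentError, "expected SEQUENCE" unless tag == 0x30
  result = {time_before_expiration: nil, grace_authns_remaining: nil, error: nil}
  pos = 0
  while pos < body.size
    tag, val, pos = read_tlv(body, pos)
    case tag
    when 0xA0 # warning [0] CHOICE { timeBeforeExpiration [0], graceAuthNsRemaining [1] }
      choice, int, = read_tlv(val, 0)
      key = {0x80 => :time_before_expiration, 0x81 => :grace_authns_remaining}[choice]
      raise ArgumentError, "unknown warning choice" unless key
      result[key] = ber_uint(int)
    when 0x81 # error [1] ENUMERATED
      code = ber_uint(val)
      result[:error] = PPOLICY_ERRORS[code] || :"unknown_#{code}"
    else raise ArgumentError, "unexpected tag"
    end
  end
  result
end
```

A malformed or truncated value raises `ArgumentError` rather than yielding a partial result, so a caller can treat an undecodable control as "no policy information" instead of a default such as `password_expired`.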

@pboling pboling force-pushed the feat/draft-behera-ldap-password-policy-11 branch from 4adbd81 to 75864cd Compare November 6, 2025 05:53

github-actions bot commented Nov 6, 2025

Code Coverage

| Package | Line Rate | Branch Rate | Health |
| --- | --- | --- | --- |
| omniauth-ldap | 98% | 80% | |
| Summary | 98% (279 / 284) | 80% (94 / 118) | |

Minimum allowed line rate is 97%

@pboling pboling merged commit c4d782d into main Nov 6, 2025
34 of 40 checks passed
@pboling pboling deleted the feat/draft-behera-ldap-password-policy-11 branch November 6, 2025 05:58

Development

Successfully merging this pull request may close these issues.

Please add support for in-directory password policies