Commit bf5683f8 authored by Drew Blessing's avatar Drew Blessing

Block LDAP user when they are no longer found in the LDAP server

parent 14165e59
...@@ -23,6 +23,7 @@ v 8.3.0 (unreleased) ...@@ -23,6 +23,7 @@ v 8.3.0 (unreleased)
- Run custom Git hooks when branch is created or deleted. - Run custom Git hooks when branch is created or deleted.
- Fix bug when simultaneously accepting multiple MRs results in MRs that are of "merged" status, but not merged to the target branch - Fix bug when simultaneously accepting multiple MRs results in MRs that are of "merged" status, but not merged to the target branch
- Add languages page to graphs - Add languages page to graphs
- Block LDAP user when they are no longer found in the LDAP server
v 8.2.3 v 8.2.3
- Fix application settings cache not expiring after changes (Stan Hu) - Fix application settings cache not expiring after changes (Stan Hu)
......
...@@ -13,6 +13,12 @@ An LDAP user who is allowed to change their email on the LDAP server can [take o ...@@ -13,6 +13,12 @@ An LDAP user who is allowed to change their email on the LDAP server can [take o
We recommend against using GitLab LDAP integration if your LDAP users are allowed to change their 'mail', 'email' or 'userPrincipalName' attribute on the LDAP server. We recommend against using GitLab LDAP integration if your LDAP users are allowed to change their 'mail', 'email' or 'userPrincipalName' attribute on the LDAP server.
If a user is deleted from the LDAP server, they will be blocked in GitLab as well.
Users will be immediately blocked from logging in. However, there is an LDAP check
cache time of one hour. The means users that are already logged in or are using Git
over SSH will still be able to access GitLab for up to one hour. Manually block
the user in the GitLab Admin area to immediately block all access.
## Configuring GitLab for LDAP integration ## Configuring GitLab for LDAP integration
To enable GitLab LDAP integration you need to add your LDAP server settings in `/etc/gitlab/gitlab.rb` or `/home/git/gitlab/config/gitlab.yml`. To enable GitLab LDAP integration you need to add your LDAP server settings in `/etc/gitlab/gitlab.rb` or `/home/git/gitlab/config/gitlab.yml`.
...@@ -192,4 +198,4 @@ Not supported by GitLab's configuration options. ...@@ -192,4 +198,4 @@ Not supported by GitLab's configuration options.
When setting `method: ssl`, the underlying authentication method used by When setting `method: ssl`, the underlying authentication method used by
`omniauth-ldap` is `simple_tls`. This method establishes TLS encryption with `omniauth-ldap` is `simple_tls`. This method establishes TLS encryption with
the LDAP server before any LDAP-protocol data is exchanged but no validation of the LDAP server before any LDAP-protocol data is exchanged but no validation of
the LDAP server's SSL certificate is performed. the LDAP server's SSL certificate is performed.
\ No newline at end of file
...@@ -37,13 +37,15 @@ module Gitlab ...@@ -37,13 +37,15 @@ module Gitlab
# Block user in GitLab if he/she was blocked in AD # Block user in GitLab if he/she was blocked in AD
if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter) if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
user.block unless user.blocked? user.block
false false
else else
user.activate if user.blocked? && !ldap_config.block_auto_created_users user.activate if user.blocked? && !ldap_config.block_auto_created_users
true true
end end
else else
# Block the user if they no longer exist in LDAP/AD
user.block
false false
end end
rescue rescue
......
...@@ -13,6 +13,11 @@ describe Gitlab::LDAP::Access do ...@@ -13,6 +13,11 @@ describe Gitlab::LDAP::Access do
end end
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
it 'should block user in GitLab' do
access.allowed?
expect(user).to be_blocked
end
end end
context 'when the user is found' do context 'when the user is found' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment