diff --git a/db/migrate/20190604091310_add_ldap_membership_lock.rb b/db/migrate/20190604091310_add_ldap_membership_lock.rb
new file mode 100644
index 0000000000000000000000000000000000000000..1afc6aeefd59902c215def586d0bbfb3504396be
--- /dev/null
+++ b/db/migrate/20190604091310_add_ldap_membership_lock.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLdapMembershipLock < ActiveRecord::Migration[5.1]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:application_settings, :lock_memberships_to_ldap, :boolean, default: false)
+  end
+
+  def down
+    remove_column(:application_settings, :lock_memberships_to_ldap)
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 86a099d28b2751f8b484798cec804c3b44d7699a..4ed7c0cb248a9336569d75de8814dadc02420029 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -195,6 +195,7 @@ ActiveRecord::Schema.define(version: 20190611161641) do
     t.text "encrypted_lets_encrypt_private_key_iv"
     t.boolean "dns_rebinding_protection_enabled", default: true, null: false
     t.boolean "default_project_deletion_protection", default: false, null: false
+    t.boolean "lock_memberships_to_ldap", default: false, null: false
     t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
   end
 
diff --git a/doc/administration/auth/ldap-ee.md b/doc/administration/auth/ldap-ee.md
index 30095d357051c4321733621c26a0a9752a65fc75..15f093bb62d4ef4c295b26305e9c2fb47d95fa67 100644
--- a/doc/administration/auth/ldap-ee.md
+++ b/doc/administration/auth/ldap-ee.md
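Review bot: The new migration does not say what `lock_memberships_to_ldap` controls or why its default is `false`, so a reader of the migration alone cannot tell that it is an opt-in, admin-only switch rather than a behaviour change for existing installs. I would add above `def up`: `# Instance-wide opt-in; false preserves current behaviour so existing installs stay unlocked until an admin enables it (see doc/administration/auth/ldap-ee.md).` The `add_column_with_default` helper with `disable_ddl_transaction!` matches the project's own migration style guide linked in the header, and on `application_settings` the backfill it performs is presumably a single row, so no further concern there.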
@@ -183,6 +183,15 @@ group, as opposed to the full DN.
 
 1. [Restart GitLab][restart] for the changes to take effect.
 
+## Global group memberships lock
+
+"Lock memberships to LDAP synchronization" setting allows instance administrators
+to lock down user abilities to invite new members to a group. When enabled following happens:
+
+1. Only administrator can manage memberships of any group including access levels.
+2. Users are not allowed to share project with other groups or invite members to a project created in a group.
+
+
 ## Adjusting LDAP user sync schedule
 
 > Introduced in GitLab Enterprise Edition Starter.