Merge branch 'rs-issue-364' into 'master'

Update settings and documentation for per-install LDAP sync time The setting is now per-install, rather than per-server. Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/364 See merge request !266

Merge branch 'rs-issue-364' into 'master'
Update settings and documentation for per-install LDAP sync time The setting is now per-install, rather than per-server. Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/364 See merge request !266
0dba8e20 · Robert Speicher · 7e1b23f3 · b7436e39 · 0dba8e20 · 0dba8e20
Commit 0dba8e20 authored Mar 17, 2016 by Robert Speicher
Showing with 25 additions and 35 deletions

config/gitlab.yml.example config/gitlab.yml.example +12 -8

config/initializers/1_settings.rb config/initializers/1_settings.rb +0 -1

doc/integration/ldap.md doc/integration/ldap.md +13 -26

No files found.
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -228,6 +228,18 @@ production: &base
  ldap:
    enabled: false

+    # This setting controls the number of seconds between LDAP permission checks
+    # for each user. After this time has expired for a given user, their next
+    # interaction with GitLab (a click in the web UI, a git pull, etc.) will be
+    # slower because the LDAP permission check is being performed. How much
+    # slower depends on your LDAP setup, but it is not uncommon for this check
+    # to add seconds of waiting time. The default value is to have a "slow
+    # click" once every 3600 seconds (i.e., once per hour).
+    #
+    # Warning: if you set this value too low, every click in GitLab will be a
+    # "slow click" for all of your LDAP users.
+    # sync_time: 3600
+
    servers:
      ##########################################################################
      #
@@ -295,14 +307,6 @@ production: &base
        #
        user_filter: ''

-        # This setting controls the amount of time between LDAP permission checks for each user.
-        # After this time has expired for a given user, their next interaction with GitLab (a click in the web UI, a git pull etc.) will be slower because the LDAP permission check is being performed.
-        # How much slower depends on your LDAP setup, but it is not uncommon for this check to add seconds of waiting time.
-        # The default value is to have a 'slow click' once every 3600 seconds, i.e. once per hour.
-        #
-        # Warning: if you set this value too low, every click in GitLab will be a 'slow click' for all of your LDAP users.
-        # sync_time: 3600
-
        # Base where we can search for groups
        #
        #   Ex. ou=Groups,dc=gitlab,dc=example

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -156,7 +156,6 @@ if Settings.ldap['enabled'] || Rails.env.test?
    server['active_directory'] = true if server['active_directory'].nil?
    server['attributes'] = {} if server['attributes'].nil?
    server['provider_name'] ||= "ldap#{key}".downcase
-    server['sync_time'] = 3600 if server['sync_time'].nil?
    server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
    Settings.ldap['servers'][key] = server
  end

--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -404,40 +404,27 @@ LDAP membership is checked for a GitLab user:

 - when they sign in to the GitLab instance
 - on a daily basis
- on any request that they do, once the LDAP cache has expired (default 1 hour, configurable, cache is per user)
+- on any request once the LDAP cache has expired (configurable; default is 60
+  minutes; cache is per-user)

-If you want a shorter or longer LDAP sync time, you can easily set this with the `sync_time` attribute in your config.
+If you want a shorter or longer LDAP sync time, you can set this with the
+`sync_time` attribute in your config.

-For Omnibus package installations, simply add `"sync_time"` in `/etc/gitlab/gitlab.rb` to your LDAP config.
-A typical LDAP configuration for GitLab installed with an Omnibus package might look like this:
+For Omnibus package installations, provide an `ldap_sync_time` value in
+`/etc/gitlab/gitlab.rb`:

 ```ruby
-gitlab_rails['ldap_servers'] = YAML.load <<-EOS
-main:
-  label: 'LDAP'
-  host: '_your_ldap_server'
-  port: 636
-  uid: 'sAMAccountName'
-  method: 'ssl' # "tls" or "ssl" or "plain"
-  bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
-  password: '_the_password_of_the_bind_user'
-  active_directory: true
-  allow_username_or_email_login: false
-  base: ''
-  user_filter: ''
-  sync_time: 1800
-  ## EE only
-  group_base: ''
-  admin_group: ''
-  sync_ssh_keys: false
-EOS
+gitlab_rails['ldap_sync_time'] = 1800
 ```

-Here, `sync_time` is set to `1800` seconds, meaning the LDAP cache will expire every 30 minutes.
+Here, `ldap_sync_time` is set to `1800` seconds, meaning the LDAP cache will
+expire every 30 minutes, rather than the default of 60 minutes.

-For manual GitLab installations, simply uncomment the `sync_time` entry in your `gitlab.yml` and set it to the value you desire.
+For manual GitLab installations, simply uncomment the `sync_time` entry in your
+`gitlab.yml` and set it to the value you desire.

-Please note that changing the LDAP sync time can influence the performance of your GitLab instance.
+Please note that changing the LDAP sync time can influence the performance of
+your GitLab instance.

 ## What sort of queries can my LDAP server expect from GitLab EE?