Add LDAP config options

6dbff966 · Michael Kozono · 8ab29d56 · 6dbff966 · 6dbff966
Commit 6dbff966 authored Jun 06, 2017 by Michael Kozono
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 1 deletion

config/gitlab.yml.example config/gitlab.yml.example +29 -1

config/initializers/1_settings.rb config/initializers/1_settings.rb +5 -0

No files found.
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -254,10 +254,38 @@ production: &base
        host: '_your_ldap_server'
        port: 389
        uid: 'sAMAccountName'
-        method: 'plain' # "tls" or "ssl" or "plain"
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'

+        # Encryption method. The "method" key is deprecated in favor of
+        # "encryption".
+        #
+        #   Examples: "start_tls" or "simple_tls" or "plain"
+        #
+        #   Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
+        #   replaced with "simple_tls".
+        #
+        encryption: 'plain'
+
+        # Enables SSL certificate verification if encryption method is
+        # "start_tls" or "simple_tls". (Defaults to false for backward-
+        # compatibility)
+        verify_certificates: false
+
+        # Specifies the path to a file containing a PEM-format CA certificate,
+        # e.g. if you need to use an internal CA.
+        #
+        #   Example: '/etc/ca.pem'
+        #
+        ca_cert: ''
+
+        # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
+        # is not appropriate.
+        #
+        #   Example: 'TLSv1_1'
+        #
+        ssl_version: ''
+
        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -145,6 +145,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
    server['attributes'] = {} if server['attributes'].nil?
    server['provider_name'] ||= "ldap#{key}".downcase
    server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
+    server['encryption'] ||= server['method'] # for backwards compatibility
+
+    # Certificates are not verified for backwards compatibility.
+    # This default should be flipped to true in 9.5.
+    server['verify_certificates'] = false if server['verify_certificates'].nil?
  end
 end