diff options
| author | Drew Blessing <drew@gitlab.com> | 2015-12-08 18:47:42 +0300 |
|---|---|---|
| committer | Drew Blessing <drew@gitlab.com> | 2015-12-08 20:15:30 +0300 |
| commit | bf5683f8892c4aefc4c996812ece6291b701dada (patch) | |
| tree | 0d16e4ef7bd4232b83882fc210b84771f6ae0c81 | |
| parent | 14165e59726b0813af90f785037d96d0973adf6d (diff) | |
Block LDAP user when they are no longer found in the LDAP server
| -rw-r--r-- | CHANGELOG | 1 | ||||
| -rw-r--r-- | doc/integration/ldap.md | 8 | ||||
| -rw-r--r-- | lib/gitlab/ldap/access.rb | 4 | ||||
| -rw-r--r-- | spec/lib/gitlab/ldap/access_spec.rb | 5 |
4 files changed, 16 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG index 7c0c94f4874..67f70e676c2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -23,6 +23,7 @@ v 8.3.0 (unreleased) - Run custom Git hooks when branch is created or deleted. - Fix bug when simultaneously accepting multiple MRs results in MRs that are of "merged" status, but not merged to the target branch - Add languages page to graphs + - Block LDAP user when they are no longer found in the LDAP server v 8.2.3 - Fix application settings cache not expiring after changes (Stan Hu) diff --git a/doc/integration/ldap.md b/doc/integration/ldap.md index 7e2920b8865..845f588f913 100644 --- a/doc/integration/ldap.md +++ b/doc/integration/ldap.md @@ -13,6 +13,12 @@ An LDAP user who is allowed to change their email on the LDAP server can [take o We recommend against using GitLab LDAP integration if your LDAP users are allowed to change their 'mail', 'email' or 'userPrincipalName' attribute on the LDAP server. +If a user is deleted from the LDAP server, they will be blocked in GitLab as well. +Users will be immediately blocked from logging in. However, there is an LDAP check +cache time of one hour. The means users that are already logged in or are using Git +over SSH will still be able to access GitLab for up to one hour. Manually block +the user in the GitLab Admin area to immediately block all access. + ## Configuring GitLab for LDAP integration To enable GitLab LDAP integration you need to add your LDAP server settings in `/etc/gitlab/gitlab.rb` or `/home/git/gitlab/config/gitlab.yml`. @@ -192,4 +198,4 @@ Not supported by GitLab's configuration options. When setting `method: ssl`, the underlying authentication method used by `omniauth-ldap` is `simple_tls`. This method establishes TLS encryption with the LDAP server before any LDAP-protocol data is exchanged but no validation of -the LDAP server's SSL certificate is performed.
\ No newline at end of file +the LDAP server's SSL certificate is performed. diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb index 16ff03c38d4..c438a3d167b 100644 --- a/lib/gitlab/ldap/access.rb +++ b/lib/gitlab/ldap/access.rb @@ -37,13 +37,15 @@ module Gitlab # Block user in GitLab if he/she was blocked in AD if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter) - user.block unless user.blocked? + user.block false else user.activate if user.blocked? && !ldap_config.block_auto_created_users true end else + # Block the user if they no longer exist in LDAP/AD + user.block false end rescue diff --git a/spec/lib/gitlab/ldap/access_spec.rb b/spec/lib/gitlab/ldap/access_spec.rb index c38f212b405..960547a0ad7 100644 --- a/spec/lib/gitlab/ldap/access_spec.rb +++ b/spec/lib/gitlab/ldap/access_spec.rb @@ -13,6 +13,11 @@ describe Gitlab::LDAP::Access do end it { is_expected.to be_falsey } + + it 'should block user in GitLab' do + access.allowed? + expect(user).to be_blocked + end end context 'when the user is found' do |