Option to prevent LDAP sign in
What
Adds a `prevent_ldap_sign_in` setting to prevent using LDAP for sign in.
Continuation of gitlab-foss!31316 (closed) with tests added
Why
When another system such as SAML is used for authentication, it can be desirable to disable LDAP for authentication. In particular, LDAP can be useful for synchronizing group membership while being a security risk for sign in because of the way passwords are handled. Additionally, it can allow users to bypass 2FA policies.
Closes #15626 (closed)
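As an added illustration (not part of this MR's diff), this is how the two states compare in a source-install `gitlab.yml`: the `ldap:` block with its `enabled` and `servers` keys is assumed from GitLab's existing LDAP configuration, and the host, bind DN and password values are placeholders.

```yaml
# Constructed example: LDAP kept for directory/group synchronisation
# but not accepted as a sign-in method.
production:
  ldap:
    enabled: true
    # Weak: leaving the setting out (or set to false) keeps the LDAP
    # sign-in form and LDAP password checks available, so a user can
    # authenticate with an LDAP password and bypass the SAML flow and
    # any 2FA policy enforced there.
    # prevent_ldap_sign_in: false
    #
    # Hardened: LDAP credentials are no longer accepted for sign in;
    # users must authenticate through the other configured provider,
    # while group membership can still be read from the directory.
    prevent_ldap_sign_in: true
    servers:
      main:
        label: 'LDAP'
        host: 'ldap.example.com'                       # placeholder
        port: 389
        uid: 'sAMAccountName'
        bind_dn: 'CN=svc-gitlab,OU=Service,DC=example,DC=com'  # placeholder
        password: '<bind-password-placeholder>'
        encryption: 'start_tls'
```

After changing the value, restart the Rails application and confirm the LDAP tab is absent from the sign-in page and that an LDAP password is rejected.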
Screenshots
[Screenshots not included in the extracted text: "With LDAP sign in allowed" and "With LDAP sign in prevented"]
Does this MR meet the acceptance criteria?
Todo / follow up
- Changelog entry
- Documentation created/updated or follow-up review issue created
- Create omnibus MR for the gitlab.rb setting
- Find out if LDAP can be used for API/Git/Token sign in and ensure those are covered => See #15626 (comment 232200150)
Risks and testing
If we get the default value for `prevent_ldap_sign_in` wrong, this could lead to users being unable to sign in to their instance.
Future changes that break this or allow it to be bypassed would be considered security flaws. I've included tests at multiple levels including controller, routing, and config to help mitigate this risk.
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Add QA test. I need to find out how to run the orchestrated tests locally, and how to run them with a different configuration.
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team