Restricting access to LDAP users only still allows login via confirmation link
- Dev: https://dev.gitlab.org/gitlab/gitlabhq/issues/1941
- Omnibus package / Source installation: Affects both
- GitLab version: Tested on 7.6.3 and 7.7.1
- Zendesk ticket: https://gitlab.zendesk.com/agent/tickets/1712
Description of Issue
If you want to allow only LDAP users to log in to GitLab, you disable the sign-in feature. This denies access to any user who is not in the LDAP directory. But if the admin creates a user via the UI and that user clicks the confirmation link and sets a password, they are granted access to the instance.
Result of Replication
I confirmed the bug on 7.6.3 and 7.7.1 and the steps to reproduce it are:
- Enable LDAP and disable login
- As admin create a new user with a valid email
- As that user, click on the confirmation link and set up a new password
- You are now logged in, even though you are not in LDAP
Concrete questions / Next steps
I know this might not be a security issue, since it requires an admin to first create a new account and, once you log out of that account, you can no longer log back in. But I think it is worth a look. The next step would be to get a developer involved.
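The flow in the report, modelled as an added Ruby example (hypothetical code written for this issue, not GitLab's own): the sign-in form checks the "sign-in disabled" setting, but the confirmation handler creates a session without applying the same gate. The `Settings`, `User`, `Session` names and the two handler functions are assumptions.

```ruby
# Hypothetical model of the reported flow; not GitLab code.
# "LDAP users only" here means: LDAP enabled, password sign-in disabled.
Settings = Struct.new(:ldap_enabled, :signin_enabled, keyword_init: true)

class User
  attr_reader :email, :ldap_uid, :confirmed, :password
  def initialize(email:, ldap_uid: nil)
    @email, @ldap_uid, @confirmed, @password = email, ldap_uid, false, nil
  end

  # Called when the user follows the confirmation link and sets a password.
  def confirm!(password)
    @confirmed = true
    @password = password
  end
end

class Session
  attr_reader :current_user
  def sign_in(user)
    @current_user = user
  end
end

# The gate the regular sign-in form applies: password-based sign-in is
# only allowed when the setting is on (LDAP users authenticate elsewhere).
def password_sign_in_allowed?(settings)
  settings.signin_enabled
end

# Vulnerable flow (the reported behaviour): confirming the account and
# setting a password always signs the user in; the gate above is skipped.
def confirm_and_set_password_vulnerable(settings, session, user, password)
  user.confirm!(password)
  session.sign_in(user)
  true
end

# Hardened flow: the confirmation handler reuses the sign-in gate. The
# account is still confirmed, but no session is created when password
# sign-in is disabled, so the user stays locked out exactly like the form.
def confirm_and_set_password_hardened(settings, session, user, password)
  user.confirm!(password)
  return false unless password_sign_in_allowed?(settings)
  session.sign_in(user)
  true
end
```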
Job
Hm, seems like a minor issue. Why would the admin create a user if she disabled login? I say we either don't fix this or fix it in a far-away release. What do you think, dzaporozhets?
Dmitriy
Yes, it is a bug, but the same admin can enable sign-in and even signup. So I don't see a big deal with security here. We can put this issue in the Backlog.