LDAP Changes for 9.0
This is a rough list of things we may want to evaluate as major/breaking changes for GitLab 9.0.
- `method` - This is currently dictated by omniauth-ldap. `ssl` maps to `simple_tls` and `tls` maps to `start_tls`. This is awful. Let's fix the issue in omniauth-ldap and use the real settings of `simple_tls` and `start_tls`. Those are MUCH less ambiguous.
- `sync_time` - This sounds like it would be related to group sync. It's not. It dictates how often GitLab checks to see if the user is still valid in LDAP and will expire the user session if needed. Rename it to something more descriptive.
- Improve derived username. Currently I think we use the email address and strip off the @ domain. LDAP HAS a username/uid. I've seen various requests that we use this instead of short email. Turns out this is already the behavior. I'm not sure why I thought it to be otherwise. But this is also complicated by the `allow_username_or_email_login`. The `name_proc` we pass to omniauth just lops off the domain. There's probably a better way - filters and such. No reason we can't allow username or email login all the time and get rid of the config. We can fix half a dozen oddities here.
- In Omnibus and docs, change from YAML to something more manageable. YAML is really fragile because of indentation. Because of Omnibus it's also becoming more and more foreign shoved in the middle of Ruby syntax. It's also difficult for support because customers will copy/paste the YAML in their email client and the indentation is lost. This makes it impossible for us to tell if they have an actual configuration issue or if it's syntax/indentation.
- Group links with full DN https://gitlab.com/gitlab-org/gitlab-ee/issues/1197
- Remove ability to set group links with CN-only via API - Related to https://gitlab.com/gitlab-org/gitlab-ee/issues/1197
- LDAP failover support https://gitlab.com/gitlab-org/gitlab-ee/issues/139
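As an added illustration of the `method` and derived-username items above (example code, not GitLab's or omniauth-ldap's own), the snippet below maps the ambiguous legacy `ssl`/`tls` values to `simple_tls`/`start_tls` while recording a deprecation warning, and prefers the LDAP uid over the email local part when deriving a login name. The helper names, the `plain` value for "no encryption", and the warning text are assumptions.

```ruby
# Added example, not GitLab or omniauth-ldap code. Normalises the legacy LDAP
# `method` setting ('ssl' meant LDAPS, 'tls' meant STARTTLS) to the explicit
# Net::LDAP encryption names and records a deprecation warning so admins can
# migrate before the breaking release. 'plain' (no encryption) is an assumed
# value for this example.
LEGACY_METHODS = {
  'ssl' => 'simple_tls', # LDAPS: TLS from the first byte (typically port 636)
  'tls' => 'start_tls'   # STARTTLS: plaintext connect, then upgrade to TLS
}.freeze

VALID_METHODS = %w[plain simple_tls start_tls].freeze

# Returns [normalised_method, warnings]. Unknown values are rejected rather
# than silently downgraded, so a typo can never turn into an unencrypted bind.
def normalize_ldap_method(method, warnings = [])
  value = method.to_s.strip.downcase
  if LEGACY_METHODS.key?(value)
    replacement = LEGACY_METHODS[value]
    warnings << "LDAP `method: #{value}` is deprecated; use `method: #{replacement}`"
    return [replacement, warnings]
  end
  unless VALID_METHODS.include?(value)
    raise ArgumentError,
          "unknown LDAP method #{method.inspect}; expected one of #{VALID_METHODS.join(', ')}"
  end
  [value, warnings]
end

# Derive the GitLab login name from the directory entry: use the LDAP uid when
# present, otherwise fall back to the local part of the email (what a
# domain-stripping name_proc does today).
def derive_username(uid:, email:)
  clean_uid = uid.to_s.strip
  return clean_uid unless clean_uid.empty?
  local, _domain = email.to_s.strip.split('@', 2)
  local.to_s
end

if __FILE__ == $PROGRAM_NAME
  method, warnings = normalize_ldap_method('ssl')
  puts "method => #{method}"
  warnings.each { |w| warn w }
  puts derive_username(uid: 'jdoe', email: 'john.doe@example.com')
end
```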
Where possible, make decisions about these things prior to 9.0 and add deprecation warnings.