Are you aware of the Microsoft advisory ADV190023 and its potential effects on GitLab's interaction with AD via LDAP?
Microsoft has a knowledge base article and a corresponding advisory, ADV190023, which describes how Microsoft's Active Directory Services will receive changed defaults for LDAP channel binding and LDAP signing.
Even now GitLab-CE doesn't appear to support SASL to the extent OmniAuth does. Clear text is supported out of the box.
Quote from advisory:
The security of a directory server can be significantly improved by configuring the server to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. SASLs may include protocols such as the Negotiate, Kerberos, NTLM, and Digest protocols. Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.
This likely means that the changed defaults (i.e. whenever the admin hasn't deliberately weakened or strengthened the settings) will make it impossible to authenticate via cleartext or SASL (without StartTLS) on port 389.
Given this change outside of GitLab which would affect GitLab, perhaps the documentation should mention the advisory?
What is the process to suggest documentation changes by way of a merge request?
Thanks.
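As an added example (not code from the original post or from GitLab itself), here is a small Ruby check over a gitlab.rb-style `ldap_servers` hash that flags the entries the changed defaults would break, with a cleartext configuration beside its LDAPS equivalent. It uses the `encryption`, `port` and `verify_certificates` keys of GitLab's LDAP settings; the host name and DNs are constructed sample values.

```ruby
# Added example (not GitLab's own code): flag ldap_servers entries that
# stop working once a domain controller applies the ADV190023 defaults
# (simple binds over cleartext rejected; unsigned SASL binds rejected).
# Host name and DNs below are constructed sample values.

# Constructed sample: a typical cleartext simple bind to AD on port 389.
WEAK_SERVERS = {
  'main' => {
    'host'             => 'dc01.corp.example.test',
    'port'             => 389,
    'encryption'       => 'plain',
    'bind_dn'          => 'CN=gitlab,OU=svc,DC=corp,DC=example,DC=test',
    'base'             => 'DC=corp,DC=example,DC=test',
    'active_directory' => true,
  },
}

# The same server after the fix: LDAPS on 636 with certificate verification.
HARDENED_SERVERS = {
  'main' => WEAK_SERVERS['main'].merge(
    'port'                => 636,
    'encryption'          => 'simple_tls',
    'verify_certificates' => true,
  ),
}

# Returns { server_name => [finding, ...] }; an empty array means the
# entry should keep working under the new defaults.
def adv190023_findings(servers)
  servers.to_h do |name, cfg|
    findings = []
    enc = cfg.fetch('encryption', 'plain')
    # GitLab performs a simple bind; without TLS that is exactly the
    # cleartext simple bind the new signing default rejects.
    findings << 'cleartext simple bind (rejected by the new LDAP signing default)' if enc == 'plain'
    findings << 'start_tls on port 636 (LDAPS port expects simple_tls)' if enc == 'start_tls' && cfg['port'] == 636
    findings << 'simple_tls on port 389 (use start_tls, or port 636)' if enc == 'simple_tls' && cfg['port'] == 389
    # TLS without certificate verification still leaves the bind exposed to interception.
    findings << 'verify_certificates disabled' if enc != 'plain' && cfg['verify_certificates'] == false
    [name, findings]
  end
end

if __FILE__ == $PROGRAM_NAME
  { weak: WEAK_SERVERS, hardened: HARDENED_SERVERS }.each do |label, servers|
    adv190023_findings(servers).each { |n, f| puts "#{label}/#{n}: #{f.empty? ? 'ok' : f.join('; ')}" }
  end
end
```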