Snippets Groups Projects

Add option for LDAP-only authentication to a GitLab instance

Description

Some enterprise customers, especially in heavy compliance industries, need to have strict controls over who can access systems and data, including GitLab. Some would like to enforce access to GitLab through their primary authentication platform for all major systems - LDAP. However it is possible for group master/owners to add users who are not part of the central LDAP groups. This means they do not have truly centralized control over who can access critical information.

Benefit: This would allow the customer to confidently state that they have a clear and reliable process to manage access to information in GitLab, the same as they do with other critical business systems. It would also greatly reduce labor and process needed to audit access controls.

Proposal

Add an option for a GitLab instance to authenticate only LDAP users, so that GitLab owners and masters cannot add users around an organizations centralized access management in LDAP. It would be acceptable for a "root" user to remain if needed, however that user should not have the ability to invite/add new users who are not in LDAP groups so long as LDAP is enabled with this new setting.

Links / references

Customers

https://gitlab.my.salesforce.com/00161000004yxTT

Designs

Child items ...

Activity

Mark Fletcher @markglenfletcher · 6 years ago

Contributor

/cc @jeremy_
Mark Fletcher added ~2278658 ldap settings labels 6 years ago

added ~2278658 ldap settings labels
Drew Blessing @dblessing · 6 years ago

Maintainer
@pharlan To be clear, the request isn't to restrict LDAP authentication, which can already be done by disabling other sign in methods, but to restrict the ability for group/project masters to change membership so it can be restricted to group sync only?

We sort of discussed this a while back in https://gitlab.com/gitlab-org/gitlab-ee/issues/918. We added the option to restrict group admins to https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/2529 as a 'solution' to this.

To fully restrict then it looks like the following:

Restrict group admins to global GitLab admins

Restrict the ability for project owners to change/add membership.

I'm not saying we shouldn't discuss this but wanted to make sure we recall that previous discussion.
Patrick Harlan @pharlan · 6 years ago

Author

Yes, that is correct. Sorry I misunderstood the request.

Should we create a new issue or modify this one?
Drew Blessing @dblessing · 6 years ago

Maintainer

@pharlan Modifying this is fine.
🤖 GitLab Bot 🤖 added Manage [DEPRECATED] label 6 years ago

added Manage [DEPRECATED] label
🤖 GitLab Bot 🤖 added devopsmanage label 5 years ago

added devopsmanage label
🤖 GitLab Bot 🤖 added [deprecated] Accepting merge requests label 5 years ago

added [deprecated] Accepting merge requests label
🤖 GitLab Bot 🤖 removed [deprecated] Accepting merge requests label 5 years ago

removed [deprecated] Accepting merge requests label
🤖 GitLab Bot 🤖 added groupauthentication and authorization [DEPRECATED] label 5 years ago

added groupauthentication and authorization [DEPRECATED] label
🤖 GitLab Bot 🤖 added Enterprise Edition label 5 years ago

added Enterprise Edition label
🤖 GitLab Bot 🤖 added sectiondev label 4 years ago

added sectiondev label
🤖 GitLab Bot 🤖 added customer label 4 years ago

added customer label
Hannah Sutor @hsutor · 1 year ago

Developer

I think this is a problem that's already solved (5 years later). I'm going to close this one
Hannah Sutor closed 1 year ago

closed

Please register or sign in to reply

Due date

None

Health status

None

Confidentiality

Confidentiality controls have moved to the issue actions menu () at the top of the page.

0 Participants