Encrypted ldap POC: Rails encrypted credentials
Two different (but similar) implementation options
Rails encrypted config
This involves introducing the option for the master key to Rails, and updating LDAP to optionally check Rails.application.encrypted for the LDAP credential. Users can edit the credentials using rails encrypted:edit <password-file> (gitlab-rails encrypted:edit <passwordfile> from omnibus).
Using the lockbox gem
The Rails codebase is already using lockbox for encrypting/decrypting the tfstate files: gitlab!26619 (merged).
Introduce an optional config for providing an encrypted password file to LDAP, read the file using lockbox, and introduce some rake commands for writing the secret.
Sidenote: The ldap password code is located here: https://gitlab.com/gitlab-org/gitlab/-/blob/63d934809641277edbf546fd7ae0610a475f002c/lib/gitlab/auth/ldap/config.rb#L273
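Both options come down to the same optional lookup: prefer an encrypted password file when one is configured, otherwise keep using the plaintext LDAP password. The sketch below is an added example, not GitLab's code: the module, method and option names are hypothetical, and AES-256-GCM from Ruby's OpenSSL standard library stands in for lockbox or Rails encrypted files.

```ruby
require "openssl"
require "tmpdir"

# Added illustration: module, method and option names are hypothetical.
# AES-256-GCM from Ruby's OpenSSL stdlib stands in for lockbox or Rails
# encrypted files, whose on-disk formats differ from this one.
module EncryptedLdapSecret
  CIPHER = "aes-256-gcm"
  AAD = "ldap-password" # binds the ciphertext to this one purpose

  # Encrypt the password and store "iv--tag--ciphertext" (Base64) at path.
  def self.write(path, password, key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = AAD
    ciphertext = cipher.update(password) + cipher.final
    File.write(path, [iv, cipher.auth_tag, ciphertext].map { |p| [p].pack("m0") }.join("--"))
    File.chmod(0o600, path)
  end

  # Decrypt the file; a wrong key or a modified file raises
  # OpenSSL::Cipher::CipherError instead of returning garbage.
  def self.read(path, key)
    iv, tag, ciphertext = File.read(path).strip.split("--").map { |p| p.unpack1("m0") }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = AAD
    (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
  end

  # The lookup is optional: use the encrypted file when one is configured,
  # otherwise fall back to the existing plaintext "password" setting.
  def self.ldap_password(options, key)
    file = options["encrypted_password_file"]
    file ? read(file, key) : options["password"]
  end
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32) # constructed key for the demo
  path = File.join(Dir.mktmpdir, "ldap_password.enc")
  EncryptedLdapSecret.write(path, "constructed-bind-password", key)
  puts EncryptedLdapSecret.ldap_password({ "encrypted_password_file" => path }, key)
end
```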