diff options
| author | Pavel Shutsin <pshutsin@gitlab.com> | 2019-06-06 23:00:31 +0300 |
|---|---|---|
| committer | Pavel Shutsin <pshutsin@gitlab.com> | 2019-06-13 20:29:23 +0300 |
| commit | 7b1b66416b5287e5e5f928a276440d9b1e4badb5 (patch) | |
| tree | 4c68e8f04a0e40b0bc36614318c5af1f4caba2ed | |
| parent | 63e565153149eb740c08407649ea35a2ed4d128e (diff) | |
| download | gitlab-ce-4354-lock-memberships-to-ldap-sync-part-1.tar.gz | |
EE port: add app-wide LDAP membership lock field4354-lock-memberships-to-ldap-sync-part-1
| -rw-r--r-- | db/migrate/20190604091310_add_ldap_membership_lock.rb | 20 | ||||
| -rw-r--r-- | db/schema.rb | 1 | ||||
| -rw-r--r-- | doc/administration/auth/ldap-ee.md | 9 |
3 files changed, 30 insertions, 0 deletions
diff --git a/db/migrate/20190604091310_add_ldap_membership_lock.rb b/db/migrate/20190604091310_add_ldap_membership_lock.rb new file mode 100644 index 00000000000..1afc6aeefd5 --- /dev/null +++ b/db/migrate/20190604091310_add_ldap_membership_lock.rb @@ -0,0 +1,20 @@ +# frozen_string_literal: true + +# See http://doc.gitlab.com/ce/development/migration_style_guide.html +# for more information on how to write migrations for GitLab. + +class AddLdapMembershipLock < ActiveRecord::Migration[5.1] + include Gitlab::Database::MigrationHelpers + + DOWNTIME = false + + disable_ddl_transaction! + + def up + add_column_with_default(:application_settings, :lock_memberships_to_ldap, :boolean, default: false) + end + + def down + remove_column(:application_settings, :lock_memberships_to_ldap) + end +end diff --git a/db/schema.rb b/db/schema.rb index 392edf89430..7a9274e1e77 100644 --- a/db/schema.rb +++ b/db/schema.rb @@ -195,6 +195,7 @@ ActiveRecord::Schema.define(version: 20190611161641) do t.text "encrypted_lets_encrypt_private_key_iv" t.boolean "dns_rebinding_protection_enabled", default: true, null: false t.boolean "default_project_deletion_protection", default: false, null: false + t.boolean "lock_memberships_to_ldap", default: false, null: false t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree end diff --git a/doc/administration/auth/ldap-ee.md b/doc/administration/auth/ldap-ee.md index 30095d35705..15f093bb62d 100644 --- a/doc/administration/auth/ldap-ee.md +++ b/doc/administration/auth/ldap-ee.md @@ -183,6 +183,15 @@ group, as opposed to the full DN. 1. [Restart GitLab][restart] for the changes to take effect. +## Global group memberships lock + +"Lock memberships to LDAP synchronization" setting allows instance administrators +to lock down user abilities to invite new members to a group. When enabled following happens: + +1. Only administrator can manage memberships of any group including access levels. +2. Users are not allowed to share project with other groups or invite members to a project created in a group. + + ## Adjusting LDAP user sync schedule > Introduced in GitLab Enterprise Edition Starter. |