author: Stan Hu <stanhu@gmail.com> 2019-06-14 17:49:13 +0000
committer: Stan Hu <stanhu@gmail.com> 2019-06-14 17:49:13 +0000
commit: 26ae8788218037c3ec7e12efc67ea3baa237972a
tree: 209efca8e1d043b2f9470137b6c4625a0a41a11f
parent: 34b8231d49c880fc07f63c0b48f916a4f864e9c5
parent: 7b1b66416b5287e5e5f928a276440d9b1e4badb5
Merge branch '4354-lock-memberships-to-ldap-sync-part-1' into 'master'

EE migration port: add app-wide LDAP membership lock field

See merge request gitlab-org/gitlab-ce!29302

-rw-r--r-- db/migrate/20190604091310_add_ldap_membership_lock.rb 20
-rw-r--r-- db/schema.rb 1
-rw-r--r-- doc/administration/auth/ldap-ee.md 9
3 files changed, 30 insertions, 0 deletions
diff --git a/db/migrate/20190604091310_add_ldap_membership_lock.rb b/db/migrate/20190604091310_add_ldap_membership_lock.rb
new file mode 100644
index 00000000000..1afc6aeefd5
--- /dev/null
+++ b/db/migrate/20190604091310_add_ldap_membership_lock.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLdapMembershipLock < ActiveRecord::Migration[5.1]
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+
+ disable_ddl_transaction!
+
+ def up
+ add_column_with_default(:application_settings, :lock_memberships_to_ldap, :boolean, default: false)
+ end
+
+ def down
+ remove_column(:application_settings, :lock_memberships_to_ldap)
+ end
+end
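Review bot: nothing in `up`, or anywhere else in this commit, reads `lock_memberships_to_ldap`. The diffstat lists only this migration, `db/schema.rb` and the docs page, so after the migration runs the column exists with `default: false` and toggling it changes no behaviour. Add a short comment above `def up` stating that the column is ported for schema parity and is not enforced by this change, so that nobody treats it as an active access control. As a smaller style point, the style guide link in the header comment uses plain `http://`.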
diff --git a/db/schema.rb b/db/schema.rb
index 86a099d28b2..4ed7c0cb248 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -195,6 +195,7 @@ ActiveRecord::Schema.define(version: 20190611161641) do
t.text "encrypted_lets_encrypt_private_key_iv"
t.boolean "dns_rebinding_protection_enabled", default: true, null: false
t.boolean "default_project_deletion_protection", default: false, null: false
+ t.boolean "lock_memberships_to_ldap", default: false, null: false
t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
end
diff --git a/doc/administration/auth/ldap-ee.md b/doc/administration/auth/ldap-ee.md
index 30095d35705..15f093bb62d 100644
--- a/doc/administration/auth/ldap-ee.md
+++ b/doc/administration/auth/ldap-ee.md
@@ -183,6 +183,15 @@ group, as opposed to the full DN.
1. [Restart GitLab][restart] for the changes to take effect.
+## Global group memberships lock
+
+"Lock memberships to LDAP synchronization" setting allows instance administrators
+to lock down user abilities to invite new members to a group. When enabled following happens:
+
+1. Only administrator can manage memberships of any group including access levels.
+2. Users are not allowed to share project with other groups or invite members to a project created in a group.
+
+
## Adjusting LDAP user sync schedule
> Introduced in GitLab Enterprise Edition Starter.
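Review bot: the new "Global group memberships lock" section says what happens "When enabled" but not where an administrator finds the setting or which version and tier introduced it, while the section right after it carries `> Introduced in GitLab Enterprise Edition Starter.`; add the same kind of note and the location of the setting. Because this commit adds only the column, the text should also say whether the restrictions in items 1 and 2 are enforced by this change. On wording, prefer "When enabled, the following happens:", "Only administrators can manage memberships of any group, including access levels" and "share a project". The hunk also adds two blank lines before `## Adjusting LDAP user sync schedule`, where one is enough.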