author: Jacob Vosmaer <contact@jacobvosmaer.nl> 2015-06-03 13:40:47 +0200
committer: Jacob Vosmaer <contact@jacobvosmaer.nl> 2015-06-03 13:40:47 +0200
commit: 98ff4131cd82933b28989df33256f1eb75af1a14 (patch)
tree: 5fbe5ac21e34b81ab18d58602e3d6ca39005f76a
parent: 79aac2c128e0c2fa8fd657af273fbd219002f39c (diff)
LDAP users should not control their LDAP email
-rw-r--r-- doc/integration/ldap.md 7
1 files changed, 7 insertions, 0 deletions
diff --git a/doc/integration/ldap.md b/doc/integration/ldap.md
index b67f793c591..904d5d7fee2 100644
--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -6,6 +6,13 @@ The first time a user signs in with LDAP credentials, GitLab will create a new G
GitLab user attributes such as nickname and email will be copied from the LDAP user entry.
+## Security
+
+GitLab assumes that LDAP users are not able to change their LDAP 'mail', 'email' or 'userPrincipalName' attribute.
+An LDAP user who is allowed to change their email on the LDAP server can [take over any account](#enabling-ldap-sign-in-for-existing-gitlab-users) on your GitLab server.
+
+We recommend against using GitLab LDAP integration if your LDAP users are allowed to change their 'mail', 'email' or 'userPrincipalName' attribute on the LDAP server.
+
## Configuring GitLab for LDAP integration
To enable GitLab LDAP integration you need to add your LDAP server settings in `/etc/gitlab/gitlab.rb` or `/home/git/gitlab/config/gitlab.yml`.
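Review bot: In the new Security section, the claim that a user can "take over any account" rests entirely on the link to #enabling-ldap-sign-in-for-existing-gitlab-users; the section never says why the email attribute matters. Add one sentence stating the mechanism here so the warning stands on its own, and confirm that anchor resolves, since its heading is not part of this hunk. The list 'mail', 'email' or 'userPrincipalName' is repeated verbatim in the first and last sentences; naming it once and referring back to it would keep the two from drifting apart. The closing recommendation would be more actionable if it told administrators what to verify on the LDAP server (that users have no write access to those attributes) instead of only advising against the integration.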