diff options
author | Evan Read <eread@gitlab.com> | 2019-08-02 06:32:04 +0000 |
---|---|---|
committer | Evan Read <eread@gitlab.com> | 2019-08-02 06:32:04 +0000 |
commit | cb497dd4bcb3b67dcef70d62a9a1b8fbc6d95c09 (patch) | |
tree | 34fd9545755babf9e11f9012fbdaf79af143a522 | |
parent | 919ff576110341ac80a2ff520b7478f4affbf195 (diff) | |
parent | 3519111296c9f05ec7202b1a9c75cb09c65948d3 (diff) | |
download | gitlab-ce-cb497dd4bcb3b67dcef70d62a9a1b8fbc6d95c09.tar.gz |
Merge branch 'georgekoltsov/64501-update-ldap-doc' into 'master'
Update ldap#security section
See merge request gitlab-org/gitlab-ce!31335
-rw-r--r-- | doc/administration/auth/ldap.md | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md index beacaa99d60..186bf4c4825 100644 --- a/doc/administration/auth/ldap.md +++ b/doc/administration/auth/ldap.md @@ -33,15 +33,18 @@ information services over an Internet Protocol (IP) network. ## Security -GitLab assumes that LDAP users are not able to change their LDAP 'mail', 'email' -or 'userPrincipalName' attribute. An LDAP user who is allowed to change their -email on the LDAP server can potentially -[take over any account](#enabling-ldap-sign-in-for-existing-gitlab-users) -on your GitLab server. +GitLab assumes that LDAP users: + +- Are not able to change their LDAP `mail`, `email`, or `userPrincipalName` attribute. + An LDAP user who is allowed to change their email on the LDAP server can potentially + [take over any account](#enabling-ldap-sign-in-for-existing-gitlab-users) + on your GitLab server. +- Have unique email addresses, otherwise it is possible for LDAP users with the same + email address to share the same GitLab account. We recommend against using LDAP integration if your LDAP users are -allowed to change their 'mail', 'email' or 'userPrincipalName' attribute on -the LDAP server. +allowed to change their 'mail', 'email' or 'userPrincipalName' attribute on +the LDAP server or share email addresses. ### User deletion |