summaryrefslogtreecommitdiff
path: root/doc/integration/ldap.md
diff options
context:
space:
mode:
Diffstat (limited to 'doc/integration/ldap.md')
-rw-r--r--doc/integration/ldap.md25
1 files changed, 25 insertions, 0 deletions
diff --git a/doc/integration/ldap.md b/doc/integration/ldap.md
index 62bb957d951..ee472ac3e3b 100644
--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -17,3 +17,28 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for them
GitLab recognizes the following LDAP attributes as email addresses: `mail`, `email` and `userPrincipalName`.
If multiple LDAP email attributes are present, e.g. `mail: foo@bar.com` and `email: foo@example.com`, then the first attribute found wins -- in this case `foo@bar.com`.
+
+## Using an LDAP filter to limit access to your GitLab server
+
+If you want to limit all GitLab access to a subset of the LDAP users on your LDAP server you can set up an LDAP user filter.
+The filter must comply with [RFC 4515](http://tools.ietf.org/search/rfc4515).
+
+```ruby
+# For omnibus-gitlab
+gitlab_rails['ldap_user_filter'] = '(employeeType=developer)'
+```
+
+```yaml
+# For installations from source
+production:
+ ldap:
+ user_filter: '(employeeType=developer)'
+```
+
+Tip: if you want to limit access to the nested members of an Active Directory group you can use the following syntax:
+
+```
+(memberOf:1.2.840.113556.1.4.1941:=CN=My Group,DC=Example,DC=com)
+```
+
+Please note that GitLab does not support the custom filter syntax used by omniauth-ldap.
View Lorry Controller Status