Add LDAP_PREVENT_LDAP_SIGN_IN configuration parameter

l00v3 · l00v3 · commit 9b7536a32ebe · 2021-03-12T11:59:03.000+01:00
Committer: l00v3 &lt;love@localhost.localdomain&gt;
diff --git a/README.md b/README.md
@@ -1015,6 +1015,7 @@ Below is the complete list of available options that can be used to customize yo
 | `LDAP_USER_ATTRIBUTE_FIRSTNAME` | Attribute field for the forename of a user. Default to `givenName` |
 | `LDAP_USER_ATTRIBUTE_LASTNAME` |  Attribute field for the surname of a user. Default to `sn` |
 | `LDAP_LOWERCASE_USERNAMES` | GitLab will lower case the username for the LDAP Server. Defaults to `false` |
+| `LDAP_PREVENT_LDAP_SIGN_IN` | Set to `true` to [Disable LDAP web sign in](https://docs.gitlab.com/ce/administration/auth/ldap/#disable-ldap-web-sign-in), defaults to `false` |
 | `OAUTH_ENABLED` | Enable OAuth support. Defaults to `true` if any of the support OAuth providers is configured, else defaults to `false`. |
 | `OAUTH_AUTO_SIGN_IN_WITH_PROVIDER` | Automatically sign in with a specific OAuth provider without showing GitLab sign-in page. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
 | `OAUTH_ALLOW_SSO` | Comma separated list of oauth providers for single sign-on. This allows users to login without having a user account. The account is created automatically when authentication is successful. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default. |
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -593,7 +593,7 @@ production: &base
   #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
   ldap:
     enabled: {{LDAP_ENABLED}}
-    prevent_ldap_sign_in: false
+    prevent_ldap_sign_in: {{LDAP_PREVENT_LDAP_SIGN_IN}}
 
     # This setting controls the number of seconds between LDAP permission checks
     # for each user. After this time has expired for a given user, their next
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -344,6 +344,7 @@ LDAP_USER_ATTRIBUTE_LASTNAME=${LDAP_USER_ATTRIBUTE_LASTNAME:-sn}
 LDAP_LOWERCASE_USERNAMES="${LDAP_LOWERCASE_USERNAMES:-false}"
 LDAP_LABEL=${LDAP_LABEL:-LDAP}
 LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}
+LDAP_PREVENT_LDAP_SIGN_IN=${LDAP_PREVENT_LDAP_SIGN_IN:-false}
 case ${LDAP_UID} in
   userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;;
   *) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true}
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -439,7 +439,8 @@ gitlab_configure_ldap() {
     LDAP_USER_ATTRIBUTE_NAME \
     LDAP_USER_ATTRIBUTE_FIRSTNAME \
     LDAP_USER_ATTRIBUTE_LASTNAME \
-    LDAP_LABEL
+    LDAP_LABEL \
+    LDAP_PREVENT_LDAP_SIGN_IN
 }
 
 gitlab_configure_oauth_cas3() {

Original file line number	Diff line number	Diff line change
`@@ -439,7 +439,8 @@ gitlab_configure_ldap() {`
`439`	`439`	`LDAP_USER_ATTRIBUTE_NAME \`
`440`	`440`	`LDAP_USER_ATTRIBUTE_FIRSTNAME \`
`441`	`441`	`LDAP_USER_ATTRIBUTE_LASTNAME \`
`442`		`- LDAP_LABEL`
	`442`	`+ LDAP_LABEL \`
	`443`	`+ LDAP_PREVENT_LDAP_SIGN_IN`
`443`	`444`	`}`
`444`	`445`
`445`	`446`	`gitlab_configure_oauth_cas3() {`