Merge branch 'ldap-email-attribute' into 'master'

LDAP users should not control their LDAP email If they can, they can take over arbitrary GitLab accounts. See merge request !1837

Merge branch 'ldap-email-attribute' into 'master'
LDAP users should not control their LDAP email If they can, they can take over arbitrary GitLab accounts. See merge request !1837
8d24b935 · Job van der Voort · 79aac2c1 · 98ff4131 · 8d24b935
Commit 8d24b935 authored Jun 03, 2015 by Job van der Voort
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

doc/integration/ldap.md doc/integration/ldap.md +7 -0

No files found.
--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -6,6 +6,13 @@ The first time a user signs in with LDAP credentials, GitLab will create a new G

 GitLab user attributes such as nickname and email will be copied from the LDAP user entry.

+## Security
+
+GitLab assumes that LDAP users are not able to change their LDAP 'mail', 'email' or 'userPrincipalName' attribute.
+An LDAP user who is allowed to change their email on the LDAP server can [take over any account](#enabling-ldap-sign-in-for-existing-gitlab-users) on your GitLab server.
+
+We recommend against using GitLab LDAP integration if your LDAP users are allowed to change their 'mail', 'email' or 'userPrincipalName'  attribute on the LDAP server.
+
 ## Configuring GitLab for LDAP integration

 To enable GitLab LDAP integration you need to add your LDAP server settings in `/etc/gitlab/gitlab.rb` or `/home/git/gitlab/config/gitlab.yml`.