BigW Consortium Gitlab
Commit dd3e7ff0 authored Aug 29, 2017 by Michael Kozono
Default LDAP config verify_certificates to true
parent cbaa015c
Showing 3 changed files with 13 additions and 18 deletions
config/gitlab.yml.example +2 -3
config/initializers/1_settings.rb +5 -12
doc/administration/auth/ldap.md +6 -3
config/gitlab.yml.example
...
@@ -273,9 +273,8 @@ production: &base
...
@@ -273,9 +273,8 @@ production: &base
encryption: 'plain'
encryption: 'plain'
# Enables SSL certificate verification if encryption method is
# Enables SSL certificate verification if encryption method is
# "start_tls" or "simple_tls". (Defaults to false for backward-
# "start_tls" or "simple_tls". Defaults to true.
# compatibility)
verify_certificates: true
verify_certificates: false
# Specifies the path to a file containing a PEM-format CA certificate,
# Specifies the path to a file containing a PEM-format CA certificate,
# e.g. if you need to use an internal CA.
# e.g. if you need to use an internal CA.
...
...
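Review bot: The new comment above `verify_certificates: true` says only "Defaults to true." and drops the old backward-compatibility remark without telling an existing installation what changes. An administrator copying this example while using an internal CA gets no hint that verification will fail unless the CA file option described in the very next comment is set. Consider adding one line here that points at `ca_file`, matching the upgrade caveat this same commit adds to doc/administration/auth/ldap.md.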
config/initializers/1_settings.rb
...
@@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
...
@@ -155,18 +155,11 @@ if Settings.ldap['enabled'] || Rails.env.test?
server
[
'encryption'
]
=
'simple_tls'
if
server
[
'encryption'
]
==
'ssl'
server
[
'encryption'
]
=
'simple_tls'
if
server
[
'encryption'
]
==
'ssl'
server
[
'encryption'
]
=
'start_tls'
if
server
[
'encryption'
]
==
'tls'
server
[
'encryption'
]
=
'start_tls'
if
server
[
'encryption'
]
==
'tls'
# Certificates are not verified for backwards compatibility.
# Certificate verification was added in 9.4.2, and defaulted to false for
# This default should be flipped to true in 9.5.
# backwards-compatibility.
if
server
[
'verify_certificates'
].
nil?
#
server
[
'verify_certificates'
]
=
false
# Since GitLab 10.0, verify_certificates defaults to true for security.
server
[
'verify_certificates'
]
=
true
if
server
[
'verify_certificates'
].
nil?
message
=
<<-
MSG
.
strip_heredoc
LDAP SSL certificate verification is disabled for backwards-compatibility.
Please add the "verify_certificates" option to gitlab.yml for each LDAP
server. Certificate verification will be enabled by default in GitLab 9.5.
MSG
Rails
.
logger
.
warn
(
message
)
end
Settings
.
ldap
[
'servers'
][
key
]
=
server
Settings
.
ldap
[
'servers'
][
key
]
=
server
end
end
...
...
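Review bot: The `server['verify_certificates'].nil?` branch now applies `true` silently, and the `Rails.logger.warn` call that used to run in that branch is removed outright. Installations that never set the key switch from unverified to verified LDAP connections on upgrade, and if their certificate chain does not validate, nothing in the log ties the resulting breakage to this default. Consider keeping a log line when the default is applied, and adding a warning when a server sets `verify_certificates: false` explicitly together with `start_tls` or `simple_tls`. None of the three changed files is a spec, so the new default is also untested in this commit.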
doc/administration/auth/ldap.md
...
@@ -87,9 +87,12 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
...
@@ -87,9 +87,12 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
encryption: 'plain'
encryption: 'plain'
# Enables SSL certificate verification if encryption method is
# Enables SSL certificate verification if encryption method is
# "start_tls" or "simple_tls". (Defaults to false for backward-
# "start_tls" or "simple_tls". Defaults to true since GitLab 10.0 for
# compatibility)
# security. This may break installations upon upgrade to 10.0, that did
verify_certificates: false
# not know their LDAP SSL certificates were not setup properly. For
# example, when using self-signed certificates, the ca_file path may
# need to be specified.
verify_certificates: true
# Specifies the path to a file containing a PEM-format CA certificate,
# Specifies the path to a file containing a PEM-format CA certificate,
# e.g. if you need to use an internal CA.
# e.g. if you need to use an internal CA.
...
...
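Review bot: The added sentence "This may break installations upon upgrade to 10.0, that did not know their LDAP SSL certificates were not setup properly" is hard to parse: the comma splits the relative clause and "setup" should be "set up". Suggest something like "Installations whose LDAP certificates do not validate will fail to connect after upgrading to 10.0." The comment also names only the self-signed case; it would help to say that setting `verify_certificates: false` restores the old behaviour but leaves the TLS connection to the LDAP server unauthenticated, so fixing `ca_file` is the preferred remedy.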