Hi Sytse,

Thanks for the answer. I believe that properly implementing the suggested 
mechanism will also solve multiple LDAP domains, and any other multiple-domain 
authentication systems. 

My colleague tells me that you closed issue 5495 for the same reason; however, 
issue 5495 is a security bug, not a request for a new feature, so my opinion is 
that it needs to be fixed, or well documented.

We would still like to change the existing system (not only for us, but also 
for some other national higher education networks in Europe). Where may we 
find some documentation for GitLab developers? We will find some 
people to implement that.

Hope you will include that fix in the central repository.

Regards,
Dubravko Penezic  

On Thursday, February 6, 2014 11:46:17 AM UTC+1, Sytse Sijbrandij wrote:
>
> Hi Dubravko, 
>
> This is a lot of work. We'll probably only make something this complex 
> for a paying subscriber if at all. Before this we would first do 
> multiple LDAP domains which is a popular request. 
>
> Sorry, 
> Sytse 
>
> On Fri, Jan 31, 2014 at 12:33 PM, Dubravko Penezic <[email protected]> wrote: 
> > Dear all, 
> > 
> > please check issue https://github.com/gitlabhq/gitlabhq/issues/5495 . To be 
> > more precise, we (AAI@EduHr, http://www.aaiedu.hr/) have 200+ IdPs (cca 650000 
> > users) and 300+ services which actively use the SSO service, so the chance that 
> > two or more users with the same name have the same uid part of the username is 
> > great. 
> > 
> > We think that the following facts of GitLab are O.K.: 
> > * uniqueness of email address on authentication system (like it is now) 
> > * uniqueness of username on authentication system (like it is now) 
> > 
> > We think that the handling of the outer authentication method (oauth) needs to 
> > be changed. 
> > 
> > Our proposal is as follows: 
> > 1. keep the existing local authentication system as it is 
> > 2. use the outer authentication mechanism as an additional authentication 
> > possibility 
> > 
> > We suggest the following implementation: 
> > A. local authentication and system are intact 
> > B. outer authentication 
> > B.1. user comes for the first time 
> >       - selects the outer authentication button on the login screen (or maybe 
> > selects one of the outer authentication methods from a list) 
> >       - authenticates against the outer authentication system 
> >       - the system admin defines in the GitLab configuration file from which 
> > attribute GitLab gets the email address 
> >       - GitLab checks the email address, and if the address is unique creates a 
> > new user 
> >       - the new user will get a username based on the email, in such a way that 
> > the @ sign is changed to a dot (.) ([email protected] -> username : pero.pero.tld) 
> >       - in parallel, one line is added to a new database table with the 
> > information of GitLab username, SSO username, SSO type (the primary key is the 
> > combination of those 3 parameters) 
> >       - all other systems in GitLab may now occur 
> > 
> > B.2. user tries to log in to GitLab 
> >       - selects the outer authentication button on the login screen (or maybe 
> > selects one of the outer authentication methods from a list) 
> >       - authenticates against the outer authentication system 
> >       - the system admin defines in the GitLab configuration file from which 
> > attribute GitLab gets the email address 
> >       - GitLab checks if the email exists 
> >         - if it does not exist, that is a new user, do B.1. 
> >         - if it exists, find the GitLab username 
> >       - check in the database table if an entry exists for GitLab username, SSO 
> > username, SSO type; if so the user is authorized, if not give the user a warning 
> > message 
> >       - all other systems in GitLab may now occur 
> > 
> > I hope I explained the basic scenario for the outer authentication model we 
> > suggest. 
> > 
> > Unfortunately we don't have enough programming knowledge to make those changes 
> > as a patch to the GitLab source code, but we will help with all of our knowledge. 
> > 
> > Regards, 
> > Dubravko Penezic 
> > 
> > -- 
> > You received this message because you are subscribed to the Google 
> Groups 
> > "GitLab" group. 
> > To unsubscribe from this group and stop receiving emails from it, send 
> an 
> > email to [email protected]. 
> > For more options, visit https://groups.google.com/groups/opt_out. 
>
