Hi Dubravko,

Sorry for the misunderstanding. I've reopened https://github.com/gitlabhq/gitlabhq/issues/5495, but please provide a short description of the security exploit if that is possible. The security implications are hard to understand at the moment.

Best regards,
Sytse

On Thu, Feb 6, 2014 at 1:24 PM, Dubravko Penezic <[email protected]> wrote:
> Hi Sytse,
>
> Thanks for the answer. I believe that properly implementing the suggested mechanism will also solve multiple LDAP domains, and any other multiple-domain authentication system.
>
> My colleague tells me that you closed issue 5495 for the same reason; however, issue 5495 is a security bug, not a request for a new feature, so my opinion is that it needs to be fixed, or well documented.
>
> We would still like to change the existing system (not only for us, but also for some other national higher-education networks in Europe). If we can find some developer documentation for GitLab, we will find some people to implement that.
>
> Hope you will include that fix in the central repository.
>
> Regards,
> Dubravko Penezic
>
> On Thursday, February 6, 2014 11:46:17 AM UTC+1, Sytse Sijbrandij wrote:
>>
>> Hi Dubravko,
>>
>> This is a lot of work. We'll probably only make something this complex for a paying subscriber, if at all. Before this we would first do multiple LDAP domains, which is a popular request.
>>
>> Sorry,
>> Sytse
>>
>> On Fri, Jan 31, 2014 at 12:33 PM, Dubravko Penezic <[email protected]> wrote:
>> > Dear all,
>> >
>> > please check issue https://github.com/gitlabhq/gitlabhq/issues/5495 . To be more precise, we (AAI@EduHr, http://www.aaiedu.hr/) have 200+ IdPs (approx. 650,000 users) and 300+ services which actively use the SSO service, so the chance that two or more users with the same name have the same uid part of the username is great.
>> >
>> > We think that the following facts about GitLab are O.K.:
>> > * uniqueness of email address in the authentication system (as it is now)
>> > * uniqueness of username in the authentication system (as it is now)
>> >
>> > We think that the handling of the outer authentication method (oauth) needs to be changed.
>> >
>> > Our proposal is as follows:
>> > 1. keep the existing local authentication system as it is
>> > 2. use the outer authentication mechanism as an additional authentication possibility
>> >
>> > We suggest the following implementation:
>> > A. local authentication and system are intact
>> > B. outer authentication
>> > B.1. user comes for the first time
>> >   - select the outer authentication button on the login screen (or maybe select one of the outer authentication methods from a list)
>> >   - authenticate against the outer authentication system
>> >   - the system admin defines in the GitLab configuration file which attribute GitLab gets the email address from
>> >   - GitLab checks the email address, and if the address is unique, creates a new user
>> >   - the new user gets a username based on the email, in which the @ sign is changed to a dot (.) ([email protected] -> username: pero.pero.tld)
>> >   - in parallel, one line is added to a new database table with the GitLab username, SSO username and SSO type (the primary key is the combination of those 3 parameters)
>> >   - all other systems in GitLab may now proceed
>> >
>> > B.2. user tries to log in to GitLab
>> >   - select the outer authentication button on the login screen (or maybe select one of the outer authentication methods from a list)
>> >   - authenticate against the outer authentication system
>> >   - the system admin defines in the GitLab configuration file which attribute GitLab gets the email address from
>> >   - GitLab checks if the email exists
>> >   - if it does not exist, that is a new user: do B.1.
>> >   - if it exists, find the GitLab username
>> >   - check in the database table if an entry exists for the GitLab username, SSO username and SSO type; if so, the user is authorized, if not, give the user a warning message
>> >   - all other systems in GitLab may now proceed
>> >
>> > I hope I explained the basic scenario for the outer authentication model we suggest.
>> >
>> > Unfortunately we don't have enough programming knowledge to make those changes as a patch to the GitLab source code, but we will help with all of our knowledge.
>> >
>> > Regards,
>> > Dubravko Penezic
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "GitLab" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
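The outer-authentication flow proposed in the Jan 31 message (steps B.1 and B.2), written out as an added example in Ruby since GitLab is a Rails application. This is not code from the thread or from GitLab: the identity table is modelled in memory, and the class and method names, the `sso_type` labels and the sample e-mail addresses are all assumptions constructed here for illustration.

```ruby
# Added example, not GitLab code: an in-memory model of the outer-authentication
# flow proposed in the thread (steps B.1 and B.2). All names below are
# assumptions made for illustration.
require 'set'

# One row of the proposed "new database table"; the composite key
# (gitlab_username, sso_username, sso_type) is the primary key.
Identity = Struct.new(:gitlab_username, :sso_username, :sso_type)
User     = Struct.new(:username, :email)

class ExternalAuth
  # B.1: the GitLab username is derived from the e-mail by changing '@' to '.'.
  def self.username_from_email(email)
    email.sub('@', '.')
  end

  def initialize
    @users_by_email = {}      # e-mail -> User   (e-mail stays unique, as today)
    @users_by_name  = {}      # username -> User (username stays unique, as today)
    @identities     = Set.new # the composite-key identity table
  end

  attr_reader :users_by_email, :identities

  # Entry point after the outer system (SAML, OAuth, ...) has authenticated the
  # user and the admin-configured attribute mapping has yielded the e-mail.
  # Returns a symbol describing the outcome of the flow.
  def login(sso_type:, sso_username:, email:)
    user = @users_by_email[email]
    return first_login(sso_type, sso_username, email) if user.nil? # B.2 -> B.1

    # B.2: the e-mail maps to an existing GitLab user. Accept the login only if
    # this exact external identity is the one recorded for that account; a
    # different IdP (or a different uid) presenting the same e-mail gets a
    # warning instead of the account.
    if @identities.include?(Identity.new(user.username, sso_username, sso_type))
      :authorized
    else
      :identity_mismatch
    end
  end

  private

  # B.1: create the user and record which external identity created it.
  def first_login(sso_type, sso_username, email)
    username = self.class.username_from_email(email)
    return :username_taken if @users_by_name.key?(username) # uniqueness rule kept
    user = User.new(username, email)
    @users_by_email[email]   = user
    @users_by_name[username] = user
    @identities << Identity.new(username, sso_username, sso_type)
    :created
  end
end

# Constructed scenario: two IdPs in a federation both have a user with uid
# "pero". Because the username is derived from the e-mail and the identity
# table is keyed on the full triple, the uid collision in the outer system
# cannot be mapped onto an existing GitLab account.
def demo
  auth = ExternalAuth.new
  [
    auth.login(sso_type: 'saml:idp-a.example', sso_username: 'pero', email: 'pero@pero.tld'),  # :created
    auth.login(sso_type: 'saml:idp-a.example', sso_username: 'pero', email: 'pero@pero.tld'),  # :authorized
    auth.login(sso_type: 'saml:idp-b.example', sso_username: 'pero', email: 'pero@pero.tld'),  # :identity_mismatch
    auth.login(sso_type: 'saml:idp-b.example', sso_username: 'pero', email: 'pero@other.tld'), # :created
  ]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The third call is the case the proposal's warning message is for: the e-mail already belongs to a GitLab account, but the (username, SSO username, SSO type) triple that created that account is not the one now presenting it, so the login is not authorized. The fourth call shows the same uid from a second IdP with its own e-mail simply becoming a second, distinct GitLab user.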
