Hi, everything is O.K. ... we are in the process of setting up a test environment with the latest master source, and will test, and create patches if necessary. In short, I will send a message with more information.
Regards,
Dubravko Penezic

On Thu, Feb 6, 2014 at 2:42 PM, Sytse Sijbrandij <[email protected]> wrote:
> Hi Dubravko,
>
> Sorry for the misunderstanding.
>
> I've reopened https://github.com/gitlabhq/gitlabhq/issues/5495 but
> please provide a short description of the security exploit if that is
> possible. The security implications are hard to understand at the
> moment.
>
> Best regards,
> Sytse
>
> On Thu, Feb 6, 2014 at 1:24 PM, Dubravko Penezic <[email protected]> wrote:
> > Hi Sytse,
> >
> > Thanks for the answer. I believe that properly implementing the suggested
> > mechanism will also solve multiple LDAP domains, and any other
> > multiple-domain authentication systems.
> >
> > My colleague tells me that you closed issue 5495 for the same reason;
> > however, issue 5495 is a security bug, not a request for a new feature,
> > so my opinion is that it needs to be fixed, or well documented.
> >
> > We would still like to change the existing system (not only for us, but
> > also for some other national higher education networks in Europe). Where
> > we may find some documentation for developers for GitLab, we will find
> > some people to implement that.
> >
> > Hope you will include that fix in the central repository.
> >
> > Regards,
> > Dubravko Penezic
> >
> > On Thursday, February 6, 2014 11:46:17 AM UTC+1, Sytse Sijbrandij wrote:
> >>
> >> Hi Dubravko,
> >>
> >> This is a lot of work. We'll probably only make something this complex
> >> for a paying subscriber if at all. Before this we would first do
> >> multiple LDAP domains which is a popular request.
> >>
> >> Sorry,
> >> Sytse
> >>
> >> On Fri, Jan 31, 2014 at 12:33 PM, Dubravko Penezic <[email protected]> wrote:
> >> > Dear all,
> >> >
> >> > please check issue https://github.com/gitlabhq/gitlabhq/issues/5495.
> >> > To be more precise, we (AAI@EduHr, http://www.aaiedu.hr/) have 200+
> >> > IdPs (cca 650000 users) and 300+ services which actively use the SSO
> >> > service, so the chance that two or more users with the same name have
> >> > the same uid part of the username is great.
> >> >
> >> > We think that the following facts of GitLab are O.K.:
> >> > * uniqueness of email address on the authentication system (as it is now)
> >> > * uniqueness of username on the authentication system (as it is now)
> >> >
> >> > We think that the handling of outer authentication methods (oauth)
> >> > needs to be changed.
> >> >
> >> > Our proposal is as follows:
> >> > 1. keep the existing local authentication system as it is
> >> > 2. use the outer authentication mechanism as an additional
> >> >    authentication possibility
> >> >
> >> > We suggest the following implementation:
> >> > A. local authentication and system is intact
> >> > B. outer authentication
> >> > B.1. user comes for the first time
> >> >   - select on the login screen the outer authentication button (or
> >> >     maybe select from a list one of the outer authentication methods)
> >> >   - authenticate against the outer authentication system
> >> >   - the system admin defines in the GitLab configuration file from
> >> >     which attribute GitLab gets the email address
> >> >   - GitLab checks the email address, and if the address is unique
> >> >     creates a new user
> >> >   - the new user will get a username based on the email, in the way
> >> >     that the @ sign is changed to a dot (.)
> >> >     ([email protected] -> username : pero.pero.tld)
> >> >   - in parallel, one line is added to a new database table with the
> >> >     information of GitLab username, SSO username, SSO type (the
> >> >     primary key is the combination of those 3 parameters)
> >> >   - all other systems in GitLab may now occur
> >> >
> >> > B.2. user tries to log in to GitLab
> >> >   - select on the login screen the outer authentication button (or
> >> >     maybe select from a list one of the outer authentication methods)
> >> >   - authenticate against the outer authentication system
> >> >   - the system admin defines in the GitLab configuration file from
> >> >     which attribute GitLab gets the email address
> >> >   - GitLab checks if the email exists
> >> >   - if it does not exist, that is a new user, do B.1.
> >> >   - if it exists, find the GitLab username
> >> >   - check in the database table if an entry exists for GitLab
> >> >     username, SSO username, SSO type; if so the user is authorized, if
> >> >     not give the user a warning message
> >> >   - all other systems in GitLab may now occur
> >> >
> >> > I hope I explained the basic scenario for the outer authentication
> >> > model we suggest.
> >> >
> >> > Unfortunately we don't have enough programming knowledge to make those
> >> > changes as a patch to the GitLab source code, but we will help with
> >> > all of our knowledge.
> >> >
> >> > Regards,
> >> > Dubravko Penezic

--
You received this message because you are subscribed to the Google Groups "GitLab" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
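
The B.1/B.2 flow proposed in the quoted January 31 message, as an added Ruby example that is not part of the thread and is not GitLab code. The class, method names, in-memory storage and sample identities are hypothetical; case-insensitive email matching and refusing an already taken derived username are assumptions.

```ruby
require 'set'

# Added illustration, not GitLab code. All names here are hypothetical.
class ExternalLoginLinker
  Result = Struct.new(:status, :username)

  def initialize
    @username_by_email = {}  # email => GitLab username (both unique)
    @links = Set.new         # rows of [gitlab_username, sso_username, sso_type]
  end

  # Scenario A: a local account has no link row at all.
  def add_local_user(email, username)
    @username_by_email[email.downcase] = username
  end

  # attrs: attributes released by the IdP after a successful login there.
  # email_attr: the attribute the admin configured as the email source.
  def login(sso_type, sso_username, attrs, email_attr: 'mail')
    # Assumption: emails are compared case-insensitively.
    email = attrs[email_attr].to_s.strip.downcase
    return Result.new(:rejected, nil) unless email.count('@') == 1

    username = @username_by_email[email]
    return first_login(sso_type, sso_username, email) if username.nil?

    # B.2: the email is known, so the exact triple must already be linked.
    if @links.include?([username, sso_username, sso_type])
      Result.new(:authorized, username)
    else
      Result.new(:warning, nil) # same email from another identity: no session
    end
  end

  private

  # B.1: create the user, derive the username, record the link row.
  def first_login(sso_type, sso_username, email)
    username = email.sub('@', '.')
    # Assumption: a derived name that is already taken is refused.
    return Result.new(:rejected, nil) if @username_by_email.value?(username)

    @username_by_email[email] = username
    @links << [username, sso_username, sso_type]
    Result.new(:created, username)
  end
end

if __FILE__ == $PROGRAM_NAME
  linker = ExternalLoginLinker.new
  # Constructed identities: two IdPs releasing the same email attribute.
  p linker.login('saml', 'pero@idp-a.example', { 'mail' => 'pero@example.org' }).to_a
  p linker.login('saml', 'pero@idp-b.example', { 'mail' => 'pero@example.org' }).to_a
end
```

The second call returns a warning instead of a session because the email alone does not identify the account; only the stored (GitLab username, SSO username, SSO type) row does.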
