ldap account going through approval process ?

[T.J. Yang]

Hi

I have ldap backend server configured and one can create gitlab account automatically if the ldap account is valid.

Is it possible the auto-create still going through administrator's approval first then auto-create ?

tj

[Aleksey Tsalolikhin]

I was just in my /etc/gitlab/gitlab.rb yesterday and I remember seeing a setting like that...

Check

block_auto_created_users

in your ldap server definition.

--
You received this message because you are subscribed to the Google Groups "GitLab" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitlabhq+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gitlabhq/1c792fac-a493-42de-aed7-6e8fb9642718%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[T.J. Yang]

Thanks for the pointer to setting of block_auto_created_users.

1. set it to true and restart gilab 8.12.6

[root@re02 ~]# grep block_auto_created_users /etc/gitlab/gitlab.rb

  block_auto_created_users: true

#     block_auto_created_users: false

# gitlab_rails['omniauth_block_auto_created_users'] = true

[root@ilclsre02 ~]# gitlab-ctl restart

ok: run: gitlab-workhorse: (pid 6661) 1s

ok: run: logrotate: (pid 6673) 0s

ok: run: nginx: (pid 6679) 0s

ok: run: postgresql: (pid 6688) 1s

ok: run: redis: (pid 6698) 0s

ok: run: sidekiq: (pid 6714) 1s

ok: run: unicorn: (pid 6719) 0s

[root@re02 ~]#

2. Delete userA  from admin console

3. Ask userA to login again

     3.1  step 2 and 3 are a few minutes apart. 

4. userA was able to login and gitlab account auto recreated again.

     4.1 from userA's profile page, userA is not locked.

So this setting is not working,

[Aleksey Tsalolikhin]

Perhaps run "sudo gitlab-ctl reconfigure" ?

ᐧ

-- 

Need training on CFEngine, Git or Time Management?  Email trai...@verticalsysadmin.com.

--

You received this message because you are subscribed to the Google Groups "GitLab" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gitlabhq+unsubscribe@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/gitlabhq/e6361112-aa85-4d57-8ae2-1def435c0a67%40googlegroups.com.

[T.J. Yang]

I went through a few runs of version gitlab CE since 10/15/2016.

Now the auto account creation is created locked mode. 

Administrator will need to unlock the newly created account. 

To unsubscribe from this group and stop receiving emails from it, send an email to gitlabhq+u...@googlegroups.com.

[Aleksey Tsalolikhin]

Sorry, tj, cold you please remind me what you are trying to accomplish?  Do you want anyone with an LDAP account to be able to sign up for GitLab without administrator involvement?

On Tue, Nov 15, 2016 at 2:43 AM, T.J. Yang <tjyan...@gmail.com> wrote:

I went through a few runs of version gitlab CE since 10/15/2016.

Now the auto account creation is created locked mode. 

Administrator will need to unlock the newly created account. 

On Saturday, October 15, 2016 at 8:40:25 AM UTC-5, Aleksey Tsalolikhin wrote:

Perhaps run "sudo gitlab-ctl reconfigure" ?

ᐧ

To unsubscribe from this group and stop receiving emails from it, send an email to gitlabhq+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gitlabhq/3c54a299-7a15-4e4a-9cba-42e8a9c76ea9%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

ᐧ

[T.J. Yang]

Hi Aleksey

On Tuesday, November 15, 2016 at 7:42:54 AM UTC-6, Aleksey Tsalolikhin wrote:

Sorry, tj, cold you please remind me what you are trying to accomplish?  Do you want anyone with an LDAP account to be able to sign up for GitLab without administrator involvement?

I (as gitlab admin) am trying to gain ability to grant or deny a newly created gitlab account.

I also change sign-in page to info new user, extra email sending to gitla...@xxx.xxx for further approval.

tj 

To view this discussion on the web visit https://groups.google.com/d/msgid/gitlabhq/3c54a299-7a15-4e4a-9cba-42e8a9c76ea9%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

ᐧ

[Aleksey Tsalolikhin]

On Tuesday, October 11, 2016 at 3:36:53 PM UTC-5, T.J. Yang wrote:

Hi

I have ldap backend server configured and one can create gitlab account automatically if the ldap account is valid.

Is it possible the auto-create still going through administrator's approval first then auto-create ?

and

On Tue, Nov 15, 2016 at 1:35 PM, T.J. Yang <tjyan...@gmail.com> wrote:

I (as gitlab admin) am trying to gain ability to grant or deny a newly created gitlab account.

I also change sign-in page to info new user, extra email sending to gitla...@xxx.xxx for further approval.

Hey, T.J.   Take a look at https://gitlab.com/gitlab-org/gitlab-ce/issues/14508  -- would that solve your problem?  It provides a way to "gateway" access for local users. (Where an admin has to approve access.)  It seems like you are asking for something similar but for LDAP users.

If studying 14508 doesn't help, you might want to open a similar issue, e.g., "admin approval for LDAP users", or something like that.

HTH,

Aleksey

 

ᐧ

[T.J. Yang]

https://gitlab.com/gitlab-org/gitlab-ce/issues/25239