Update ldap#security section

35191112 · George Koltsov · Evan Read · 919ff576 · 35191112
Commit 35191112 authored Aug 02, 2019 by George Koltsov Committed by Evan Read Aug 02, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 7 deletions

doc/administration/auth/ldap.md doc/administration/auth/ldap.md +10 -7

No files found.
--- a/doc/administration/auth/ldap.md
+++ b/doc/administration/auth/ldap.md
@@ -33,15 +33,18 @@ information services over an Internet Protocol (IP) network.

 ## Security

-GitLab assumes that LDAP users are not able to change their LDAP 'mail', 'email'
-or 'userPrincipalName' attribute. An LDAP user who is allowed to change their
-email on the LDAP server can potentially
-[take over any account](#enabling-ldap-sign-in-for-existing-gitlab-users)
-on your GitLab server.
+GitLab assumes that LDAP users:
+
+- Are not able to change their LDAP `mail`, `email`, or `userPrincipalName` attribute.
+  An LDAP user who is allowed to change their email on the LDAP server can potentially
+  [take over any account](#enabling-ldap-sign-in-for-existing-gitlab-users)
+  on your GitLab server.
+- Have unique email addresses, otherwise it is possible for LDAP users with the same
+  email address to share the same GitLab account.

 We recommend against using LDAP integration if your LDAP users are
-allowed to change their 'mail', 'email' or 'userPrincipalName'  attribute on
-the LDAP server.
+allowed to change their 'mail', 'email' or 'userPrincipalName' attribute on
+the LDAP server or share email addresses.

 ### User deletion