From bd6c982bf1dce111d8aa17d7c4c5acd073051a38 Mon Sep 17 00:00:00 2001
From: Julio <guerr@julio.in>
Date: Thu, 24 Sep 2015 12:03:23 +0000
Subject: [PATCH] Documentation of omniauth-ldap limitations

Further documentation about limitations directly impacting settings of
users' LDAP servers.
---
 doc/integration/ldap.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/doc/integration/ldap.md b/doc/integration/ldap.md
index 3bc5df21ef42..9b7d8fa39696 100644
--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -173,3 +173,23 @@ Tip: if you want to limit access to the nested members of an Active Directory gr
 ```
 
 Please note that GitLab does not support the custom filter syntax used by omniauth-ldap.
+
+## Limitations
+
+GitLab's LDAP client is based on [omniauth-ldap](https://gitlab.com/gitlab-org/omniauth-ldap)
+which encapsulates Ruby's `Net::LDAP` class. It provides a pure-Ruby implementation
+of the LDAP client protocol. As a result, GitLab is limited by `omniauth-ldap` and may impact your LDAP 
+server settings.
+
+### TLS Client Authentication  
+Not implemented by `Net::LDAP`.  
+So you should disable anonymous LDAP authentication and enable simple or SASL 
+authentication. TLS client authentication setting in your LDAP server cannot be
+mandatory and clients cannot be authenticated with the TLS protocol. 
+
+### TLS Server Authentication  
+Not supported by GitLab's configuration options.  
+When setting `method: ssl`, the underlying authentication method used by 
+`omniauth-ldap` is `simple_tls`.  This method establishes TLS encryption with 
+the LDAP server before any LDAP-protocol data is exchanged but no validation of
+the LDAP server's SSL certificate is performed.
\ No newline at end of file
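Review bot: The "TLS Server Authentication" section stops short of stating the consequence an administrator needs: with `method: ssl` mapping to `simple_tls` and "no validation of the LDAP server's SSL certificate", the session is encrypted but the server is not authenticated, so a host that can intercept the connection and present any certificate would not be detected. Suggest adding a sentence such as "Because the certificate is not verified, the TLS connection protects only against passive eavesdropping; the network path between GitLab and the LDAP server must be trusted by other means." In the "TLS Client Authentication" section, the "So you should disable anonymous LDAP authentication..." sentence does not follow from the previous one as written; make the reasoning explicit, e.g. "Since the client cannot present a certificate, GitLab must authenticate with a bind DN and password, so configure simple or SASL authentication and do not make TLS client authentication mandatory on the server." Minor: the `### TLS Client Authentication  `, `Not implemented by ...  `, `may impact your LDAP ` and `used by ` lines carry trailing whitespace, and the file loses its final newline (`\ No newline at end of file`); both should be cleaned up before merge.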
-- 
GitLab