From c9e47f3435389ffdebbd89cc35bbe2cb016fcee2 Mon Sep 17 00:00:00 2001
From: Drew Blessing <drew@blessing.io>
Date: Wed, 30 Sep 2020 16:16:11 -0500
Subject: [PATCH] Add Kerberos LDAP mapping to gitlab.yml.example

Add `simple_ldap_linking_allowed_realms` configuration option
and brief explanation to the `gitlab.yml.example` file.
---
 config/gitlab.yml.example | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 86df39830df4..cce627fa5407 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -854,6 +854,12 @@ production: &base
     # (default: accept any service name in keytab file)
     # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM
 
+    # Kerberos realms/domains that are allowed to automatically link LDAP identities.
+    # By default, GitLab accepts a realm that matches the domain derived from the
+    # LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
+    # with a realm matching `example.com`.
+    # simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']
+
     # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
     # To support both Basic and Negotiate methods with older versions of Git, configure
     # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
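Review bot: The added comment above `simple_ldap_linking_allowed_realms` does not say whether a configured list replaces the default realm derived from the LDAP `base` DN or is added to it, so an admin who uncomments the line cannot tell whether the default realm still links. The sample value is lowercase (`example.com`) while the `service_principal_name` example two lines earlier uses `EXAMPLE.COM`, so the comment should state how case is treated when realms are compared. Because every listed realm is allowed to link to existing LDAP identities without further confirmation, I would add a line such as `# Only list realms whose principals identify the same users as this LDAP directory.` The enclosing Kerberos settings block starts and ends outside this hunk, so the exact matching behaviour is not visible here and should be confirmed against the implementation.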
-- 
GitLab