I have no idea why, but this weekend I redeployed everything I have in DigitalOcean - not permanently, just to try I guess...
Well, it did leave me with a lot of documentation at least! You'd be surprised how much stuff I just do and leave to the pages of history. This time was different, this time, I typed.
One of the things that has always gotten me is how to properly integrate LDAP into different things - every application has a different way of interacting and filtering the schema. GitLab is no exception, but today, I have finally mastered their thought of LDAP integration.
1. LDAP Setup
First off, I'll be using Red Hat Identity Management, or FreeIPA, as the LDAP server. Honestly it's LDAP with a bunch of other things but either way, there are a couple assumptions being made:
- You have a
gitlabusers
Group in IDM/IPA - You have a
gitlabadmins
Group in IDM/IPA - You have a set of users assigned to those groups
- You have a bind user dedicated to GitLab LDAP Binding
How do you make a dedicated Bind DN for your LDAP server? Make a file called gitlabbdn.update
with the following contents:
dn: uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:gitlabbdn
add:userPassword:s3cr3tP455w0rdHERE
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0
Then on your IPA server, as the admin user, run the following command:
ipa-ldap-updater gitlab-bind.update
Now you can use the Bind DN of uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com and the s3cr3tP455w0rdHERE password you set to securely bind to the LDAP server.
2. GitLab Configuration
Next, we'll modify the LDAP section of the /etc/gitlab/gitlab.rb
file to look something like this:
### LDAP Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
###! **Be careful not to break the indentation in the ldap_servers block. It is
###! in yaml format and the spaces must be retained. Using tabs will not work.**
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main:
label: 'My LDAP'
host: 'ipa.example.com'
port: 389
uid: 'uid'
bind_dn: 'uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com'
password: 's3cr3tP455w0rdHERE'
encryption: 'start_tls'
verify_certificates: false
smartcard_auth: false
active_directory: false
allow_username_or_email_login: false
lowercase_usernames: false
block_auto_created_users: false
base: 'cn=accounts,dc=example,dc=com'
user_filter: '(memberof=CN=gitlabusers,CN=groups,CN=accounts,DC=example,DC=com)'
attributes:
username: ['uid']
email: ['mail']
name: 'displayName'
first_name: 'givenName'
last_name: 'sn'
EOS
Outside of replacing the domain/credentials with yours, that should do it. Any LDAP user in the gitlabusers group will be able to access.
Run gitlab-ctl reconfigure
and enjoy the new centralized authentication!
Top comments (0)