Ken Moini

LDAP on GitLab with Red Hat Identity Management (FreeIPA)

I have no idea why, but this weekend I redeployed everything I have in DigitalOcean - not permanently, just to try I guess...

Well, it did leave me with a lot of documentation at least! You'd be surprised how much stuff I just do and leave to the pages of history. This time was different, this time, I typed.

One of the things that has always tripped me up is how to properly integrate LDAP into different applications - every one of them has its own way of querying and filtering the directory schema. GitLab is no exception, but today I have finally gotten my head around its approach to LDAP integration.

1. LDAP Setup

First off, I'll be using Red Hat Identity Management, or FreeIPA, as the LDAP server. Honestly, it's LDAP plus a bunch of other things, but either way, a few assumptions are being made:

  1. You have a gitlabusers Group in IDM/IPA
  2. You have a gitlabadmins Group in IDM/IPA
  3. You have a set of users assigned to those groups
  4. You have a bind user dedicated to GitLab LDAP Binding

How do you make a dedicated Bind DN for your LDAP server? Make a file called gitlabbdn.update with the following contents:

dn: uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:gitlabbdn
add:userPassword:s3cr3tP455w0rdHERE
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0

Then on your IPA server, as the admin user, run the following command:

ipa-ldap-updater gitlabbdn.update

Now you can use the Bind DN of uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com and the s3cr3tP455w0rdHERE password you set to securely bind to the LDAP server.

2. GitLab Configuration

Next, we'll modify the LDAP section of the /etc/gitlab/gitlab.rb file to look something like this:

### LDAP Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
###! **Be careful not to break the indentation in the ldap_servers block. It is
###!   in yaml format and the spaces must be retained. Using tabs will not work.**

gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'My LDAP'
    host: 'ipa.example.com'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com'
    password: 's3cr3tP455w0rdHERE'
    encryption: 'start_tls'
    verify_certificates: false
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'cn=accounts,dc=example,dc=com'
    user_filter: '(memberof=CN=gitlabusers,CN=groups,CN=accounts,DC=example,DC=com)'
    attributes:
      username: ['uid']
      email: ['mail']
      name: 'displayName'
      first_name: 'givenName'
      last_name: 'sn'
EOS

Outside of replacing the domain and credentials with yours, that should do it: any LDAP user in the gitlabusers group will be able to sign in.

Run gitlab-ctl reconfigure and enjoy the new centralized authentication!
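Before that reconfigure, it is worth checking the block above the way GitLab will read it. The Ruby script below is an added example, not part of the original post or of GitLab: it loads the same ldap_servers YAML (trimmed to the keys it reads), flags weak transport settings (the post's verify_certificates: false is one, since it lets a spoofed IPA server pass the STARTTLS handshake), and builds the ldapsearch command that exercises the bind DN, base and user_filter exactly as GitLab combines them. The ca_file path named in the finding and the sample login are assumptions.

```ruby
require 'yaml'

# Constructed sample: the 'main' ldap_servers block from the post, trimmed to
# the keys the audit reads. verify_certificates is left false on purpose.
SAMPLE_LDAP_SERVERS = YAML.safe_load(<<-'EOS')
  main:
    host: 'ipa.example.com'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com'
    password: 's3cr3tP455w0rdHERE'
    encryption: 'start_tls'
    verify_certificates: false
    base: 'cn=accounts,dc=example,dc=com'
    user_filter: '(memberof=CN=gitlabusers,CN=groups,CN=accounts,DC=example,DC=com)'
EOS

# True when every '(' in an LDAP filter closes in the right order.
def balanced_filter?(filter)
  depth = 0
  filter.to_s.each_char do |c|
    depth += 1 if c == '('
    depth -= 1 if c == ')'
    return false if depth.negative?
  end
  depth.zero?
end

# Returns the problems found in one ldap_servers entry; [] means clean.
def audit_ldap_server(name, cfg)
  findings = []
  unless %w[start_tls simple_tls].include?(cfg['encryption'])
    findings << "#{name}: encryption '#{cfg['encryption']}' sends the bind password and user logins in clear text"
  end
  if cfg['verify_certificates'] == false
    findings << "#{name}: verify_certificates is false, so a spoofed IPA server would be accepted; set it to true and point ca_file at the IPA CA (assumed path /etc/ipa/ca.crt)"
  end
  findings << "#{name}: user_filter has unbalanced parentheses" unless balanced_filter?(cfg['user_filter'])
  findings
end

# Builds the ldapsearch command that uses the same bind DN, base and filter
# GitLab will, so the lookup can be confirmed before 'gitlab-ctl reconfigure'.
# -W prompts for the bind password (keeps it out of shell history); -ZZ refuses to continue without STARTTLS.
def ldapsearch_check(cfg, login)
  filter = "(&(#{cfg['uid']}=#{login})#{cfg['user_filter']})"
  "ldapsearch -H ldap://#{cfg['host']}:#{cfg['port']} -ZZ -x -W " \
    "-D '#{cfg['bind_dn']}' -b '#{cfg['base']}' '#{filter}' uid mail displayName"
end
```

Run `ldapsearch_check(SAMPLE_LDAP_SERVERS['main'], 'jdoe')` and paste the result on a host that can reach IPA; an empty result for a user who is in gitlabusers means the filter, not GitLab, is the problem.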
