I have no idea why, but this weekend I redeployed everything I have in DigitalOcean - not permanently, just to try I guess...
Well, it did leave me with a lot of documentation at least! You'd be surprised how much stuff I just do and leave to the pages of history. This time was different, this time, I typed.
One of the things that has always gotten me is how to properly integrate LDAP into different things - every application has a different way of interacting and filtering the schema. GitLab is no exception, but today, I have finally mastered their thought of LDAP integration.
First off, I'll be using Red Hat Identity Management, or FreeIPA, as the LDAP server. Honestly it's LDAP with a bunch of other things but either way, there are a couple assumptions being made:
- You have a
gitlabusersGroup in IDM/IPA
- You have a
gitlabadminsGroup in IDM/IPA
- You have a set of users assigned to those groups
- You have a bind user dedicated to GitLab LDAP Binding
How do you make a dedicated Bind DN for your LDAP server? Make a file called
gitlabbdn.update with the following contents:
dn: uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com add:objectclass:account add:objectclass:simplesecurityobject add:uid:gitlabbdn add:userPassword:s3cr3tP455w0rdHERE add:passwordExpirationTime:20380119031407Z add:nsIdleTimeout:0
Then on your IPA server, as the admin user, run the following command:
Now you can use the Bind DN of uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com and the s3cr3tP455w0rdHERE password you set to securely bind to the LDAP server.
Next, we'll modify the LDAP section of the
/etc/gitlab/gitlab.rb file to look something like this:
### LDAP Settings ###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html ###! **Be careful not to break the indentation in the ldap_servers block. It is ###! in yaml format and the spaces must be retained. Using tabs will not work.** gitlab_rails['ldap_enabled'] = true gitlab_rails['prevent_ldap_sign_in'] = false ###! **remember to close this block with 'EOS' below** gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' main: label: 'My LDAP' host: 'ipa.example.com' port: 389 uid: 'uid' bind_dn: 'uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com' password: 's3cr3tP455w0rdHERE' encryption: 'start_tls' verify_certificates: false smartcard_auth: false active_directory: false allow_username_or_email_login: false lowercase_usernames: false block_auto_created_users: false base: 'cn=accounts,dc=example,dc=com' user_filter: '(memberof=CN=gitlabusers,CN=groups,CN=accounts,DC=example,DC=com)' attributes: username: ['uid'] email: ['mail'] name: 'displayName' first_name: 'givenName' last_name: 'sn' EOS
Outside of replacing the domain/credentials with yours, that should do it. Any LDAP user in the gitlabusers group will be able to access.
gitlab-ctl reconfigure and enjoy the new centralized authentication!