DEV Community

loading...

LDAP on GitLab with Red Hat Identity Management (FreeIPA)

kenmoini profile image Ken Moini ・2 min read

I have no idea why, but this weekend I redeployed everything I have in DigitalOcean - not permanently, just to try I guess...

Well, it did leave me with a lot of documentation at least! You'd be surprised how much stuff I just do and leave to the pages of history. This time was different, this time, I typed.

One of the things that has always gotten me is how to properly integrate LDAP into different things - every application has a different way of interacting and filtering the schema. GitLab is no exception, but today, I have finally mastered their thought of LDAP integration.

1. LDAP Setup

First off, I'll be using Red Hat Identity Management, or FreeIPA, as the LDAP server. Honestly it's LDAP with a bunch of other things but either way, there are a couple assumptions being made:

  1. You have a gitlabusers Group in IDM/IPA
  2. You have a gitlabadmins Group in IDM/IPA
  3. You have a set of users assigned to those groups
  4. You have a bind user dedicated to GitLab LDAP Binding

How do you make a dedicated Bind DN for your LDAP server? Make a file called gitlabbdn.update with the following contents:

dn: uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:gitlabbdn
add:userPassword:s3cr3tP455w0rdHERE
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0

Then on your IPA server, as the admin user, run the following command:

ipa-ldap-updater gitlab-bind.update

Now you can use the Bind DN of uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com and the s3cr3tP455w0rdHERE password you set to securely bind to the LDAP server.

2. GitLab Configuration

Next, we'll modify the LDAP section of the /etc/gitlab/gitlab.rb file to look something like this:

### LDAP Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
###! **Be careful not to break the indentation in the ldap_servers block. It is
###!   in yaml format and the spaces must be retained. Using tabs will not work.**

gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'My LDAP'
    host: 'ipa.example.com'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com'
    password: 's3cr3tP455w0rdHERE'
    encryption: 'start_tls'
    verify_certificates: false
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'cn=accounts,dc=example,dc=com'
    user_filter: '(memberof=CN=gitlabusers,CN=groups,CN=accounts,DC=example,DC=com)'
    attributes:
      username: ['uid']
      email: ['mail']
      name: 'displayName'
      first_name: 'givenName'
      last_name: 'sn'
EOS

Outside of replacing the domain/credentials with yours, that should do it. Any LDAP user in the gitlabusers group will be able to access.

Run gitlab-ctl reconfigure and enjoy the new centralized authentication!

Discussion

pic
Editor guide