# Integrate Gitlab with OpenLDAP for Authentication

kifarunix.com, published 2021-10-16, last modified 2024-03-18. https://kifarunix.com/integrate-gitlab-with-openldap-for-authentication/

This tutorial will take you through how to integrate Gitlab with OpenLDAP for authentication. Gitlab supports LDAP authentication.

In our previous tutorials, we learnt how to install Gitlab on Debian/Ubuntu:

- Install Gitlab CE on Debian 11
- Install Gitlab with SSL/TLS Certificate on Ubuntu 20.04

We also have tutorials on setting up OpenLDAP:

- Install and Setup OpenLDAP Server on Debian 11
- Install and Setup OpenLDAP on Rocky Linux 8

Assuming you already have Gitlab and OpenLDAP servers set up and running, let us proceed.

## Integrating Gitlab with OpenLDAP for Authentication

### Create Gitlab Users OpenLDAP Member Group

In order to ensure that only specific users can log in to the Gitlab server via OpenLDAP, we will create a member group on our OpenLDAP server.

How to create OpenLDAP member groups has been extensively described in the guide below:

- How to Create OpenLDAP Member Groups

Let us assume we have the following users that we want to allow to log in to the Gitlab server via OpenLDAP:

```
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=* dn -Q
```

```
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
```

Hence, create a group with any name of your preference. For example, let us create a group called **`gitlab`**.

In our current LDAP server, we have a groups OU, `ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com`.

To create the **gitlab** group and add the users janedoe and johndoe to it, create an LDIF file as shown below:

```
cat > gitlab-group.ldif << EOL
dn: cn=gitlab,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: gitlab
member: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
EOL
```

Update the above as per your organization's OpenLDAP server setup.

Next, run the command below on the OpenLDAP server terminal to create the group along with its members:

```
ldapadd -Y EXTERNAL -H ldapi:/// -Q -f gitlab-group.ldif
```

Once the command has run, you can verify that the group and its members are available:

```
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=gitlab -Q
```

```
dn: cn=gitlab,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: gitlab
member: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
```

You can add more members to the group as described in the post linked above.

### Integrating Gitlab with OpenLDAP

Once you have set up the OpenLDAP group and added members, you can now configure Gitlab to use OpenLDAP for authentication.

Open the Gitlab configuration file for editing:

```
vim /etc/gitlab/gitlab.rb
```

Scroll down to the LDAP settings configuration section. By default, the LDAP configuration settings are commented out:

```
### LDAP Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
###! **Be careful not to break the indentation in the ldap_servers block. It is
###!   in yaml format and the spaces must be retained. Using tabs will not work.**
# gitlab_rails['ldap_enabled'] = false
# gitlab_rails['prevent_ldap_sign_in'] = false

###! **remember to close this block with 'EOS' below**
# gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
#   main: # 'main' is the GitLab 'provider ID' of this LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
#     verify_certificates: true
#     smartcard_auth: false
#     active_directory: true
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
#
#   secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
#     verify_certificates: true
#     smartcard_auth: false
#     active_directory: true
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
# EOS
```

We will update this configuration section so that it looks like this:

```
### LDAP Settings

gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false

gitlab_rails['ldap_servers'] = {
  'main' => {
    'label' => 'LDAP',
    'host' => 'ldap.kifarunix-demo.com',
    'port' => 389,
    'uid' => 'uid',
    'encryption' => 'start_tls',
    'verify_certificates' => false,
    'tls_options' => {
      'ca_file' => '/etc/ssl/certs/ldapca.pem'
      # 'ssl_version' => '',
      # 'ciphers' => '',
      # 'cert' => '',
      # 'key' => ''
    },
    'bind_dn' => 'cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com',
    'password' => 'hacker',
    'timeout' => 10,
    'active_directory' => false,
    'allow_username_or_email_login' => true,
    'block_auto_created_users' => true,
    'base' => 'dc=ldapmaster,dc=kifarunix-demo,dc=com',
    'user_filter' => '(memberOf=cn=gitlab,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com)',
    'attributes' => {
      'username' => ['uid'],
      'email' => ['Email'],
      'name' => 'cn',   # attribute used for the display name
      'first_name' => 'cn',
      'last_name' => 'sn'
    },
    'lowercase_usernames' => false,

    # EE Only
    'group_base' => '',
    'admin_group' => '',
    'external_groups' => [],
    'sync_ssh_keys' => false
  }
}
```

Be sure to replace:

- **`host`**: address of the LDAP server, IP or resolvable hostname.
- **`bind_dn`**: the DN of the LDAP user to bind with.
- **`password`**: the password of the bind user.
- **`base`**: the base under which to search for users.
- **`user_filter`**: filter specifying the users allowed to log in to Gitlab via OpenLDAP. In our case it is the group we created above.

**NOTE: for the SSL configuration, we are using a self-signed certificate for demo purposes. As such, we have set the verification to false.**

Once you are done making changes to the configuration, reconfigure the Gitlab application:

```
gitlab-ctl reconfigure
```

### Check the `bind_dn` and `password` credentials

Next, run the command below, which "tests the `bind_dn` and `password` credentials (if configured) and lists a sample of LDAP users":

```
gitlab-rake gitlab:ldap:check
```

Sample output:

```
Checking LDAP ...

LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'ldap.kifarunix-demo.com:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
	DN: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com	 uid: johndoe
	DN: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com	 uid: janedoe

Checking LDAP ... Finished
```

Seems all is well :-).

### Login to Gitlab with OpenLDAP Credentials

Next, navigate to the Gitlab web interface. You will notice that the login page now offers two options to log in: LDAP and Standard.

Log in with an LDAP user. If the user account has to be validated by the admin before one can log in, you will see a message like this:

```
Your account is pending approval from your GitLab administrator and hence blocked. Please contact your GitLab administrator if you think this is an error.
```

Log in as the default Gitlab administrative user using the standard account and approve the LDAP user account above.

Navigate to **Admin > Users > Pending Approval**. You should see the LDAP user account. Click on the gear button adjacent to the user and click **Approve**.

The user is now listed under Active users.

Now let the LDAP user log in.

And there you go. That marks the end of our tutorial.

### Read more

- Gitlab LDAP Documentation page
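To see why the `user_filter` above (and not just the presence of a user under `ou=people`) is what limits who can log in, the following is an added example, not code from the post or from GitLab, that models the lookup offline against the tutorial's two group members plus a constructed non-member. It assumes that GitLab ANDs its `uid` lookup with `user_filter`, and that OpenLDAP's memberof overlay is populating `memberOf` on user entries, since that attribute is not part of inetOrgPerson; without the overlay the filter matches nobody and `gitlab-rake gitlab:ldap:check` lists no users.

```python
import re

# Added example (not from the kifarunix post or GitLab). Models how the
# post's 'uid' lookup and 'user_filter' combine to gate a login. Assumed:
# GitLab ANDs the two; the memberof overlay writes memberOf onto users.
BASE = "dc=ldapmaster,dc=kifarunix-demo,dc=com"
GROUP_DN = f"cn=gitlab,ou=groups,{BASE}"
USER_FILTER = f"(memberOf={GROUP_DN})"  # the post's user_filter value

# Constructed directory: the post's two members of cn=gitlab plus 'bob',
# who exists under ou=people but was never added to the group.
GROUP_MEMBERS = {f"uid=johndoe,ou=people,{BASE}", f"uid=janedoe,ou=people,{BASE}"}
ENTRIES = []
for uid in ("johndoe", "janedoe", "bob"):
    dn = f"uid={uid},ou=people,{BASE}"
    ENTRIES.append({"dn": dn, "uid": [uid],
                    "memberOf": [GROUP_DN] if dn in GROUP_MEMBERS else []})


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter, so that a
    typed login name cannot add or widen filter components."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def login_filter(login, uid_attr="uid"):
    """Filter a login attempt produces: the uid lookup ANDed with
    user_filter. (allow_username_or_email_login also tries the email
    attributes; that branch is omitted here.)"""
    return f"(&({uid_attr}={escape_filter_value(login)}){USER_FILTER})"


def matches(entry, filt):
    """Evaluate an AND of equality assertions, e.g. (&(uid=x)(memberOf=dn)).
    As on a real server, a bare '*' is a presence wildcard while an
    escaped '\\2a' is a literal asterisk."""
    assert filt.startswith("(&") and filt.endswith(")")
    for attr, raw in re.findall(r"\((\w+)=([^()]*)\)", filt[2:-1]):
        values = entry.get(attr, [])
        if raw == "*":
            if not values:
                return False
            continue
        literal = re.sub(r"\\([0-9a-fA-F]{2})",
                         lambda m: chr(int(m.group(1), 16)), raw)
        if literal not in values:
            return False
    return True


def find_user(login):
    """DN the login would resolve to, or None if the user is not allowed."""
    for entry in ENTRIES:
        if matches(entry, login_filter(login)):
            return entry["dn"]
    return None
```

`find_user("bob")` returns `None` even though bob is a valid LDAP account, which is exactly the effect the tutorial wants from the group; `find_user("*")` also returns `None` because the asterisk is escaped before it reaches the filter.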