LDAP on GitLab with Red Hat Identity Management (FreeIPA)

I have no idea why, but this weekend I redeployed everything I have in DigitalOcean - not permanently, just to try I guess...

Well, it did leave me with a lot of documentation at least! You'd be surprised how much stuff I just do and leave to the pages of history. This time was different, this time, I typed.

One of the things that has always gotten me is how to properly integrate LDAP into different things - every application has a different way of interacting and filtering the schema. GitLab is no exception, but today, I have finally mastered their thought of LDAP integration.

1. LDAP Setup

First off, I'll be using Red Hat Identity Management, or FreeIPA, as the LDAP server. Honestly it's LDAP with a bunch of other things but either way, there are a couple assumptions being made:

1. You have a gitlabusers Group in IDM/IPA
2. You have a gitlabadmins Group in IDM/IPA
3. You have a set of users assigned to those groups
4. You have a bind user dedicated to GitLab LDAP Binding

How do you make a dedicated Bind DN for your LDAP server? Make a file called gitlabbdn.update with the following contents:

dn: uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com add:objectclass:account add:objectclass:simplesecurityobject add:uid:gitlabbdn add:userPassword:s3cr3tP455w0rdHERE add:passwordExpirationTime:20380119031407Z add:nsIdleTimeout:0 

Then on your IPA server, as the admin user, run the following command:

ipa-ldap-updater gitlab-bind.update 

Now you can use the Bind DN of uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com and the s3cr3tP455w0rdHERE password you set to securely bind to the LDAP server.

2. GitLab Configuration

Next, we'll modify the LDAP section of the /etc/gitlab/gitlab.rb file to look something like this:

### LDAP Settings ###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html ###! **Be careful not to break the indentation in the ldap_servers block. It is ###! in yaml format and the spaces must be retained. Using tabs will not work.** gitlab_rails['ldap_enabled'] = true gitlab_rails['prevent_ldap_sign_in'] = false ###! **remember to close this block with 'EOS' below** gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' main: label: 'My LDAP' host: 'ipa.example.com' port: 389 uid: 'uid' bind_dn: 'uid=gitlabbdn,cn=users,cn=accounts,dc=example,dc=com' password: 's3cr3tP455w0rdHERE' encryption: 'start_tls' verify_certificates: false smartcard_auth: false active_directory: false allow_username_or_email_login: false lowercase_usernames: false block_auto_created_users: false base: 'cn=accounts,dc=example,dc=com' user_filter: '(memberof=CN=gitlabusers,CN=groups,CN=accounts,DC=example,DC=com)' attributes: username: ['uid'] email: ['mail'] name: 'displayName' first_name: 'givenName' last_name: 'sn' EOS 

Outside of replacing the domain/credentials with yours, that should do it. Any LDAP user in the gitlabusers group will be able to access.

Run gitlab-ctl reconfigure and enjoy the new centralized authentication!