LDAP Integration for GitLab-CE
First I install GitLab-CE with a docker-composer stack, that i found at stackfiles.io as described in my blog post.
Go to your OpenLDAP Server and create a user to use bind_dn named _gitlab-search, and check if you can search with this user
~# ldapsearch -LLL -H ldaps://ldap.mycompany.com -D uid=gitlab-search,ou=people,ou=mycompany,dc=com -b ou=people,ou=mycompany,dc=com -W
Enter LDAP Password:
To enable LDAP edit gitlab.rb, as decribed in gitlab setting-up-ldap-sign-in.
~# vi /etc/gitlab/gitlab.rb
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'LDAP'
host: 'ldap.mycompany.com'
port: 389
uid: 'uid'
method: 'tls' # "tls" or "ssl" or "plain"
bind_dn: 'cn=gitlab-search,ou=people,ou=mycompany,dc=com'
password: 'the_password_of_the_bind_user'
active_directory: false
allow_username_or_email_login: false
block_auto_created_users: false
base: 'ou=people,ou=mycompany,dc=com'
user_filter: 'uid'
attributes:
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
## EE only
group_base: ''
admin_group: ''
sync_ssh_keys: false
If your OpenLDAP support anonymous search edit your gitlab.rb, and put a empty fields on bind_dn and password.
~# vi /etc/gitlab/gitlab.rb
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'LDAP'
host: 'ldap.mycompany.com'
port: 389
uid: 'uid'
method: 'tls' # "tls" or "ssl" or "plain"
bind_dn: ''
password: ''
active_directory: false
allow_username_or_email_login: false
block_auto_created_users: false
base: 'ou=people,ou=mycompany,dc=com'
user_filter: ''
attributes:
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
## EE only
group_base: ''
admin_group: ''
sync_ssh_keys: false
Install Your Company CA Certificate
~# cd /usr/share/ca-certificates/
~# wget http://mycompany.com/ca/MyCompany_Class_3_Root.crt
~# apt-get install --reinstall ca-certificates
~# dpkg-reconfigure ca-certificates
Check date and timezone on gitlab and ldap servers, it must be the same
Go to OpenLDAP machine
ldap:~# date
Wed Feb 17 11:32:33 WET 2016
ldap :~# cat /etc/timezone
Europe/Lisbon
Go to GitLab machine
gitlab:~# date
Wed Feb 17 11:32:23 UTC 2016
gitlab:~# cat /etc/timezone
Etc/UTC
Let’s put gitlab host date and timezone ok.
For RedHat and similar follow [redhat] docs
~# timedatectl set-timezone Europe/Lisbon
On Debian/Ubunt if you have this warning "_Warning: ignoring the TZ variable..._",
check TZ var first and put it empty,
~# timedatectl status
Warning: ignoring the TZ variable, reading the system's timezone setting only.
~# echo $TZ
Australia/Adelaide
~# TZ=""
~# echo "Europe/Lisbon" | sudo tee /etc/timezone
~# dpkg-reconfigure --frontend noninteractive tzdata
~# date
Wed Feb 17 11:32:33 WET 2016
~# cat /etc/timezone
Europe/Lisbon
~# timedatectl status
Local time: Thu 2016-02-18 14:04:35 WET
You may need to restart daemons and other long-running programs to get them to use new timezone info. Examples of such programs include apache, bind, cron, etc as refered here on debian wiki.
In my case i have a Ubuntu, and just need to restart cron and rsyslog.
~# service cron restart
~# service rsyslog restart
Go to you GitLab and check if you can search your LDAP Server
~# ldapsearch -H ldaps://ldap.mycompany.com -x -b "ou=people,ou=mycompany,dc=com"
Reconfigure gitlab stuff
~# gitlab-ctl reconfigure
Check out the logs
~# gitlab-ctl tail
If you have a issue about invalid credentials, you can check more about it as described in serverfault.
~# gitlab-rake gitlab:ldap:check RAILS_ENV=production