2
votes

I have a GitLab server installed somewhere, and I am trying to get it working for my AD users. I have the following configuration:

label: 'LDAP'
host: 'myserver.com'
port: 389
#uid: ''
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: ''
#password: ''
active_directory: true
allow_username_or_email_login: true
block_auto_created_users: false
base: ''
user_filter: ''
## EE only
group_base: ''
admin_group: ''
sync_ssh_keys: false

But I cannot log in with the provided settings.

I am not very familiar with LDAP settings, but this is code in PHP which is used to log in to our in-house systems, and works perfectly:

$ldap = ldap_connect("ldap://myserver.com/");
if (!ldap_bind($ldap, "DOMAIN\\$username", $password)) {
    echo "Authentication Error";
} else {
    echo "OK";
}

I think I don't know where to put DOMAIN in the GitLab configuration.

I've gone through questions and googled about it, nothing worked.

I also tried logging in using username and DOMAIN\username and [email protected] and username@DOMAIN but none worked.

With some configuration (I don't remember exactly what, but I will find it if it is necessary), I get the following error in the logs:

ArgumentError (uid or filter MUST be provided):

EDIT:

This is what my config looks like now, still not working.

label: 'LDAP'
host: 'myserver.com'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: 'CN=gitldap,CN=Users,DC=myserver,DC=com'
password: 'thepassword'
active_directory: true
allow_username_or_email_login: true
#block_auto_created_users: false
base: 'ou=MyServer,dc=myserver,dc=com'
#user_filter: ''
### EE only
#group_base: ''
#admin_group: ''
#sync_ssh_keys: false

And for reference, this is how an SVN server is using our AD:

SVNParentPath /var/svn
SSLRequireSSL
AuthType Basic
AuthName "MyServer Source Control System"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=svnldap,CN=Users,DC=myserver,DC=com"
AuthLDAPBindPassword 'thepassword'
AuthLDAPURL "ldap://dc-2.myserver.com:389/ou=MyServer,dc=myserver,dc=com?sAMAccountName" NONE
AuthzSVNAccessFile /etc/svn/dav_svn.authz
Require valid-user

And I have to mention that myserver.com and dc-2.myserver.com resolve to the same machine.

2
Is gitldap an account authorized to read the LDAP forest, with its 'thepassword' account? – VonC
I think so. I told the support guys to create an account just like svnldap. How could I check that, like with ldapsearch? – vfsoraki
I would rather use ldapbind (docs.oracle.com/cd/B14099_19/idmanage.1012/b15883/…). See for instance superuser.com/a/708701/141 – VonC
Thank you. Problem is solved. I had to use Common Name, which is First Name + Last Name in bind dn. I was using username, by mistake. I used Git LDAP instead of gitldap and everything is working fine. Thank you. – vfsoraki
Great! I have added an answer to conclude this question. – VonC

2 Answers

1
votes

The first step is to check the binding to LDAP with ldapbind (see for instance "Using ldapbind to Authenticate").

As the OP mentions, that allows one to detect whether the user ID is correct.

I had to use Common Name, which is First Name + Last Name in bind dn.
I was using username, by mistake.
I used Git LDAP instead of gitldap and everything is working fine

0
votes

You will need to create an AD user account ("service account") for GitLab, whose DN and password have to be specified in the GitLab config as bind_dn and password.

uid should be set to 'sAMAccountName'.

This is different from what you did in PHP. There you used the user's credentials to access the AD through LDAP. GitLab will use its own user account and then look up users.
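The difference between the two flows, as an added example that is not part of the original answers and is not GitLab's or Active Directory's code: a constructed in-memory model of a direct `DOMAIN\username` bind (the PHP snippet) beside a service-account bind followed by a `sAMAccountName` lookup. The user "Jane Doe"/`jdoe`, her password, and all function names are hypothetical; the service account's CN "Git LDAP" comes from the OP's comment.

```python
DOMAIN = "DOMAIN"  # NetBIOS domain name, as in the question's PHP snippet
# Constructed sample directory (DN -> attributes); "jdoe" is a made-up user.
DIRECTORY = {
    "CN=Git LDAP,CN=Users,DC=myserver,DC=com":
        {"sAMAccountName": "gitldap", "password": "thepassword"},
    "CN=Jane Doe,OU=MyServer,DC=myserver,DC=com":
        {"sAMAccountName": "jdoe", "password": "users-password"},
}

def simple_bind(identity, password):
    """Model of an AD simple bind: accepts a full DN or DOMAIN\\sAMAccountName.
    Returns the DN that was bound, or None on invalid credentials."""
    if identity.upper().startswith(DOMAIN + "\\"):
        name = identity.split("\\", 1)[1].lower()
        dn = next((d for d, a in DIRECTORY.items()
                   if a["sAMAccountName"].lower() == name), None)
    else:  # a DN must match the entry's real CN, not its login name
        dn = next((d for d in DIRECTORY if d.lower() == identity.lower()), None)
    if dn and password and DIRECTORY[dn]["password"] == password:
        return dn
    return None

def search(base, attr, value):
    """Return DNs under base whose attribute equals value (case-insensitive)."""
    return [d for d, a in DIRECTORY.items()
            if d.lower().endswith(base.lower())
            and a.get(attr, "").lower() == value.lower()]

def search_then_bind(cfg, login, password):
    """Bind as the service account, look the user up by cfg['uid'],
    then bind as the DN that the search returned."""
    if simple_bind(cfg["bind_dn"], cfg["password"]) is None:
        return "service account bind failed"
    hits = search(cfg["base"], cfg["uid"], login)
    if len(hits) != 1:
        return "user not found"
    return "ok" if simple_bind(hits[0], password) else "invalid user password"

# bind_dn as posted in the question: the CN holds the login name, so no entry matches.
CFG = {"uid": "sAMAccountName", "password": "thepassword",
       "base": "ou=MyServer,dc=myserver,dc=com",
       "bind_dn": "CN=gitldap,CN=Users,DC=myserver,DC=com"}
# bind_dn with the account's Common Name, as in the OP's fix.
FIXED = dict(CFG, bind_dn="CN=Git LDAP,CN=Users,DC=myserver,DC=com")

if __name__ == "__main__":
    print(simple_bind("DOMAIN\\gitldap", "thepassword"))    # direct bind works
    print(search_then_bind(CFG, "jdoe", "users-password"))  # fails at step 1
    print(search_then_bind(FIXED, "jdoe", "users-password"))
```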