Gitlab (Linux – Installation from Source) and LDAP Windows Server 2012

Active Directory is running on Windows Server 2012 R2 Datacenter.
GitLab is installed from source on Linux, in /home/git/.

The Windows domain is called: ad.example.local
The Windows host is called: server01.ad.example.local
The Windows host has the IP address 192.168.0.1
I don't use the DNS name because of IPv6 problems.

The connection is SSL/TLS protected (LDAPS on port 636).

First you need a "bind" user. This user doesn't need any special rights, and it can be in any organisational unit or in none.
With a bind DN like 'CN=bind,OU=Dummy,DC=ad,DC=example,DC=local' I didn't have success. You need username@domain (the userPrincipalName form, which Active Directory accepts for a simple bind):

bind_dn: 'bind@ad.example.local'

You need the server certificate from the Windows Server (Microsoft's export instructions):

https://technet.microsoft.com/en-us/library/cc730988(v=ws.11).aspx

Export the certificate as "Base-64 encoded X.509 (.CER)". That is the PEM encoding the ca_file setting expects; a DER export has to be converted first.

As "base" I use the whole directory:

base: 'DC=ad,DC=example,DC=local'

But I only want members of the group "Mitarbeiter", which is in the organisational unit "Gruppen":

user_filter: '(memberOf=CN=Mitarbeiter,OU=Gruppen,DC=ad,DC=example,DC=local)'

This group should not contain other groups: memberOf matches direct members only, so a user who is only a member of a nested group would not pass the filter.

The complete configuration file gitlab.yml in /home/git/gitlab/config/:

## LDAP settings
  # You can test connections and inspect a sample of the LDAP users with login
  # access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: true
    servers:
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'

        # Example: 'ldap.mydomain.com'
        host: '192.168.0.1'
        # This port is an example, it is sometimes different but it is always an integer and not a string
        port: 636 # usually 636 for SSL, 389 for no SSL
        uid: 'sAMAccountName' # This should be the attribute, not the value that maps to uid.

        # Examples: 'america\\momo' or 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=com'
        bind_dn: 'bind@ad.example.local'        
        password: '<HIDDEN>'

        # Encryption method. The "method" key is deprecated in favor of
        # "encryption".
        #
        #   Examples: "start_tls" or "simple_tls" or "plain"
        #
        #   Deprecated values: "tls" was replaced with "start_tls" and "ssl" was
        #   replaced with "simple_tls".
        #
        encryption: 'simple_tls'

        # Enables SSL certificate verification if encryption method is
        # "start_tls" or "simple_tls". Defaults to true.
        verify_certificates: false

        # Specifies the path to a file containing a PEM-format CA certificate,
        # e.g. if you need to use an internal CA.
        #
        #   Example: '/etc/ca.pem'
        #
        ca_file: '/etc/ssl/certs/server01.ad.example.local.cer'

        # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
        # is not appropriate.
        #
        #   Example: 'TLSv1_1'
        #
        ssl_version: ''

        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10

        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true

        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false

        # To maintain tight control over the number of active users on your GitLab installation,
        # enable this setting to keep new users blocked until they have been cleared by the admin
        # (default: false).
        block_auto_created_users: false

        # Base where we can search for users
        #
        #   Ex. 'ou=People,dc=gitlab,dc=example' or 'DC=mydomain,DC=com'
        #
        base: 'DC=ad,DC=example,DC=local'

        # Filter LDAP users
        #
        #   Format: RFC 4515 https://tools.ietf.org/search/rfc4515
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
        #   Example for getting only specific users:
        #   '(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'
        #
        user_filter: '(memberOf=CN=Mitarbeiter,OU=Gruppen,DC=ad,DC=example,DC=local)'

        # LDAP attributes that GitLab will use to create an account for the LDAP user.
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
          # If the attribute specified for `username` contains an email address,
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email:    ['mail', 'email', 'userPrincipalName']

          # If no full name could be found at the attribute specified for `name`,
          # the full name is determined using the attributes specified for
          # `first_name` and `last_name`.
          name:       'cn'
          first_name: 'givenName'
          last_name:  'sn'

      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....

Important:

Don't use tabs in gitlab.yml! It is YAML, and a single tab in the indentation breaks the parse.

With verify_certificates: false GitLab does not check the server certificate at all, so the ca_file entry above is not enforced and the LDAPS connection has no protection against a man-in-the-middle. Once the exported certificate loads correctly, set verify_certificates: true.
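The whole procedure above (bind user, certificate export, base and group filter, gitlab.yml) can be checked from the GitLab host before GitLab itself is touched. The script below is an added example; it is not from the original post and not GitLab's own tooling. It assumes the OpenLDAP client (ldapsearch) and openssl are installed, uses the host, bind user, group DN and certificate path from this post as defaults, and the CA_PEM output path, the GITLAB_YML variable and the "nested" filter variant are my own additions.

```shell
#!/bin/sh
# Pre-flight checks for the GitLab <-> Active Directory setup in this post.
# Added example, not part of the original post and not GitLab's own code.
# Defaults are the values from the post; override them via the environment.
set -eu

LDAP_HOST="${LDAP_HOST:-192.168.0.1}"
LDAP_PORT="${LDAP_PORT:-636}"
LDAP_BASE="${LDAP_BASE:-DC=ad,DC=example,DC=local}"
BIND_USER="${BIND_USER:-bind@ad.example.local}"
GROUP_DN="${GROUP_DN:-CN=Mitarbeiter,OU=Gruppen,DC=ad,DC=example,DC=local}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/server01.ad.example.local.cer}"
# Assumed output path for the PEM copy of the certificate (my addition).
CA_PEM="${CA_PEM:-/etc/ssl/certs/server01.ad.example.local.pem}"
GITLAB_YML="${GITLAB_YML:-/home/git/gitlab/config/gitlab.yml}"

# Build user_filter. Plain memberOf matches direct members only; the
# LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941 makes AD also
# return members of nested groups, should the group ever contain groups.
group_filter() {
    if [ "${2:-direct}" = "nested" ]; then
        printf '(memberOf:1.2.840.113556.1.4.1941:=%s)\n' "$1"
    else
        printf '(memberOf=%s)\n' "$1"
    fi
}

# ca_file must be PEM. The Windows export wizard produces PEM only when
# "Base-64 encoded X.509 (.CER)" is selected; a DER export is converted.
ensure_pem() {
    if head -n 1 "$1" | grep -q -e '^-----BEGIN CERTIFICATE-----'; then
        cp "$1" "$2"
    else
        openssl x509 -inform der -in "$1" -out "$2"
    fi
}

# gitlab.yml is YAML: a single tab in the indentation breaks parsing.
check_no_tabs() {
    if grep -q "$(printf '\t')" "$1"; then
        echo "tab character found in $1" >&2
        return 1
    fi
    return 0
}

# Do what GitLab will do at login: bind as the UPN-form bind user over
# LDAPS and list the accounts the filter admits. LDAPTLS_CACERT and
# LDAPTLS_REQCERT=demand make the OpenLDAP client verify the server
# certificate, i.e. the equivalent of verify_certificates: true.
# The name given in -H must match the certificate (a DNS name in its
# subject/SAN, or an IP address in a SAN), so connecting by IP as in this
# post only verifies if the certificate carries that IP.
# -W prompts for the bind password so it never appears in the process list.
ldap_check() {
    LDAPTLS_CACERT="$CA_PEM" LDAPTLS_REQCERT=demand \
    ldapsearch -H "ldaps://$LDAP_HOST:$LDAP_PORT" -x \
        -D "$BIND_USER" -W -b "$LDAP_BASE" \
        "$(group_filter "$GROUP_DN")" sAMAccountName mail memberOf
}

# Only talks to the domain controller when invoked as:  sh ldap-preflight.sh run
if [ "${1:-}" = "run" ]; then
    ensure_pem "$CA_FILE" "$CA_PEM"
    check_no_tabs "$GITLAB_YML"
    ldap_check
fi
```

If ldapsearch returns the expected accounts with the certificate verified, the same values can go into gitlab.yml with verify_certificates: true, and `bundle exec rake gitlab:ldap:check RAILS_ENV=production` from the config comment should then show the same users.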
