10/29/2014 - 1:29 PM

gitlab active directory integration

[UPDATED] How to enable LDAP filters in GitLab
Submitted by dimaj on Mon, 08/19/2013 - 09:52

For those of you who are not familiar with GitLab: it is an amazing open source, self-hosted Git management application. The interface is somewhat like what you see on GitHub. However, no matter what I say, I will not do it justice, so why don't you head on over to their website and see for yourself!

Those of you who are familiar with GitLab know that while LDAP authentication is provided right out of the box, there is no way to specify a filter that decides whether a user is granted access or not. A while back I found a very messy way of integrating LDAP filters into the system and had a discussion about it on GitLab's GitHub page. Recently I was updating my GitLab server to the latest version (5.4 stable) and, as a result, had to undo all my changes in order to switch branches for the install, and thus I lost my filtered authentication. So I decided to find a new way of including filter support and came up with this simple approach. Without further ado, here it goes!

1) Install the latest version of GitLab on your server by following the install guide, which can be found here

2) Edit /home/git/gitlab/Gemfile, replacing

gem 'gitlab_omniauth-ldap', '1.0.3', require: "omniauth-ldap"

with

gem 'omniauth-ldap', :git => 'https://github.com/webagecorp/omniauth-ldap.git', require: 'net-ldap'

This swaps in a patched fork of the omniauth-ldap gem that adds filter support to LDAP authentication. Note that your login path now runs code fetched from a third-party repository: with no `:ref` or `:tag` given, Bundler takes whatever that repository's default branch contains at install time, so review the fork and pin it to a specific commit with Bundler's `:ref` option before relying on it.

3) Edit /home/git/gitlab/config/gitlab.yml so that the LDAP section looks like this. Keep the section's existing `uid:` key, since step 4 reads it, and leave exactly one `filter:` line active: YAML keeps only the last value of a duplicated key, so having both lines uncommented would silently make the Active Directory filter the effective one.

  ## LDAP settings
    enabled: true
    host: 'localhost'
    base: 'ou=people,dc=example,dc=com'
    port: 389
    # LDAP (OpenLDAP) filter
    filter: '(&(uid=%{username})(memberOf=cn=gitlabusers,ou=groups,dc=example,dc=com))'
    # Active Directory filter (thanks reV); use this instead of the line above on AD
    # filter: '(&(sAMAccountName=%{username})(memberOf=cn=gitlabusers,ou=groups,dc=example,dc=com))'
    method: 'plain' # "ssl" or "plain"
    bind_dn: 'cn=user,dc=example,dc=com'
    password: 'ldap pa$$w0rd'

With method: 'plain' the bind password and every user's login password cross the wire unencrypted; that is tolerable here only because the directory is on localhost. For a directory on another machine use 'ssl' (LDAPS, normally port 636).

4) Edit /home/git/gitlab/config/initializers/devise.rb so that the Gitlab.config.ldap.enabled section looks like this:

# If you are running GitLab 6.1, uncomment the line that starts with 'require',
# otherwise you will get a 'StrategyNotFound' error.
# Thanks to Lucas Kahlert for the find and the fix.
# require 'omniauth-ldap'
if Gitlab.config.ldap.enabled
  config.omniauth :ldap,
    host:     Gitlab.config.ldap['host'],
    base:     Gitlab.config.ldap['base'],
    uid:      Gitlab.config.ldap['uid'],
    filter:   Gitlab.config.ldap['filter'], # Notice the new 'filter' line here
    port:     Gitlab.config.ldap['port'],
    method:   Gitlab.config.ldap['method'],
    bind_dn:  Gitlab.config.ldap['bind_dn'],
    password: Gitlab.config.ldap['password']
end

5) Make sure that all gems are installed by running the following command:

sudo -u git -H bundle install --without development test postgres --path vendor/bundle --no-deployment

Once the above five steps have been completed, you should be able to authenticate users that meet your filter criteria; a user who does not match the filter is rejected even with a valid directory password.

UPDATE (02/16/2014)
Just a quick update on how to get LDAP filters working with the latest master code base of GitLab.

Thanks to jhollingsworth and his pull request (merged not too long ago), filters can be enabled in a few easy steps:
1) Switch your GitLab instance from the stable branch to master
2) Follow the main installation manual starting with the section on installing gems (you can follow this direct link)
3) Follow step 4 of my original manual

UPDATE (04/08/2014)
Another update on the subject...

I just tried this functionality with the latest version of GitLab (v6.7.3) and it works out of the box!

Here's how to set it up:
1) Upgrade to the latest version (6.7.3 in this case)
2) Update config/gitlab.yml so that the LDAP section looks similar to this:

    enabled: true
    host: 'localhost'
    port: 389
    uid: 'uid'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'cn=admin,dc=example,dc=com'
    password: 'test'
    base: 'ou=Users,dc=example,dc=com'
    user_filter: '(memberOf=cn=gitlab,ou=Groups,dc=example,dc=com)'

Once you launch your instance of GitLab, your filters should just work!
(after putting the machine into the domain)

Now go to your GitLab server, log in and become the git user:

sudo su - git

And edit the ~/gitlab/config/gitlab.yml file (assuming you followed the official installation guide; otherwise adapt the path). The relevant LDAP section should contain this:

    enabled: true
    host: 'pdc1.domain.tld'
    base: 'CN=Users,DC=Domain,DC=tld'
    port: 389
    uid: 'sAMAccountName'
    method: 'plain' # or "ssl"
    bind_dn: 'CN=Gitlab LDAP,CN=Users,DC=Domain,DC=tld'
    password: 'example_password'

Here method: 'plain' talks to the domain controller over unencrypted LDAP on port 389, so the bind password and every user's login password cross the network in clear text; if the domain controller has a certificate for LDAPS, prefer method: 'ssl' with port: 636.

It took me a while to find the correct bind_dn and base_dn. It appears that they are case sensitive: cn=Users would not work, but CN=Users does. Also, the bind_dn does not use the user's email address, but the Display Name. So CN=gitlab@domain.tld does not work, but CN=Gitlab LDAP does.