Could anyone check these fictitious settings for LDAP authentication in GitLab 7.1.1?
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = 'myserver.dom.com.net'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_uid'] = 'sAMAccountName'
gitlab_rails['ldap_method'] = 'plain' # 'ssl' or 'plain'
gitlab_rails['ldap_bind_dn'] = 'OU=Users,DC=dom,DC=com,DC=net'
gitlab_rails['ldap_password'] = '????'
gitlab_rails['ldap_allow_username_or_email_login'] = true
gitlab_rails['ldap_base'] = 'DC=dom,DC=com,DC=net'
Which ldap_bind_dn has to be set in order for GitLab to work (user account equivalent)?
Which ldap_password has to be set in order for GitLab to work?
I followed suggestions from @metaDiego and @heinglandreas. Both were on the right path. So I modified my settings in the lines:
gitlab_rails['ldap_bind_dn'] = 'CN=the_allowed_user_for_access_ldap,OU=Users,DC=dom,DC=com,DC=net'
gitlab_rails['ldap_password'] = 'the_password_of_allowed_user'
The ldap_bind_dn may vary according to the AD structure and the current level where the allowed user is located.
My company AD doesn't allow anonymous LDAP queries, so adding those parameters was mandatory.
Ask the domain administrators for help getting those parameters.
Useful article from gitlabhq at Github
If gitlab_rails['ldap_allow_username_or_email_login'] = true, the user can log in with either the email format or only the domain username.
The ldap_bind_dn has to be the DN of a user that has read access to the LDAP. As far as I can see you are pointing to a directory structure with OU=Users,DC=dom,DC=com,DC=net. You will have to use that user's password as
So ldap_bind_dn should read something like uid=userid,OU=Users,DC=com,DC=com,DC=net and ldap_password should then be userid's password.
On some LDAP servers ldap_bind_dn can be left empty as they allow anonymous bind. In that case the ldap_password has to be left empty also.
Does that make sense? Otherwise feel free to comment!
I have a working GitLab LDAP conf, and the password field has to match the bind_dn user you chose.
gitlab_rails['ldap_base'] = 'ou=somehting,dc=foo,dc=bar'
gitlab_rails['ldap_bind_dn'] = 'uid=SOMEONE,ou=somehting,dc=foo,dc=bar'
gitlab_rails['ldap_password'] = 'SOMEONE_PASSWORD'
ldap_base is where you search for users
ldap_bind_dn is "the user on the external LDAP server permitted to search the LDAP directory within the defined search base."
ldap_password is the password for the bind_dn user. So in your case it has to match with the user OU=Users's password.
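A checker for the settings discussed in this thread, added here as an example and not taken from the question, the answers or GitLab: it parses the gitlab_rails['ldap_*'] lines and flags a bind DN that names a container instead of an account, a bind DN and password that are not set together, and a bind password sent with the unencrypted 'plain' method. The function names, the container-attribute heuristic and the sample input (copied from the question) are assumptions made for illustration.

```python
import re

# Constructed sample: the LDAP lines from the question, as they would sit in gitlab.rb.
SAMPLE = """\
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = 'myserver.dom.com.net'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_method'] = 'plain' # 'ssl' or 'plain'
gitlab_rails['ldap_bind_dn'] = 'OU=Users,DC=dom,DC=com,DC=net'
gitlab_rails['ldap_password'] = '????'
gitlab_rails['ldap_base'] = 'DC=dom,DC=com,DC=net'
"""

# Matches gitlab_rails['ldap_x'] = 'quoted value' or a bare word (true, 389).
LINE = re.compile(r"^\s*gitlab_rails\['(ldap_\w+)'\]\s*=\s*(?:'([^']*)'|(\w+))")
# Heuristic (assumption): a DN whose first RDN is one of these names a container.
CONTAINER_ATTRS = {"ou", "dc", "o"}


def parse(text):
    """Return {setting: value} for every gitlab_rails['ldap_*'] assignment."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def lint(settings):
    """Return findings about the bind account and the transport it is sent over."""
    findings = []
    bind_dn = settings.get("ldap_bind_dn", "")
    password = settings.get("ldap_password", "")
    if bind_dn:
        first_attr = bind_dn.split(",")[0].split("=")[0].strip().lower()
        if first_attr in CONTAINER_ATTRS:
            findings.append("ldap_bind_dn names a container, not a user entry")
        if not password:
            findings.append("ldap_bind_dn is set but ldap_password is empty")
    elif password:
        findings.append("ldap_password is set but ldap_bind_dn is empty")
    if settings.get("ldap_method") == "plain" and password:
        findings.append("ldap_method 'plain' sends the bind password unencrypted")
    return findings


if __name__ == "__main__":
    for finding in lint(parse(SAMPLE)):
        print("WARN:", finding)
```
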