Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

setting up gitlab LDAP-authentication without special gitlab user

Tags:

gitlab

ldap

I want to set up Gitlab with our company's LDAP as a demo. But unfortunately I have to put in an admin password in gitlab.yml to make gitlab access the LDAP service. The problem actually is the administration, as they don't want to setup another account just for Gitlab. Is there any way to circumvent this without filling in my own password? Is there a way to make Gitlab establish the LDAP connection with only the provided user credentials?

Any ideas beside logging in as anonymous?

Already posted here.

like image 511
Bubu Avatar asked Mar 10 '13 11:03

Bubu


2 Answers

I have patched gitlab to work this way and documented the process in https://foivos.zakkak.net/tutorials/gitlab_ldap_auth_without_querying_account/

I shamelessly copy the instructions here for self-completeness.

Note: This tutorial was last tested with gitlab 8.2 installed from source.

This tutorial aims to describe how to modify a Gitlab installation to use the users credentials to authenticate with the LDAP server. By default Gitlab relies on anonymous binding or a special querying user to ask the LDAP server about the existence of a user before authenticating her with her own credentials. For security reasons, however, many administrators disable anonymous binding and forbid the creation of special querying LDAP users.

In this tutorial we assume that we have a gitlab setup at gitlab.example.com and an LDAP server running on ldap.example.com, and users have a DN of the following form: CN=username,OU=Users,OU=division,OU=department,DC=example,DC=com.

Patching

To make Gitlab work in such cases we need to partly modify its authentication mechanism regarding LDAP.

First, we replace the omniauth-ldap module with this derivation. To achieve this we apply the following patch to gitlab/Gemfile:

diff --git a/Gemfile b/Gemfile
index 1171eeb..f25bc60 100644
--- a/Gemfile
+++ b/Gemfile
@@ -44,4 +44,5 @@ gem 'gitlab-grack', '~> 2.0.2', require: 'grack'
 # LDAP Auth
 # GitLab fork with several improvements to original library. For full list of changes 
 # see https://github.com/intridea/omniauth-ldap/compare/master...gitlabhq:master
-gem 'gitlab_omniauth-ldap', '1.2.1', require: "omniauth-ldap"
+#gem 'gitlab_omniauth-ldap', '1.2.1', require: "omniauth-ldap"
+gem 'gitlab_omniauth-ldap', :git => 'https://github.com/zakkak/omniauth-ldap.git', require: 'net-ldap', require: "omniauth-ldap"

Now, we need to perform the following actions:

  1. sudo -u git -H bundle install --without development test mysql --path vendor/bundle --no-deployment
  2. sudo -u git -H bundle install --deployment --without development test mysql aws

These commands will fetch the modified omniauth-ldap module in gitlab/vendor/bundle/ruby/2.x.x/bundler/gems. Now that the module is fetched, we need to modify it to use the DN our LDAP server expects. We achieve this by patching lib/omniauth/strategies/ldap.rb in gitlab/vendor/bundle/ruby/2.x.x/bundler/gems/omniauth-ldap with:

diff --git a/lib/omniauth/strategies/ldap.rb b/lib/omniauth/strategies/ldap.rb
index 9ea62b4..da5e648 100644
--- a/lib/omniauth/strategies/ldap.rb
+++ b/lib/omniauth/strategies/ldap.rb
@@ -39,7 +39,7 @@ module OmniAuth
         return fail!(:missing_credentials) if missing_credentials?

         # The HACK!  FIXME: do it in a more generic/configurable way
-        @options[:bind_dn]  = "CN=#{request['username']},OU=Test,DC=my,DC=example,DC=com"
+        @options[:bind_dn]  = "CN=#{request['username']},OU=Users,OU=division,OU=department,DC=example,DC=com"
         @options[:password] = request['password']
         @adaptor = OmniAuth::LDAP::Adaptor.new @options

With this module, gitlab uses the user's credentials to bind to the LDAP server and query it, as well as, to authenticate the user herself.

This however will only work as long as the users do not use ssh-keys to authenticate with Gitlab. When authenticating through an ssh-key, by default Gitlab queries the LDAP server to find out whether the corresponding user is (still) a valid user or not. At this point, we cannot use the user credentials to query the LDAP server, since the user did not provide them to us. As a result we disable this mechanism, essentially allowing users with registered ssh-keys but removed from the LDAP server to still use our Gitlab setup. To prevent such users from being able to still use your Gitlab setup, you will have to manually delete their ssh-keys from any accounts in your setup.

To disable this mechanism we patch gitlab/lib/gitlab/ldap/access.rb with:

diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 16ff03c..9ebaeb6 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -14,15 +14,16 @@ module Gitlab
       end

       def self.allowed?(user)
-        self.open(user) do |access|
-          if access.allowed?
-            user.last_credential_check_at = Time.now
-            user.save
-            true
-          else
-            false
-          end
-        end
+        true
+        # self.open(user) do |access|
+        #   if access.allowed?
+        #     user.last_credential_check_at = Time.now
+        #     user.save
+        #     true
+        #   else
+        #     false
+        #   end
+        # end
       end

       def initialize(user, adapter=nil)
@@ -32,20 +33,21 @@ module Gitlab
       end

def allowed?
-        if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
-          return true unless ldap_config.active_directory
+        true
+        # if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
+        #   return true unless ldap_config.active_directory

-          # Block user in GitLab if he/she was blocked in AD
-          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
-            user.block unless user.blocked?
-            false
-          else
-            user.activate if user.blocked? && !ldap_config.block_auto_created_users
-            true
-          end
-        else
-          false
-        end
+        #   # Block user in GitLab if he/she was blocked in AD
+        #   if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+        #     user.block unless user.blocked?
+        #     false
+        #   else
+        #     user.activate if user.blocked? && !ldap_config.block_auto_created_users
+        #     true
+        #   end
+        # else
+        #   false
+        # end
rescue
false
end

Configuration

In gitlab.yml use something like the following (modify to your needs):

#
# 2. Auth settings
# ==========================

## LDAP settings
# You can inspect a sample of the LDAP users with login access by running:
#   bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap:
  enabled: true
  servers:
    ##########################################################################
    #
    # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
    # Enterprise Edition now supports connecting to multiple LDAP servers.
    #
    # If you are updating from the old (pre-7.4) syntax, you MUST give your
    # old server the ID 'main'.
    #
    ##########################################################################
    main: # 'main' is the GitLab 'provider ID' of this LDAP server
      ## label
      #
      # A human-friendly name for your LDAP server. It is OK to change the label later,
      # for instance if you find out it is too large to fit on the web page.
      #
      # Example: 'Paris' or 'Acme, Ltd.'
      label: 'LDAP_EXAMPLE_COM'

      host: ldap.example.com
      port: 636
      uid: 'sAMAccountName'
      method: 'ssl' # "tls" or "ssl" or "plain"
      bind_dn: ''
      password: ''

      # This setting specifies if LDAP server is Active Directory LDAP server.
      # For non AD servers it skips the AD specific queries.
      # If your LDAP server is not AD, set this to false.
      active_directory: true

      # If allow_username_or_email_login is enabled, GitLab will ignore everything
      # after the first '@' in the LDAP username submitted by the user on login.
      #
      # Example:
      # - the user enters '[email protected]' and 'p@ssw0rd' as LDAP credentials;
      # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
      #
      # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
      # disable this setting, because the userPrincipalName contains an '@'.
      allow_username_or_email_login: false

      # To maintain tight control over the number of active users on your GitLab installation,
      # enable this setting to keep new users blocked until they have been cleared by the admin
      # (default: false).
      block_auto_created_users: false

      # Base where we can search for users
      #
      #   Ex. ou=People,dc=gitlab,dc=example
      #
      base: 'OU=Users,OU=division,OU=department,DC=example,DC=com'

      # Filter LDAP users
      #
      #   Format: RFC 4515 http://tools.ietf.org/search/rfc4515
      #   Ex. (employeeType=developer)
      #
      #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
      #
      user_filter: '(&(objectclass=user)(objectclass=person))'
like image 190
zakkak Avatar answered Sep 28 '22 14:09

zakkak


GitLab uses omniauth to manage multiple login sources (including LDAP).

So if you can somehow extend omniauth in order to manage the LDAP connection differently, you could fetch the password from a different source.
That would allow you to avoid keeping said password in the ldap section of the gitlab.yml config file.

like image 32
VonC Avatar answered Sep 28 '22 16:09

VonC