Waqas Ali Razzaq

Reputation: 669

Configure GitLab with open LDAP

I am trying to configure my GitLab with OpenLDAP to authenticate the users. I have configured OpenLDAP and it is working fine with Jenkins, but with GitLab it gives the error: Could not authenticate you from Ldapmain because "Invalid credentials".

Below is my gitlab.rb config:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'localhost'
    port: 389
    uid: 'uid'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'cn=admin,dc=ldap,dc=com'
    password: 'waqas'
    active_directory: false
    allow_username_or_email_login: true
    #block_auto_created_users: false
    base: 'cn=Appliance,dc=ldap,dc=com'
    user_filter: ''
    # attributes:
    #   username:   ['uid', 'userid', 'sAMAccountName']
    #   email:      ['mail', 'email', 'userPrincipalName']
    #   name:       'cn'
    #   first_name: 'givenName'
    #   last_name:  'sn'
    ## EE only
    # group_base: 'ou=W-Integrate,dc=ldap,dc=com'
    # admin_group: 'cn=admin,dc=ldap,dc=com'
    # sync_ssh_keys: false
EOS

My OpenLDAP screenshot is also attached. Can anyone tell me what I am doing wrong?

Upvotes: 3

Views: 5676

Answers (2)

Cheety

Reputation: 1

  1. Solution for OpenLDAP: create a group with groupOfUniqueNames instead of groupOfNames, because only groupOfUniqueNames has the memberOf attribute by default.

Upvotes: 0

VonC

Reputation: 1323115

Your base should not be a user (or inetOrgPerson, or a group of users such as cn=Appliance); it should be limited to dc entries for a base DN:

base: 'dc=ldap,dc=com'

This differs from bind_dn, the binding account, which does reference a user: bind_dn: 'cn=admin,dc=ldap,dc=com' (there is a cn there).


Note that since GitLab 13.7 (December 2020):

Support for encrypted LDAP credentials

GitLab uses a unified configuration file, for example gitlab.rb in Omnibus GitLab, which makes configuration easy across all of the bundled services.

Included in this configuration file are some secrets, like the credentials to authenticate to the LDAP server.
While access to this file does require elevated privileges, best practice is to separate secrets from configuration.

Omnibus GitLab and Source installs now support encrypted credentials, with the first credential supported being LDAP.
This reduces the sensitivity of the GitLab configuration file, and also helps to achieve customer compliance requirements.

See Documentation and Issue.

Upvotes: 2
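Added example, not code from the question, either answer, or GitLab itself: a small Ruby lint for the YAML text that gitlab.rb hands to YAML.load for gitlab_rails['ldap_servers']. It reproduces the mistake the answer above points out (a base that names an entry, cn=Appliance, instead of a search base) next to the corrected base, and adds two checks a reviewer would want anyway: that bind_dn names an account, and that method 'plain' is not used against a non-loopback host. The helper names parse_dn and lint_ldap_servers, the BROKEN/FIXED samples and the rules themselves are my own assumptions, not GitLab behaviour.

```ruby
require 'yaml'

# Constructed sample: the ldap_servers block from the question, with the base
# DN pointing at the cn=Appliance group (the mistake the answer above points out).
BROKEN = <<~'EOS'
  main:
    label: 'LDAP'
    host: 'localhost'
    port: 389
    uid: 'uid'
    method: 'plain'
    bind_dn: 'cn=admin,dc=ldap,dc=com'
    password: 'waqas'
    active_directory: false
    allow_username_or_email_login: true
    base: 'cn=Appliance,dc=ldap,dc=com'
    user_filter: ''
EOS

# The same block with the corrected base DN from the answer.
FIXED = BROKEN.sub("base: 'cn=Appliance,dc=ldap,dc=com'", "base: 'dc=ldap,dc=com'")

# Hypothetical helper: split a DN into [attribute, value] pairs, most specific
# RDN first. Handles the plain, unescaped DNs used on this page only.
def parse_dn(dn)
  dn.to_s.split(',').map { |rdn| rdn.strip.split('=', 2).map(&:strip) }
end

# Hypothetical lint: returns one message per problem found in the YAML text
# that gitlab.rb feeds to YAML.load for gitlab_rails['ldap_servers'].
def lint_ldap_servers(yaml_text)
  problems = []
  YAML.safe_load(yaml_text).each do |provider, cfg|
    base_rdn = parse_dn(cfg['base']).first
    # A search base should be a container (dc=/ou=); cn=... names one entry,
    # so the user search runs beneath a group and finds nobody to bind as.
    if base_rdn.nil? || base_rdn[0].casecmp?('cn')
      problems << "#{provider}: base '#{cfg['base']}' is an entry, not a search base; use a dc=/ou= DN"
    end
    bind_rdn = parse_dn(cfg['bind_dn']).first
    unless bind_rdn && %w[cn uid].include?(bind_rdn[0].downcase)
      problems << "#{provider}: bind_dn '#{cfg['bind_dn']}' should name a user entry (cn= or uid=)"
    end
    # 'plain' on a non-loopback host sends the bind password and every user's
    # password across the network unencrypted.
    if cfg['method'] == 'plain' && !%w[localhost 127.0.0.1 ::1].include?(cfg['host'])
      problems << "#{provider}: method 'plain' to #{cfg['host']} is unencrypted; use 'tls' or 'ssl'"
    end
  end
  problems
end

puts lint_ldap_servers(BROKEN)
puts "fixed config: #{lint_ldap_servers(FIXED).empty? ? 'no problems' : 'still broken'}"
```

Before editing gitlab.rb, confirm the same DNs directly against the server with ldapsearch, binding as the bind_dn and searching from the intended base (for the values on this page: ldapsearch -x -H ldap://localhost -D 'cn=admin,dc=ldap,dc=com' -W -b 'dc=ldap,dc=com' '(uid=<username>)'); if that returns no entry, GitLab will not find the user either. After gitlab-ctl reconfigure, sudo gitlab-rake gitlab:ldap:check binds with the configured credentials and lists the first users it finds under base, which is the quickest way to tell a bad bind from a bad base.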
