Gitlab AD-LDAP Integration

In this blog post I show how to integrate a GitLab server with a Samba-based Active Directory. Note: the same setup and configuration should also work with a Windows-based Active Directory.

For GitLab to “connect” to AD, a system account is required for the LDAP bind (the so-called LDAP bind account).

GitLab Active Directory LDAP Bind Account

In addition, I create two AD groups, one for users and one for admins. Members of the user group get “standard” access to GitLab; members of the admin group get “standard” access plus “administrative” access to manage the GitLab server settings.

GitLab Active Directory User Groups

The configuration file /etc/gitlab/gitlab.rb must be adjusted with the LDAP integration settings for the Samba-AD (or Windows-AD) server. The technical details of the LDAP integration are documented at GitLab General LDAP setup.

    gitlab_rails['ldap_enabled'] = true
    gitlab_rails['prevent_ldap_sign_in'] = false
    gitlab_rails['ldap_servers'] = {
      'main' => {
        'label' => 'LDAP',
        'host' => 'IP_ADDRESS_OF_SAMBA_AD_LDAP',
        'port' => 636,                  # LDAPS port, matches 'simple_tls' below
        'uid' => 'sAMAccountName',
        'encryption' => 'simple_tls',
        # false skips validation of the AD server certificate; for production set
        # it to true and point tls_options['ca_file'] at the AD CA certificate
        'verify_certificates' => false,
        # DC=AD_DOMAIN is a placeholder: ad.example.com becomes DC=ad,DC=example,DC=com
        'bind_dn' => 'CN=sys.gitlab,OU=Sys.Accounts,DC=AD_DOMAIN',
        'password' => 'LDAP_BIND_ACCOUNT_PASSWORD',
        'tls_options' => {
          'ca_file' => '',
          'ssl_version' => '',
          'ciphers' => '',
          'cert' => '',
          'key' => ''
        },
        'timeout' => 10,
        'active_directory' => true,
        'allow_username_or_email_login' => false,
        'block_auto_created_users' => false,
        # only users below this OU can sign in
        'base' => 'OU=Usr.Accounts,OU=Applications,DC=AD_DOMAIN',
        'user_filter' => '',
        'attributes' => {
          'username' => ['uid', 'userid', 'sAMAccountName'],
          'email' => ['mail', 'email', 'userPrincipalName'],
          'name' => 'cn',
          'first_name' => 'givenName',
          'last_name' => 'sn'
        },
        'lowercase_usernames' => false,
        # group_base, admin_group, external_groups and sync_ssh_keys are
        # GitLab Enterprise Edition settings; Community Edition ignores them
        'group_base' => 'OU=gitlab,OU=Applications,DC=AD_DOMAIN',
        'admin_group' => 'grp.gitlab.admins',
        'external_groups' => [],
        'sync_ssh_keys' => false
      }
    }
GitLab: LDAP config in /etc/gitlab/gitlab.rb
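Before reconfiguring, the LDAP block is worth auditing for settings that weaken transport security, above all `verify_certificates => false`, which leaves the AD server unauthenticated. The following Ruby script is an added example, not code from the post or from GitLab: it evaluates a gitlab.rb fragment (gitlab.rb is plain Ruby), reports such findings, and builds a hardened copy of the server entry; the CA file path is an assumption.

```ruby
# Added example (not GitLab's own code): audit the LDAP block of a gitlab.rb
# fragment for weak TLS settings before running `gitlab-ctl reconfigure`.
# gitlab.rb is plain Ruby (`gitlab_rails['key'] = value`), so the fragment is
# evaluated against a stand-in object whose `gitlab_rails` is a Hash.
class GitlabRbShim
  attr_reader :gitlab_rails
  def initialize; @gitlab_rails = {}; end
  def load(source); instance_eval(source); self; end
end

# Findings (strings) for one entry of ldap_servers; empty means no weakness found.
def audit_ldap_server(name, cfg)
  findings = []
  enc = cfg['encryption'].to_s
  unless %w[simple_tls start_tls].include?(enc)
    findings << "#{name}: encryption '#{enc}' sends the bind password in clear text"
  end
  if cfg['verify_certificates'] == false
    findings << "#{name}: verify_certificates=false, the AD server is not authenticated"
  end
  findings
end

def audit_gitlab_rb(source)
  rails = GitlabRbShim.new.load(source).gitlab_rails
  return ['ldap_enabled is not true'] unless rails['ldap_enabled'] == true
  (rails['ldap_servers'] || {}).flat_map { |name, cfg| audit_ldap_server(name, cfg) }
end

# Same entry with certificate verification on and the AD CA pinned through
# tls_options['ca_file'] (the default path below is an assumption).
def harden_ldap_server(cfg, ca_file: '/etc/gitlab/trusted-certs/ad-ca.pem')
  cfg.merge('encryption' => 'simple_tls', 'port' => 636, 'verify_certificates' => true,
            'tls_options' => (cfg['tls_options'] || {}).merge('ca_file' => ca_file))
end

# Constructed sample: the weak settings from the post's configuration.
SAMPLE_GITLAB_RB = <<~'RB'
  gitlab_rails['ldap_enabled'] = true
  gitlab_rails['ldap_servers'] = {
    'main' => {
      'host' => 'IP_ADDRESS_OF_SAMBA_AD_LDAP', 'port' => 636,
      'encryption' => 'simple_tls', 'verify_certificates' => false,
      'bind_dn' => 'CN=sys.gitlab,OU=Sys.Accounts,DC=AD_DOMAIN',
      'password' => 'LDAP_BIND_ACCOUNT_PASSWORD',
      'tls_options' => { 'ca_file' => '' }
    }
  }
RB
puts audit_gitlab_rb(SAMPLE_GITLAB_RB)
```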

To activate the new LDAP configuration, the GitLab server must be reconfigured with the following command:

    gitlab-ctl reconfigure
GitLab: Reconfigure with LDAP settings

The LDAP configuration can be checked with the following command:

    gitlab-rake gitlab:ldap:check
GitLab: Test LDAP settings and connection

The check should report a successful LDAP bind (“Success”) and list the users that are expected to have access.

If the reconfiguration and the check were successful, the web UI of the GitLab server should then offer LDAP as a login option.

GitLab LDAP Login
