Gitlab AD-LDAP Integration

Table of contents

  1. GitLab Server with Samba-based Active Directory
  2. AD/LDAP bind account
  3. AD/LDAP groups
  4. GitLab AD/LDAP configuration
  5. GitLab AD/LDAP login

GitLab Server with Samba-based Active Directory

In this blog post I show how to integrate a GitLab server with a Samba-based Active Directory. Note: the same setup and configuration should also work with a Windows-based Active Directory.

AD/LDAP Bind account

For GitLab to connect to AD, a dedicated system account is required for the LDAP bind (the so-called LDAP bind account).

GitLab Active Directory LDAP Bind Account

AD/LDAP groups

In addition, I create two AD groups, one for users and one for admins. Members of the user group get “standard” access to GitLab. Members of the admin group get “standard” access plus “administrative” access to manage the GitLab server settings.

GitLab Active Directory User Groups

GitLab AD/LDAP configuration

The configuration file /etc/gitlab/gitlab.rb must be extended with the settings for the Samba-AD (or Windows-AD) LDAP integration. The technical details of the LDAP integration are documented at GitLab General LDAP setup.


    gitlab_rails['ldap_enabled'] = true
    gitlab_rails['prevent_ldap_sign_in'] = false
    gitlab_rails['ldap_servers'] = {
      'main' => {
        'label' => 'LDAP',
        'host' =>  'IP_ADDRESS_OF_SAMBA_AD_LDAP',
        # 636 with simple_tls = LDAPS; 389 would be start_tls or plain
        'port' => 636,
        'uid' => 'sAMAccountName',
        'encryption' => 'simple_tls',
        # false skips validation of the AD server certificate; for production
        # set this to true and point ca_file at the AD CA certificate
        'verify_certificates' => false,
        # bind account created above; gitlab.rb stores this password in clear text,
        # so keep the file readable by root only
        'bind_dn' => 'CN=sys.gitlab,OU=Sys.Accounts,DC=AD_DOMAIN',
        'password' => 'LDAP_BIND_ACCOUNT_PASSWORD',
        'tls_options' => {
          'ca_file' => '',
          'ssl_version' => '',
          'ciphers' => '',
          'cert' => '',
          'key' => ''
        },
        'timeout' => 10,
        'active_directory' => true,
        'allow_username_or_email_login' => false,
        # false: AD users matching 'base' get an active GitLab account on first login
        'block_auto_created_users' => false,
        # OU that holds the user accounts allowed to log in
        'base' => 'OU=Usr.Accounts,OU=Applications,DC=AD_DOMAIN',
        'user_filter' => '',
        'attributes' => {
          'username' => ['uid', 'userid', 'sAMAccountName'],
          'email' => ['mail', 'email', 'userPrincipalName'],
          'name' => 'cn',
          'first_name' => 'givenName',
          'last_name' => 'sn'
        },
        'lowercase_usernames' => false,
        # OU that holds the two GitLab groups; members of admin_group become GitLab admins
        'group_base' => 'OU=gitlab,OU=Applications,DC=AD_DOMAIN',
        'admin_group' => 'grp.gitlab.admins',
        'external_groups' => [],
        'sync_ssh_keys' => false
      }
    }

To activate the new LDAP configuration, GitLab must be reconfigured. This is done with the following command:


    gitlab-ctl reconfigure

To check the LDAP configuration, the following command can be used:


    gitlab-rake gitlab:ldap:check

The output should report Success for the LDAP bind, and the users that are supposed to have access should be listed as well.
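Before reconfiguring, it is worth linting the LDAP block for settings that weaken the GitLab-to-AD link (unverified server certificate, plain encryption, a port that does not match the encryption mode, or a key that appears twice so Ruby silently keeps the last value). The following script is an added example, not GitLab's own code: it reads the 'key' => value lines with a regular expression instead of evaluating the Ruby, and the sample block is constructed from the settings above.

```python
import re
from collections import Counter

# Constructed sample modelled on the post's block; the duplicated key is kept on purpose.
SAMPLE_GITLAB_RB = """gitlab_rails['ldap_servers'] = {
  'main' => {
    'host' => 'IP_ADDRESS_OF_SAMBA_AD_LDAP',
    'port' => 636,
    'encryption' => 'simple_tls',
    'verify_certificates' => false,
    'bind_dn' => 'CN=sys.gitlab,OU=Sys.Accounts,DC=AD_DOMAIN',
    'password' => 'LDAP_BIND_ACCOUNT_PASSWORD',
    'verify_certificates' => false,
    'tls_options' => {
      'ca_file' => ''
    },
    'active_directory' => true
  }
}
"""

# One "'key' => value" line of the Ruby hash literal; trailing comma optional.
KEY_RE = re.compile(r"^\s*'([A-Za-z_]+)'\s*=>\s*(.+?),?\s*$")

def parse_ldap_settings(text):
    """Flatten 'key' => value lines into {key: raw value}; also list duplicated keys."""
    settings, seen = {}, Counter()
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, raw = m.groups()
            seen[key] += 1
            settings[key] = raw.strip().strip("'")  # last occurrence wins, as in Ruby
    return settings, [k for k, n in seen.items() if n > 1]

def lint_ldap_settings(text):
    """Return findings for settings that weaken the GitLab <-> AD link."""
    s, dups = parse_ldap_settings(text)
    findings = [f"duplicate key '{k}': Ruby keeps the last value" for k in dups]
    if s.get("verify_certificates") == "false":
        findings.append("verify_certificates false: AD server certificate is not validated")
    if s.get("encryption") == "plain":
        findings.append("encryption plain: bind password crosses the network unencrypted")
    if s.get("encryption") == "simple_tls" and s.get("port") != "636":
        findings.append(f"simple_tls normally uses port 636, not {s.get('port')}")
    if s.get("verify_certificates") == "true" and s.get("ca_file") == "":
        findings.append("ca_file empty: the AD CA must be in the system trust store")
    return findings
```

Run `lint_ldap_settings(open('/etc/gitlab/gitlab.rb').read())` on the real file; an empty list means none of the checked weaknesses is present.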

GitLab AD/LDAP login

If the reconfiguration and the check were successful, the GitLab web UI should now show LDAP as a login option.

GitLab LDAP Login