In addition to SVN, Git is favored by more and more developers. This article introduces how GitLab integrates OpenLDAP for account authentication.
GitLab integrates OpenLDAP authentication
- Modify the configuration file gitlab.yml (the `ldap` section):

```yaml
ldap:
  enabled: true
  servers:
    main:
      label: 'LDAP'
      host: 'ldap.blz.netease.com'
      port: 389
      uid: 'uid'
      method: 'plain'
      bind_dn: 'uid=authz,ou=Public,dc=blz,dc=internal'
      password: 'ImNVZODT884'
      timeout: 10
      active_directory: false
      allow_username_or_email_login: false
      block_auto_created_users: false
      base: 'dc=blz,dc=internal'
      user_filter: ' '
```
Important configuration parameters (read the previous article on SVN integration with LDAP authentication to understand these parameters better):
- host: LDAP server address
- port: LDAP service port
- uid: which attribute is used as the login attribute (uid, cn, etc.); we use uid
- method: enter TLS or SSL if TLS or SSL is enabled; if neither is enabled, enter plain
- bind_dn: the search user that GitLab binds as (requires an account with read permission so it can search for the username the user entered)
- password: password of the bind_dn user; bind_dn and password together log in to the LDAP server to search for users
- active_directory: whether the LDAP server is Windows AD; we are using OpenLDAP, so write false here
- allow_username_or_email_login: whether to allow authentication by user name or email; if yes, the user can enter either the user name or the email address
- base: the location from which users are searched; for example, if the users allowed to log in to GitLab are in the OU GitLab, write ou=gitlab,dc=domain,dc=com
- filter (`user_filter` in gitlab.yml): additional filter attributes, for example to authenticate only users whose employeeType is developer: (employeeType=developer)
- Restart the GitLab service; the login page now shows an LDAP login option
Error handling
Could not authenticate you from Ldapmain because “Invalid credentials”
Error saving user: [“Email is not whitelisted. Email domains valid for registration are: domain.com”]
Email not whitelisted? Consider why:
- GitLab has Restricted Domains for sign-ups configured so that only users with domain.com mailboxes can register
- However, when the user was created in OpenLDAP, the mail attribute was left empty
That is most likely the problem. Log in to LAM, fill in the user's mail attribute (with a domain that matches the whitelist rule), then log in to GitLab again.
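The two checks described above, as an added example that is not part of the original article: it builds the search filter GitLab derives from `uid` and `user_filter` (escaping the typed login name per RFC 4515) and shows why an entry whose `mail` attribute was never filled in fails the sign-up domain whitelist. The directory entries and the `domain.com` whitelist are constructed for the example and are not real data.

```python
# Added example (not the article's code): models what GitLab does with the
# ldap section of gitlab.yml and why the "Email is not whitelisted" error occurs.
from typing import Dict, List, Optional

UID_ATTR = "uid"                          # 'uid:' in gitlab.yml
USER_FILTER = "(employeeType=developer)"  # example 'user_filter' from the article
ALLOWED_DOMAINS = ["domain.com"]          # GitLab "Restricted domains for sign-ups"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed login name cannot change the search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def build_user_filter(login: str, uid_attr: str = UID_ATTR,
                      user_filter: str = USER_FILTER) -> str:
    """GitLab searches 'base' for (<uid>=<login>) ANDed with user_filter, if set.
    A user_filter of ' ' (as in the article's config) means no extra filter."""
    uid_clause = f"({uid_attr}={escape_filter_value(login)})"
    extra = user_filter.strip()
    return f"(&{uid_clause}{extra})" if extra else uid_clause


def check_signup_email(entry: Dict[str, List[str]],
                       allowed_domains: List[str] = ALLOWED_DOMAINS) -> Optional[str]:
    """Return the reason GitLab would refuse to auto-create the account, or None.
    A missing 'mail' attribute is exactly the case described in the article."""
    mails = entry.get("mail", [])
    if not mails:
        return "Email is not whitelisted: LDAP entry has no mail attribute"
    domain = mails[0].rsplit("@", 1)[-1].lower()
    if domain not in [d.lower() for d in allowed_domains]:
        return f"Email is not whitelisted: {domain} not in {allowed_domains}"
    return None


# Constructed sample entries standing in for what the search under 'base' returns.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "alice": {"uid": ["alice"], "employeeType": ["developer"], "mail": ["alice@domain.com"]},
    "bob":   {"uid": ["bob"],   "employeeType": ["developer"]},   # mail never filled in
    "carol": {"uid": ["carol"], "employeeType": ["developer"], "mail": ["carol@example.org"]},
}

if __name__ == "__main__":
    for login in DIRECTORY:
        print(build_user_filter(login), "->", check_signup_email(DIRECTORY[login]))
```

Running the block prints, for each constructed user, the filter GitLab would send and the reason (if any) the account creation would be refused; only the entry with no `mail` reproduces the article's error.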
Related articles (recommended reading):
- LDAP deployment (1): OpenLDAP deployment, management and maintenance
- LDAP deployment (2): SVN integrates OpenLDAP authentication
- LDAP implementation (3): GitLab integrates OpenLDAP authentication
- Jenkins integrates OpenLDAP authentication
- LDAP implementation (5): Django integrates OpenLDAP authentication