I have a Gitlab server installed somewhere, and I am trying to get it working for my AD users. I have the following configuration:
label: 'LDAP'
host: 'myserver.com'
port: 389
#uid: ''
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: ''
#password: ''
active_directory: true
allow_username_or_email_login: true
block_auto_created_users: false
base: ''
user_filter: ''
## EE only
group_base: ''
admin_group: ''
sync_ssh_keys: false
But I cannot log in with the provided settings.
I am not very familiar with LDAP settings, but this is PHP code which is used to log in to our in-house systems, and it works perfectly:
$ldap = ldap_connect("ldap://myserver.com/");
if(!ldap_bind($ldap, "DOMAIN\\$username", $password)) {
echo "Authentication Error";
} else {
echo "OK";
}
I think I don't know where to put DOMAIN in Gitlab configuration.
I've gone through questions and googled about it, nothing worked.
I also tried logging in using username and DOMAIN\username and username@myserver.com and username@DOMAIN but none worked.
With some configuration (I don't remember exactly what, but I will find it if it is necessary), I get the following error in the logs:
ArgumentError (uid or filter MUST be provided):
EDIT:
This is what my config looks like now, still not working.
label: 'LDAP'
host: 'myserver.com'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: 'CN=gitldap,CN=Users,DC=myserver,DC=com'
password: 'thepassword'
active_directory: true
allow_username_or_email_login: true
#block_auto_created_users: false
base: 'ou=MyServer,dc=myserver,dc=com'
#user_filter: ''
### EE only
#group_base: ''
#admin_group: ''
#sync_ssh_keys: false
And for reference, this is how an SVN server is using our AD:
SVNParentPath /var/svn
SSLRequireSSL
AuthType Basic
AuthName "MyServer Source Control System"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN "CN=svnldap,CN=Users,DC=myserver,DC=com"
AuthLDAPBindPassword 'thepassword'
AuthLDAPURL "ldap://dc-2.myserver.com:389/ou=MyServer,dc=myserver,dc=com?sAMAccountName" NONE
AuthzSVNAccessFile /etc/svn/dav_svn.authz
Require valid-user
And I have to mention that myserver.com and dc-2.myserver.com resolve to the same machine.
You will need to create an AD user account ("service account") for GitLab, whose DN and password have to be specified in the GitLab config as bind_dn and password. uid should be set to 'sAMAccountName'.
This is different from what you did in PHP. There you used the user's credentials to access the AD through LDAP. GitLab will use its own user account and then look up users.
The first step is to check the binding to LDAP with ldapbind (see for instance "Using ldapbind to Authenticate"). As the OP mentions, that allows you to detect if the user id is correct.
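The lookup flow described in the service-account answer above (bind as the service account, search for the user by uid, then bind as the DN that was found), as an added Ruby example that is not part of the original posts and is not GitLab's own code. The in-memory directory, the Jane Doe entry, all passwords and the helper names are constructed for illustration; the fake search only understands a single (attr=value) filter.

```ruby
# Constructed in-memory stand-in for the AD server; all DNs and passwords are made up.
DIRECTORY = {
  'CN=gitldap,CN=Users,DC=myserver,DC=com' => { password: 'svc-secret', attrs: {} },
  'CN=Jane Doe,OU=MyServer,DC=myserver,DC=com' =>
    { password: 'jane-secret', attrs: { 'sAMAccountName' => 'jdoe' } }
}.freeze

CONFIG = { bind_dn: 'CN=gitldap,CN=Users,DC=myserver,DC=com', password: 'svc-secret',
           uid: 'sAMAccountName', base: 'ou=MyServer,dc=myserver,dc=com' }.freeze

# Simple bind against the fake directory: true only for a known DN and matching password.
def bind(dn, password)
  entry = DIRECTORY[dn]
  !entry.nil? && entry[:password] == password
end

# Escape filter metacharacters (RFC 4515) so a login name cannot change the filter.
def escape_filter(value)
  value.gsub(/[\\*()\0]/) { |c| format('\\%02x', c.ord) }
end

# Fake subtree search for one (attr=value) filter; '*' is a wildcard, \xx a literal.
def search(base, filter)
  attr, pattern = filter.match(/\A\((\w+)=(.*)\)\z/m).captures
  parts = pattern.split('*', -1).map { |p| Regexp.escape(p.gsub(/\\(\h\h)/) { $1.hex.chr }) }
  regex = /\A#{parts.join('.*')}\z/m
  DIRECTORY.select do |dn, entry|
    dn.downcase.end_with?(",#{base.downcase}") && entry[:attrs][attr].to_s.match?(regex)
  end.keys
end

# Search-then-bind: the service account finds the user's DN, then the user's own
# password is checked by binding as that DN. No DOMAIN\ prefix is involved.
def authenticate(config, username, password)
  raise ArgumentError, 'uid or filter MUST be provided' if config[:uid].to_s.empty?
  # An empty password would be an unauthenticated bind, which many servers accept.
  return false if username.to_s.empty? || password.to_s.empty?
  return false unless bind(config[:bind_dn], config[:password])

  dns = search(config[:base], "(#{config[:uid]}=#{escape_filter(username)})")
  dns.length == 1 && bind(dns.first, password)
end
```

In this model the login name is compared with the sAMAccountName attribute, so the bare username matches while DOMAIN\username does not.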