Authenticate GitLab against FreeIPA using LDAP

GitLab can use LDAP to authenticate against a variety of directory services, such as Microsoft Active Directory Domain Services, FreeIPA and Red Hat Identity Management. This post describes how to configure GitLab to authenticate against FreeIPA.

Clicking Identity > User Groups > Add in the FreeIPA web interface opens the assistant for creating new groups. Create two groups named gitlab-users and gitlab-admins.

Afterwards, add the appropriate users to those groups. Before changing the GitLab configuration file, create a backup:

# cp /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.backup
# vi /etc/gitlab/gitlab.rb
...
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
main:
  label: 'LDAP'
  host: 'myldap.localdomain.loc'
  port: 636
  uid: 'uid'
  method: 'ssl'
  bind_dn: 'uid=svc-readonly,cn=users,cn=accounts,dc=localdomain,dc=loc'
  password: '...'

  timeout: 10
  active_directory: false
  allow_username_or_email_login: false
  block_auto_created_users: false

  base: 'cn=users,cn=accounts,dc=localdomain,dc=loc'
  user_filter: '(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=localdomain,dc=loc)'

  attributes:
    username: ['uid', 'userid', 'sAMAccountName']
    email:    ['mail', 'email', 'userPrincipalName']
    name:       'cn'
    first_name: 'givenName'
    last_name:  'sn'
EOS

Depending on your infrastructure, you will need to adjust the host, bind_dn, base and user_filter entries. If you would rather live dangerously and authenticate unencrypted, change the following lines:

port: 389
method: 'plain'

GitLab Enterprise Edition users can also define an administrator group by adding the following line to the configuration:

admin_group: 'cn=gitlab-admins,cn=groups,cn=accounts,dc=localdomain,dc=loc'

Beginning with GitLab 10.x, SSL certificate verification is enabled by default. If no CA certificate is configured, authentication fails with the following error:

Could not authenticate you from Ldapmain because "Ssl connect returned=1 errno=0 state=error: certificate verify failed".

To fix this, simply add the following configuration line:

  ca_file: '/etc/ssl/certs/ipa.pem'

Of course, you will need to alter the path. I used the following two commands to retrieve my FreeIPA system’s certificate:

# scp root@ipa:/etc/ipa/ca.crt /etc/ssl/certs/ipa.pem
# restorecon /etc/ssl/certs/ipa.pem
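As an added pre-flight check, not part of the original post and not GitLab code: a small Python lint that pulls the flat settings under main: out of a gitlab.rb heredoc like the one above and flags the weak choices discussed here (plain on port 389, a missing ca_file, a missing user_filter). The gitlab.rb text is a constructed sample; the parser understands only the key: value subset used in this post, not full YAML.

```python
import re

# Constructed sample gitlab.rb fragment (hostnames/DNs are placeholders), using
# the "live dangerously" settings so the lint has something to flag.
SAMPLE_GITLAB_RB = """\
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
main:
  host: 'myldap.localdomain.loc'
  port: 389
  method: 'plain'
  bind_dn: 'uid=svc-readonly,cn=users,cn=accounts,dc=localdomain,dc=loc'
  base: 'cn=users,cn=accounts,dc=localdomain,dc=loc'
  attributes:
    username: ['uid', 'userid', 'sAMAccountName']
EOS
"""

HEREDOC = re.compile(r"YAML\.load <<-EOS\n(.*?)^EOS", re.S | re.M)
SETTING = re.compile(r"^  (\w+):\s*(.*)$")   # exactly two spaces: keys under main:

def parse_ldap_servers(text):
    """Return the flat settings under 'main:' as {key: value-without-quotes}.
    Nested blocks such as attributes: are skipped; this is not a YAML parser."""
    m = HEREDOC.search(text)
    if not m:
        raise ValueError("no ldap_servers heredoc found")
    settings = {}
    for line in m.group(1).splitlines():
        s = SETTING.match(line)
        if s and s.group(2):                  # 'attributes:' has no value -> skipped
            settings[s.group(1)] = s.group(2).strip().strip("'\"")
    return settings

def lint_ldap_settings(settings):
    """Return short finding codes; an empty list means the hardened form."""
    findings = []
    method = settings.get("method", "plain")  # GitLab falls back to plain
    encrypted = method in ("ssl", "tls")      # 'tls' = STARTTLS in the legacy method key
    if not encrypted:
        findings.append("plaintext")          # bind password crosses the wire in clear
    elif method == "ssl" and settings.get("port") != "636":
        findings.append("port-mismatch")      # ssl (LDAPS) normally listens on 636
    if encrypted and "ca_file" not in settings:
        findings.append("no-ca_file")         # GitLab 10.x verifies the cert; bind fails
    if "user_filter" not in settings:
        findings.append("no-user_filter")     # every directory account could log in
    return findings
```

Run it against your real /etc/gitlab/gitlab.rb before gitlab-ctl reconfigure; an empty finding list means the file matches the encrypted, group-filtered form shown above.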

Afterwards, GitLab needs to be reconfigured by executing the following command:

# gitlab-ctl reconfigure

GitLab should now be able to authenticate using LDAP. To test this, use the following command, which will also list the first 1000 LDAP users:

# gitlab-rake gitlab:ldap:check RAILS_ENV=production
Checking LDAP ...

Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
        DN: uid=giertz,cn=users,cn=accounts,dc=localdomain,dc=loc        uid: giertz
        DN: uid=pinkepank,cn=users,cn=accounts,dc=localdomain,dc=loc     uid: pinkepank

Checking LDAP ... Finished

In the GitLab web interface you will find a new “LDAP” pane for authenticating against the directory. Local logins are still possible. LDAP users and local users are linked if their e-mail addresses match.
