Authenticate GitLab against FreeIPA using LDAP

GitLab can utilize LDAP to authenticate against a variety of directory services such as Microsoft Active Directory Domain Services or FreeIPA and Red Hat Identity Management. This post describes configuring and integrating into FreeIPA.

By clicking Identity > User Groups > Add within the FreeIPA interface, an assistant for creating new groups is started. Create two groups named gitlab-users and gitlab-admins.

Afterwards, appropriate users can be added to those groups. Before changing the GitLab configuration file, it is advisable to create a backup:

 1# cp /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.backup
 2# vi /etc/gitlab/gitlab.rb
 4gitlab_rails['ldap_enabled'] = true
 5gitlab_rails['ldap_servers'] = YAML.load <<-EOS
 7  label: 'LDAP'
 8  host: 'myldap.localdomain.loc'
 9  port: 636
10  uid: 'uid'
11  method: 'ssl'
12  bind_dn: 'uid=svc-readonly,cn=users,cn=accounts,dc=localdomain,dc=loc'
13  password: '...'
15  timeout: 10
16  active_directory: false
17  allow_username_or_email_login: false
18  block_auto_created_users: false
20  base: 'cn=users,cn=accounts,dc=localdomain,dc=loc'
21  user_filter: '(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=localdomain,dc=loc)'
23  attributes:
24    username: ['uid', 'userid', 'sAMAccountName']
25    email:    ['mail', 'email', 'userPrincipalName']
26    name:       'cn'
27    first_name: 'givenName'
28    last_name:  'sn'

Depending on your infrastructure, you will need to change the entries host, bind_dn, base and user_filter. If you also like to live dangerously by authenticating unencrypted, change the following lines:

1port: 389
2method: 'plain'

GitLab Enterprise Edition users can also define an administrator group by adding the following line to the configuration:

1admin_group: 'cn=gitlab-admins,cn=groups,cn=accounts,dc=localdomain,dc=loc'

Beginning with GitLab 10.xSSL verification is enabled by default. If no certificate is configured, authentication fails with the following error:

1Could not authenticate you from Ldapmain because "Ssl connect returned=1 errno=0 state=error: certificate verify failed".

To fix this, simply add the following configuration line:

1  ca_file: '/etc/ssl/certs/ipa.pem'

Of course, you will need to alter the path. I was using the following two commands to retrieve my FreeIPA system's certificate:

1# scp root@ipa:/etc/ipa/ca.crt /etc/ssl/certs/ipa.pem
2# restorecon /etc/ssl/certs/ipa.pem

Afterwards, GitLab needs to be reconfigured by executing the following command:

1# gitlab-ctl reconfigure

GitLab should now be able to authenticate using LDAP. To test this, utilize the following command which will also list the first 1000 LDAP users:

 1# gitlab-rake gitlab:ldap:check RAILS_ENV=production
 2Checking LDAP ...
 4Server: ldapmain
 5LDAP authentication... Success
 6LDAP users with access to your GitLab server (only showing the first 100 results)
 7        DN: uid=giertz,cn=users,cn=accounts,dc=localdomain,dc=loc        uid: giertz
 8        DN: uid=pinkepank,cn=users,cn=accounts,dc=localdomain,dc=loc     uid: pinkepank
10Checking LDAP ... Finished

In GitLab web interface you will find a new "LDAP" pane for authenticating against the directory. Local logins are still possible. LDAP users and local users are linked if mail addresses are matching.