Difficulties with LDAP group syncing

Hi guys!

I am exploring GitLab usage for our small organization.
Everything is fine except the LDAP groups which we have.
All developers have LDAP users with the respective LDAP group memberships.
We also store SSH public keys inside the user object.

As far as I understood, GitLab should be able to sync existing LDAP groups and create the respective objects?
And it should also populate memberships accordingly?
If that's true, it is not happening in my case.

My gitlab.rb:


gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: LDAP
    host: 'ldap-master.example.com'
    port: 636
    uid: 'uid'
    bind_dn: 'cn=gitlab,container=Infrastructure,container=System,dc=example,dc=com'
    password: ''
    encryption: 'simple_tls'
    verify_certificates: true
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: true
    block_auto_created_users: false
    base: 'container=Users,dc=example,dc=com'
    user_filter: '(|(employeeType=admin)(employeeType=developer))'
    ## EE only
    group_base: 'container=Groups,dc=example,dc=com'
    admin_group: 'superuser'
    sync_ssh_keys: true
    attributes:
      username: ['uid']
      email: ['mail']
      name: 'cn'
      first_name: 'cn'
      last_name: 'cn'
    tls_options:
      ca_file: '/etc/pki/ca-trust/source/anchors/internal-ca.pem'
      ssl_version: 'TLSv1_2'
      ciphers: '<long_cipher_list>'
      cert: |

      key: |

EOS
gitlab_rails['ldap_sync_worker_cron'] = "0 * * * *"
gitlab_rails['ldap_group_sync_worker_cron'] = "*/10 * * * *"

LDAP group object example:


dn: cn=superuser,container=Groups,dc=example,dc=com
objectClass: group
cn: superuser
gidNumber: 10000
memberUid: testuser
structuralObjectClass: group

LDAP user object example:


dn: uid=testuser,container=Users,dc=example,dc=com
uid: testuser
cn: testuser
objectClass: user
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sshKey
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testuser
mail: testuser@example.com
employeeType: admin
structuralObjectClass: user
userPassword:
sshPublicKey:

GitLab Rails feature information:


irb(main):096:0> License.feature_available?(:ldap_group_sync_filter)
License Load (0.9ms) SELECT "licenses".* FROM "licenses" ORDER BY "licenses"."id" DESC LIMIT 1
=> true
irb(main):097:0> License.feature_available?(:ldap_group_sync,)
License Load (1.0ms) SELECT "licenses".* FROM "licenses" ORDER BY "licenses"."id" DESC LIMIT 1
(0.5ms) SELECT "features"."key" FROM "features"
=> true

So at this point users are able to log in.
But GitLab doesn't sync the groups and fails to recognize memberships.

When I run this:


irb(main):100:0> ldap_group = EE::Gitlab::Auth::Ldap::Group.find_by_cn('group_cn_here', adapter)
irb(main):101:0> ldap_group = EE::Gitlab::Auth::Ldap::Group.find_by_cn('superuser', adapter)
irb(main):102:0> ldap_group.member_uids
=> ["testuser", "testuser1"]

As you can see, it actually does see the correct memberships.

But at the same time this one returns an empty result:


irb(main):103:0> ldap_group.member_dns
=> [""]

Is that because this one requires memberOf?
But since I switched off active_directory, it should not be a problem?

When I run the group sync manually:


irb(main):104:0> EE::Gitlab::Auth::Ldap::Sync::Groups.execute
Performing LDAP group sync for 'ldapmain' provider
Group Load (44.2ms) SELECT DISTINCT "namespaces".* FROM "namespaces" INNER JOIN "ldap_group_links" ON "ldap_group_links"."group_id" = "namespaces"."id" WHERE "namespaces"."type" = 'Group' AND "ldap_group_links"."provider" = 'ldapmain' ORDER BY ldap_sync_last_successful_update_at ASC, namespaces.id ASC
Finished LDAP group sync for 'ldapmain' provider
Syncing admin users for 'ldapmain' provider
Instantiating EE::Gitlab::Auth::Ldap::Group with LDIF:
dn: cn=superuser,container=Groups,dc=example,dc=com
cn: superuser
memberuid: testuser
memberuid: testuser1
Members in 'superuser' LDAP group: [""]
Identity Load (6.6ms) SELECT "identities".* FROM "identities" WHERE (LOWER("identities"."extern_uid") = LOWER('uid=testuser,container=users,dc=example,dc=com')) AND "identities"."provider" = 'ldapmain' LIMIT 1
User Load (11.9ms) SELECT "users".* FROM "users" WHERE "users"."id" = 2 LIMIT 1
(0.4ms) BEGIN
Namespace Load (1.3ms) SELECT "namespaces".* FROM "namespaces" WHERE "namespaces"."owner_id" = 2 AND "namespaces"."type" IS NULL LIMIT 1
(0.5ms) COMMIT
User Load (5.2ms) SELECT "users".* FROM "users" INNER JOIN "identities" ON "identities"."user_id" = "users"."id" WHERE "identities"."provider" = 'ldapmain' AND "users"."admin" = TRUE
Finished syncing admin users for 'ldapmain' provider
No external_groups configured for 'ldapmain' provider. Skipping
=> true

As I mentioned previously, it can see the memberUid attribute.
But why does it not process it and create a respective GitLab group?
Am I missing something here?

I can also provide additional details if required.
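The post shows a group that lists its members as memberUid login names while member_dns comes back empty; a DN-based sync can only act on members once each login is mapped to a user DN under the configured base. The following is an added example, not GitLab's own code and not from the post, that makes that resolution step explicit: it parses a small constructed LDIF directory, picks the member attribute by the style the group uses (member, uniqueMember or memberUid), and for memberUid performs the equivalent of a "(uid=<login>)" search under base, reporting any login that no user entry matches. The config hash mirrors the uid, base and group_base keys from the gitlab.rb above; all helper names, the in-memory directory and the "ghost" member are assumptions made for the example.

```ruby
# Added example, not GitLab's code: resolving LDAP group members to user DNs
# for the common group styles. The "directory" is a constructed in-memory
# LDIF standing in for a live server; helper names are hypothetical.

# Constructed configuration, mirroring the gitlab.rb keys from the post.
LDAP_CONFIG = {
  'base'       => 'container=Users,dc=example,dc=com',
  'group_base' => 'container=Groups,dc=example,dc=com',
  'uid'        => 'uid'
}.freeze

# Constructed directory contents: one posixGroup-style group (memberUid holds
# login names), one groupOfNames-style group (member holds DNs), two users.
# 'ghost' is listed in superuser but has no user entry, to show the failure mode.
SAMPLE_LDIF = <<~LDIF
  dn: cn=superuser,container=Groups,dc=example,dc=com
  objectClass: posixGroup
  cn: superuser
  gidNumber: 10000
  memberUid: testuser
  memberUid: ghost

  dn: cn=developers,container=Groups,dc=example,dc=com
  objectClass: groupOfNames
  cn: developers
  member: uid=testuser,container=Users,dc=example,dc=com
  member: uid=testuser1,container=Users,dc=example,dc=com

  dn: uid=testuser,container=Users,dc=example,dc=com
  objectClass: posixAccount
  uid: testuser
  cn: testuser
  mail: testuser@example.com

  dn: uid=testuser1,container=Users,dc=example,dc=com
  objectClass: posixAccount
  uid: testuser1
  cn: testuser1
  mail: testuser1@example.com
LDIF

# Minimal LDIF parser: one Hash per entry, lower-cased attribute names mapped to
# arrays of values. Base64 (::) values and line folding are not handled here.
def parse_ldif(text)
  entries = []
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    if line.strip.empty?
      entries << current if current
      current = nil
      next
    end
    next if line.start_with?('#')
    attr, value = line.split(/:\s*/, 2)
    next if attr.nil? || value.nil? || value.empty?
    current ||= {}
    (current[attr.downcase] ||= []) << value
  end
  entries << current if current
  entries
end

# Index entries by lower-cased DN so lookups are case-insensitive, as LDAP DNs are.
def index_by_dn(entries)
  entries.each_with_object({}) do |entry, index|
    index[entry['dn'].first.downcase] = entry if entry['dn']
  end
end

DIRECTORY = index_by_dn(parse_ldif(SAMPLE_LDIF)).freeze

# Entries whose DN sits under the given base and whose attr contains value.
def search(directory, base, attr, value)
  directory.values.select do |entry|
    entry['dn'].first.downcase.end_with?(base.downcase) &&
      (entry[attr.downcase] || []).any? { |v| v.casecmp?(value) }
  end
end

# Emulates the search "(uid=<login>)" under the user base; returns the DN or nil.
def dn_for_uid(directory, login, config)
  hit = search(directory, config['base'], config['uid'], login).first
  hit && hit['dn'].first
end

# Member DNs for a group, plus any memberUid values that no user entry matched.
def group_member_dns(directory, group, config)
  if group.key?('member')            # groupOfNames / AD: values are already DNs
    { dns: group['member'], unresolved: [] }
  elsif group.key?('uniquemember')   # groupOfUniqueNames: values are DNs
    { dns: group['uniquemember'], unresolved: [] }
  elsif group.key?('memberuid')      # posixGroup: values are logins, need a lookup
    pairs = group['memberuid'].map { |login| [login, dn_for_uid(directory, login, config)] }
    { dns: pairs.map(&:last).compact, unresolved: pairs.select { |_, dn| dn.nil? }.map(&:first) }
  else
    { dns: [], unresolved: [] }
  end
end

# Convenience wrapper: look a group up by cn under group_base and resolve it.
def resolve_group(cn, directory: DIRECTORY, config: LDAP_CONFIG)
  group = search(directory, config['group_base'], 'cn', cn).first
  return nil unless group
  group_member_dns(directory, group, config)
end

if $PROGRAM_NAME == __FILE__
  %w[superuser developers].each do |cn|
    result = resolve_group(cn)
    puts "#{cn}: #{result[:dns].size} member DN(s), unresolved: #{result[:unresolved].inspect}"
  end
end
```

Running it prints one line per group; superuser resolves one DN and reports "ghost" as unresolved, which is the case to watch for in a real directory: a login present in memberUid but absent under base (or excluded by user_filter) silently drops out of the membership list, so a sync that reports fewer members than the group lists is worth checking against the user base and filter before assuming the sync itself is broken.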

Please note that LDAP Group Sync requires a Starter license or higher.

I mentioned in the post that these 2 features are enabled (I am using a trial license).

My bad, should have clicked & read all sections :man_facepalming:

I think I found a bug in the code.
Will submit a PR.
Is this the correct repo: https://github.com/gitlabhq/gitlabhq?

The repository and issue tracker can be found at https://gitlab.com/gitlab-org/gitlab