GITLAB integration with Active Directory

Hello,
I did my first installation of Gitlab (12.10.3)
I need to integrate it with an Active Directory (windows server 2012 r2).

I made the following configuration:

but it’s not working. What would I have done wrong?
note: Windows Server has the windows firewall disabled.

On our server, we set bind_dn: in the format admin-gitlab@example.co.uk. Do you get any errors in any of the logs that could help out?

Hello. I managed to solve this first part.
Integration worked.

My question now is … can I configure more than 1 base?

Say I have users in 2 OU’s.
TEST-GITLAB (already configured)
and TEST-GITLAB2 …
How do I set up 2 user bases?

We don’t specify an OU. We just use DC=example,DC=co,DC=uk as that will then allow any domain users access to our server without limiting to an OU.

@veltusti will you please help to solve my issue.

I am also facing an issue and am unable to connect to the AD server. When I run
"gitlab-rake gitlab:ldap:check"
the output is: Checking LDAP …

LDAP: … Server: ldapmain
LDAP authentication… Failed. Check bind_dn and password configuration values
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP … Finished

I used ldapsearch to verify bind-dn and password and it worked, but with GitLab it does not.

Hello,

I also have some issues but in my case the error is:
gitlab-rake gitlab:ldap:check
Checking LDAP …

LDAP: … Server: ldapmain
Exception: no bind result

Checking LDAP … Finished

This problem started to happen when I migrated the version from 11.6.0 to 11.11.8.

Hi.
I have a question regarding this case also.
I have a working configuration. But recently guys from other OU’s joined our team.

“base” is the location where github can search for users.

But can I use multiple “base”?
For example:

base: 'OU=users, DC=global, DC=com, DC=pl'
base: 'OU=remoteusers, DC=global, DC=com, DC=pl'

The uid and bind_dn are the same for both AD.

Hi, no, there can only be one basedn. You would have to use:

base: 'DC=global, DC=com, DC=pl'

Probably better is to use the user filter with memberOf to ensure they are in a specific group if you want to restrict certain users. E.g.: create a group called “Gitlab”, put the users from ou=users and ou=remoteusers in that group, and then use the user filter to check membership of the gitlab group. You can find an example for that here: ldap - How to bind a user and ensure they are in the correct group? - Stack Overflow

From the answer:

"(&(cn=My Name)(memberOf=cn=admin,ou=groups,dc=example,dc=com))"

Adapt this with your gitlab group that was created, and put this in gitlab.rb where the user-filter appears in the LDAP config section.

Yeah… the problem is I am not an AD admin and we cannot create new OU’s.
But from your example:

base: 'DC=global, DC=com, DC=pl'

This should search inside the whole DC global, right? All subOU’s?

And after this change, the reload of settings is ‘gitlab-ctl reconfigure’, right?

Yes, that would allow searching ou=users and ou=remoteusers. Of course, all other ou’s will also be able to be searched and accessed as well. But to restrict that, you would have to ask your AD/LDAP people to create a group and then add all the users that need to log in to Gitlab. That way you can restrict it by using the user-filter option in the Gitlab config to stop all other users logging into Gitlab.
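The two-`base` question above has a trap worth checking for. This is an added example, not code from any poster or from GitLab: a small Ruby lint for the YAML that goes under `gitlab_rails['ldap_servers']`, which flags repeated keys (Ruby's YAML loader keeps only the last one) and a missing `user_filter`. The host and the group DN are constructed placeholders.

```ruby
require 'yaml'

# Lint the YAML that goes under gitlab_rails['ldap_servers'] in gitlab.rb.
# Returns a list of findings; an empty list means nothing was flagged.
def lint_ldap_servers(yaml_text)
  findings = []
  Psych.parse(yaml_text).root.children.each_slice(2) do |name, settings|
    pairs = settings.children.each_slice(2).map do |k, v|
      [k.value, v.is_a?(Psych::Nodes::Scalar) ? v.value : nil]
    end
    keys = pairs.map(&:first)
    # Psych keeps only the last of repeated keys, so a second `base:` line
    # replaces the first instead of adding another search base.
    keys.select { |k| keys.count(k) > 1 }.uniq.each do |k|
      findings << "#{name.value}: duplicate '#{k}', only the last value is used"
    end
    cfg = pairs.to_h
    filter = cfg['user_filter'].to_s
    if filter.empty?
      findings << "#{name.value}: no user_filter, any account under #{cfg['base']} can sign in"
    elsif filter.count('(') != filter.count(')')
      findings << "#{name.value}: user_filter has unbalanced parentheses"
    end
  end
  findings
end

# Constructed sample: the two-base attempt from the thread.
TWO_BASES = <<~YAML
  main:
    host: 'ad.example.invalid'
    base: 'OU=users, DC=global, DC=com, DC=pl'
    base: 'OU=remoteusers, DC=global, DC=com, DC=pl'
YAML

# Constructed sample: one base at the domain root plus a group filter.
# The group DN is hypothetical; use the DN your AD admins give you.
ROOT_WITH_FILTER = <<~YAML
  main:
    host: 'ad.example.invalid'
    base: 'DC=global, DC=com, DC=pl'
    user_filter: '(memberOf=CN=Gitlab,OU=groups,DC=global,DC=com,DC=pl)'
YAML

puts lint_ldap_servers(TWO_BASES)
puts lint_ldap_servers(ROOT_WITH_FILTER).empty? ? 'no findings' : 'findings'
```

With the two-base sample, only `OU=remoteusers` would be searched, so users in `OU=users` would fail to sign in without any configuration error being reported.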