LDAP authentication against AD -- bind-dn?

Is there any configuration option for gitlab.rb to tell Gitlab CE to attempt to authenticate against the AD/LDAP server with the login supplied to the login form? It seems the only options are to either 1) put an LDAP user & password in the gitlab.rb file, in plaintext, which is a security issue or 2) enable anonymous access to the LDAP directory and leave the bind_dn and password blank, which is a security issue.

Ideally the gitlab server should attempt to authenticate with the user supplied credentials, and fail if those credentials aren’t sufficient to login and look the user up.

TIA

This depends a lot on the solution, and it varies from one implementation to the next. Some allow the login provided to bind - just like you mentioned - and others require a login for the initial bind request, which is what gitlab requires.

However, putting these details in the file is not as high a security risk as you think. You provide a login which has the minimal amount of privileges, which limits what they can do “if” they were obtained. However, this is unlikely, since the gitlab.rb file is readable only by root, which means no-one is going to be able to see these details unless they have the root login in the first place. You can see that here:

-rw-------  1 root root  70K Jul 24  2019 gitlab.rb

as you can see, the permissions are 600. Therefore, it’s perfectly fine to do this, providing that your server is secured and root access on the server is limited. And even if someone did get it, you’ve limited what the login can do anyway because it only has read-only access to the AD/LDAP directory.

Gitlab isn’t the only application that integrates AD/LDAP this way; there are plenty of other commercial solutions that do it this way. And anonymous bind is definitely not advisable; it’s much more secure to do it with a read-only access login.

I understand your reasoning, but just to be clear, doing it the way I’m asking is objectively more secure. If you’re saying Gitlab doesn’t currently support that authentication style, that’s fine, I just want to know. I’ll proceed with setting up a bind user to do the auth, though it’s a bit irritating that Gitlab doesn’t document exactly what rights such a user actually needs to have – ideally I would grant such a user the absolute bare minimum permissions possible within AD.

In the meantime, I’ll go put in a feature request for them to support the other style.

The user needs read access to the directory of users. Nothing more. It just needs to authenticate and list the directory of users, so that it can find the person attempting to authenticate. You might need to play with permissions accordingly to restrict/expand them depending on whether it works or not. You can test from the command line on your gitlab linux server using ldapsearch. Once you start seeing LDAP results come back with the user lists, that will show it’s working and you can then put the details in the gitlab.rb.

In terms of what you wrote, I agree that allowing the authenticating user to do this instead of the read-only user is more secure if someone was to gain access to the server and find those login details. It just depends on how people integrate LDAP/AD authentication with their products. As previously mentioned, I’ve seen a variety of these. Some allow the authenticating user to do all this, like you would like, and some other integrations have required a login for this. Sometimes I’ve also seen problems with other integrations, where they allowed the authenticating user to do it, but then it didn’t work as expected and I’ve had to use a read-only user instead.

From what I see, gitlab doesn’t support the option you require, so creating an issue for it could potentially see it integrated for the future. I certainly don’t see how to do it in the gitlab docs anyway.

If you do create the feature request, please link it here, so that anyone searching for the future can find it and vote for it. I would certainly vote for it, once you’ve created the request.
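The ldapsearch check the reply above describes, written out as an added example (not code from the thread or from GitLab). The directory URI, the read-only service account DN, its password file and the search base are all constructed placeholders. It reads the bind password from a root-only file rather than passing it on the command line, verifies that file (or gitlab.rb) really is mode 600/400 before use, and escapes the supplied login per RFC 4515 before building the lookup filter, so a stray `*` or `(` in a username cannot widen the search:

```sh
#!/bin/sh
# Added example: verify that a read-only AD/LDAP bind account can find a user,
# the way the thread suggests testing before the details go into gitlab.rb.

# Refuse to use a secret file that group/other can read (gitlab.rb is 600, root-owned).
check_secret_perms() {
    file=$1
    mode=$(stat -c '%a' "$file" 2>/dev/null) || { echo "cannot stat $file" >&2; return 1; }
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$file is mode $mode; group/other can read it" >&2; return 1 ;;
    esac
}

# Build an RFC 4515 search filter for an AD login, escaping \ * ( ) so that
# user input cannot change the shape of the filter (e.g. "*" matching everyone).
ad_user_filter() {
    escaped=$(printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
    printf '(sAMAccountName=%s)' "$escaped"
}

# Bind as the read-only account and look up one user's DN.
# Usage: ldap_bind_test URI BIND_DN PASSFILE BASE LOGIN
# Example (all values are placeholders):
#   ldap_bind_test ldaps://dc.example.com:636 \
#       'CN=gitlab-ro,OU=Service Accounts,DC=example,DC=com' \
#       /etc/gitlab/ldap-ro.pass 'DC=example,DC=com' jdoe
# The password file is used verbatim by ldapsearch -y, so create it without a
# trailing newline:  umask 077; printf '%s' 'secret' > /etc/gitlab/ldap-ro.pass
ldap_bind_test() {
    uri=$1 bind_dn=$2 passfile=$3 base=$4 login=$5
    command -v ldapsearch >/dev/null 2>&1 || {
        echo "ldapsearch not installed (ldap-utils / openldap-clients)" >&2
        return 2
    }
    check_secret_perms "$passfile" || return 1
    # -x simple bind, -y password from file (never visible in ps or shell history),
    # -LLL trims output to the entry itself; only the dn attribute is requested.
    # Exit status 49 from ldapsearch means the bind credentials were rejected.
    ldapsearch -x -LLL -H "$uri" -D "$bind_dn" -y "$passfile" -b "$base" \
        "$(ad_user_filter "$login")" dn
}
```

A DN coming back for the test login is the "results come back with the user lists" signal from the reply above; at that point the same bind DN and password are what go into gitlab.rb under `gitlab_rails['ldap_servers']`. Running `check_secret_perms /etc/gitlab/gitlab.rb` afterwards confirms the 600 permission the earlier reply relies on.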