I’m using omnibus gitlab ee on debian buster with ldap through FreeIPA and saml authentication through Keycloak.
I have saml omniauth authentication set up with gitlab_rails['omniauth_auto_link_ldap_user'] = true
set, but ldap users aren’t getting automatically linked. LDAP authentication and sync work correctly when the user logs in using ldap rather than saml.
Here’s my saml config:
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    label: 'SAML',
    args: {
      assertion_consumer_service_url: 'https://gitlab.domain.tld/users/auth/saml/callback',
      idp_cert: '-snip-',   # IdP signing certificate (PEM); trailing comma was missing
      idp_sso_target_url: 'https://login.domain.tld/auth/realms/master/protocol/saml',
      issuer: 'https://gitlab.domain.tld',
      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
      # map the IdP's 'username' attribute onto GitLab's username
      attribute_statements: { username: ['username'] }
    }
  }
]
Here’s my ldap config:
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'FreeIPA'
    host: 'ipaserver.domain.tld'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=gitlab,cn=sysaccounts,cn=etc,dc=domain,dc=tld'
    password: '-snip-'
    encryption: 'start_tls'
    verify_certificates: true
    tls_options:
      ca_file: '/etc/ipa/ca.crt'
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'cn=users,cn=accounts,dc=domain,dc=tld'
    user_filter: '(objectclass=inetorgperson)'
    group_base: 'cn=groups,cn=accounts,dc=domain,dc=tld'
    admin_group: 'admins'
    sync_ssh_keys: ipaSshPubKey
EOS
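Added example (not part of the original post and not GitLab's own code): a small offline check for the precondition that LDAP auto-linking depends on, namely that the identity GitLab derives from the SAML response can be matched against an LDAP `uid`. The matching rule used here (the mapped `username` attribute, or failing that the `NameID`, must equal an LDAP `uid`) is an assumption for illustration; the SAML response and the LDAP uid set are constructed samples that mirror the `attribute_statements` and `uid: 'uid'` settings above.

```python
"""Check whether a SAML assertion yields a value that can match an LDAP uid.

Added example, not GitLab code. The matching rule (mapped username attribute
or NameID must equal the LDAP 'uid' attribute) is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (not a capture); identifiers are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-8f2c1a</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jdoe@domain.tld</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed stand-in for the 'uid' values found under the LDAP user base DN.
LDAP_UIDS = {"jdoe", "asmith"}

# Mirrors attribute_statements: { username: ['username'] } from the config.
ATTRIBUTE_STATEMENTS = {"username": ["username"]}


def parse_response(xml_text):
    """Extract NameID, its Format, and all attribute values from a SAML response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
    }


def resolve_username(parsed, attribute_statements):
    """Apply the attribute_statements mapping to find the username value."""
    for saml_attr in attribute_statements.get("username", []):
        values = parsed["attributes"].get(saml_attr)
        if values:
            return values[0]
    return None


def check_ldap_link(parsed, ldap_uids, attribute_statements=ATTRIBUTE_STATEMENTS):
    """Return (ok, detail): whether some identity value matches an LDAP uid."""
    username = resolve_username(parsed, attribute_statements)
    candidates = [c for c in (username, parsed["name_id"]) if c]
    for cand in candidates:
        if cand in ldap_uids:
            return True, f"'{cand}' matches an LDAP uid"
    fmt = parsed["name_id_format"] or ""
    if fmt.endswith(":persistent") and username is None:
        # A persistent NameID is an opaque identifier, so without a mapped
        # username attribute there is nothing that can equal a directory uid.
        return False, "NameID is persistent/opaque and no username attribute was mapped"
    return False, f"no candidate {candidates} matches an LDAP uid"


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print(check_ldap_link(parsed, LDAP_UIDS))
```

Run it against a real response by pasting the decoded `SAMLResponse` from the browser's callback POST into `SAMPLE_RESPONSE` and the directory's `uid` values into `LDAP_UIDS`; if the check reports no match, the linking step has nothing to join on regardless of the `omniauth_auto_link_ldap_user` setting.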