Redundant LDAP config

Hi all,

I am trying to configure an LDAP connection to my Active Directory (using gitlab-ee 14.8.4). The base configuration finally works, however I had some trouble following the guide: Integrate LDAP with GitLab | GitLab

The page says I have to edit /etc/gitlab/gitlab.rb as I used the package-based installer for Ubuntu. However this config had no effect on my setup; it looks like it was just ignored. Finally I’ve found this config (which is not mentioned at all in the doc!): /var/opt/gitlab/gitlab-rails/etc/gitlab.yml, where I could make the LDAP auth work.

After the base setup started working I wanted to add a 2nd LDAP server for redundancy, but I can’t make the redundant setup work. The working single-LDAP-server config looks like this (only the relevant part pasted):

    host: 'myserver1.mydomain.local'
    port: 389

which I replaced with this (which doesn’t work):

    hosts:
       - [ 'myserver1.mydomain.local', 389 ]
       - [ 'myserver2.mydomain.local', 389 ]

What am I doing wrong?

ps: I’ve found the config quite messy (see above); also the logging doesn’t help much to see what’s wrong.

Hi,

Multiple hosts for LDAP servers need to be defined using the hosts attribute instead of the host/port combination. The docs hint at this in the config settings.

Editing /etc/gitlab/gitlab.rb and reconfiguring should be sufficient with changes to your Omnibus based installation.

    $ sudo vim /etc/gitlab/gitlab.rb

    gitlab_rails['ldap_servers'] = {
      'main' => {
        'label' => 'LDAP',
        'hosts' => [['myserver1.mydomain.local', 389], ['myserver2.mydomain.local', 389]]
      }
    }

    $ sudo gitlab-ctl reconfigure

The gitlab.yml shouldn’t be edited, as this file is generated every time you change gitlab.rb and reconfigure, and that overrides all edits.

Cheers,
Michael

Thanks, but as you can see in my config above I was already using the “hosts” attribute. Anyway, in the meantime I figured out a working setup. The “single server config” host and port parameters have to be in the config even if they are overwritten by the hosts. So this setup works fine for me:

    host: 'fake.mydomain.local' # <- this is ignored, but needed here :/
    port: 389
    hosts:
      - [ 'myserver1.mydomain.local', 389 ]
      - [ 'myserver2.mydomain.local', 389 ]
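As an added example (not the thread's own code and not GitLab's), here is a small Ruby check that loads either form of the provider definition shown in this thread, the gitlab.rb hash or the generated gitlab.yml `servers:` fragment, and reports the shape problems discussed here: `hosts` entries that are not `[hostname, port]` pairs, a provider with neither `hosts` nor `host`/`port`, and, as warnings rather than errors, `host`/`port` kept alongside `hosts` (the thread disagrees on whether that is needed per release) and an `encryption` value other than `start_tls` or `simple_tls`, since a plain bind on 389 sends the bind account's password over the network in the clear. The hostnames are the placeholders from the thread, the key names follow the snippets above and GitLab's documented option names, and the `base` value is an assumed sample.

```ruby
require 'yaml'

# Constructed sample in the shape gitlab.rb's gitlab_rails['ldap_servers'] uses
# (hostnames copied from the thread; they are placeholders, not real servers).
LDAP_SERVERS = {
  'main' => {
    'label' => 'LDAP',
    'hosts' => [['myserver1.mydomain.local', 389], ['myserver2.mydomain.local', 389]],
    'encryption' => 'start_tls',
    'base' => 'DC=mydomain,DC=local' # assumed sample value
  }
}

# Constructed fragment in the shape of the generated gitlab.yml 'servers:' block,
# mirroring the working single+multi host layout posted above.
LDAP_YAML_FRAGMENT = <<~YAML
  main:
    label: LDAP
    host: 'fake.mydomain.local'
    port: 389
    hosts:
      - [ 'myserver1.mydomain.local', 389 ]
      - [ 'myserver2.mydomain.local', 389 ]
YAML

VALID_PORT = (1..65535)

# A hosts entry must be exactly [non-empty hostname, integer port].
def host_port_pair?(pair)
  pair.is_a?(Array) && pair.size == 2 &&
    pair[0].is_a?(String) && !pair[0].empty? &&
    pair[1].is_a?(Integer) && VALID_PORT.cover?(pair[1])
end

# Check one provider. Returns [errors, warnings]; empty errors means the
# hosts / host+port shape is one GitLab can load.
def check_ldap_provider(name, cfg)
  errors = []
  warnings = []
  hosts = cfg['hosts']
  single = cfg.key?('host') && cfg.key?('port')

  if hosts.nil?
    if single
      errors << "#{name}: host/port is not a valid [hostname, port] pair" unless host_port_pair?([cfg['host'], cfg['port']])
    else
      errors << "#{name}: neither 'hosts' nor 'host'/'port' is set"
    end
  elsif !hosts.is_a?(Array) || hosts.empty?
    errors << "#{name}: 'hosts' must be a non-empty list of [hostname, port] pairs"
  else
    hosts.each_with_index do |pair, i|
      errors << "#{name}: hosts[#{i}] is not a [hostname, port] pair: #{pair.inspect}" unless host_port_pair?(pair)
    end
    # The thread reports this as ignored on one release and required on another,
    # so it is flagged for attention, not rejected.
    warnings << "#{name}: 'host'/'port' present alongside 'hosts' (ignored on some releases, required on others)" if single
  end

  # Anything other than the two TLS modes means the bind password crosses the wire unencrypted.
  unless %w[start_tls simple_tls].include?(cfg['encryption'])
    warnings << "#{name}: encryption is #{cfg['encryption'].inspect}; bind credentials cross the network in the clear"
  end

  [errors, warnings]
end

# Check every provider in a gitlab.rb-style hash.
def check_ldap_servers(servers)
  servers.each_with_object([[], []]) do |(name, cfg), (errors, warnings)|
    e, w = check_ldap_provider(name, cfg)
    errors.concat(e)
    warnings.concat(w)
  end
end

# Same check over a gitlab.yml 'servers:' fragment, parsed as plain YAML.
def check_ldap_yaml(text)
  check_ldap_servers(YAML.safe_load(text))
end

if __FILE__ == $PROGRAM_NAME
  [LDAP_SERVERS, YAML.safe_load(LDAP_YAML_FRAGMENT)].each do |servers|
    errors, warnings = check_ldap_servers(servers)
    puts(errors.empty? ? 'OK' : 'ERRORS')
    (errors + warnings).each { |line| puts "  #{line}" }
  end
end
```

Run it against a copy of the `ldap_servers` hash or the `servers:` block of the generated gitlab.yml; a port written as the string `'389'` instead of the integer `389`, for instance, is reported as a malformed pair, which is the kind of mistake that only shows up as a silent bind failure otherwise.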

I tested this with release 14.7.4-ee and it is working without the “duplicate” mentioned by atommaki. Verified by the LDAP test which was contacting both servers.


Thanks, I overlooked that in your configuration.

Maybe the YAML format is the problem and the Ruby config parser happily accepts one or the other attribute. I’d suggest switching to gitlab.rb to stay safe on upgrades.

Thanks for testing and verifying my assumption 🙂

OK, it works now for me. I know what I missed. This generated config concept was not clear to me; if you work with GitLab for a while it’s just a routine to run gitlab-ctl reconfigure, but I missed that, so my changes were useless (and then I started to modify the generated config without knowing that it’s generated).
I would suggest making it clearer on the LDAP integration page. Reconfigure is mentioned in some places for some specific cases, and if you read it there then it’s clear. LDAP integration is one of the first things you want to do after installing GitLab, so I think I am not the first to miss that…