Require AD users to Sign up

I’m in the process of setting up a new internal Gitlab server. It resides entirely within our firewall with no public access.

I configured it to use AD authentication just fine, but was a bit surprised that when I logged in as a new user, I just jumped right in with a new account.

OK, so I was persistently warned that I had Sign-up restrictions enabled, and disabled it; maybe I need to re-enable that? After re-enabling Sign-up and requiring admin approval for sign-ups, I was dismayed to find a new AD user just jumped right in to a new account without being required to sign up or wait for approval.

I don’t want just anyone in my company who has AD creds to be able to log in to the app and create a new account. I want to require AD users to sign up, and have an admin approve new AD signups.

Can Gitlab be configured in this way?

Thanks

Bruce.

Yes,

Add users to a group, and then use user filters for example memberOf to make sure that the login is a member of the group that you want to login.

More info here: General LDAP Setup | GitLab

What @iwalker suggested and don’t forget to disable Sign-up.

Sign-up is for creating a new internal account, but when you have LDAP configured, the user is not creating a new internal account, but using his external AD account. For GitLab this is Sign-in, because the user identity already exists in an external source.

Thank you for your reply.

We want to use AD for authentication, but not authorization. Using AD groups is not feasible or desirable for us.

It looks like a suitable workaround might be to have new users treated as “external” by default. I have found the setting gitlab_rails['gitlab_default_can_create_group'] in /etc/gitlab/gitlab.rb, and setting it to false does just that. I can’t find a place to make a similar setting for making user_default_external true.

I found this in the User model

  default_value_for(:external) { Gitlab::CurrentSettings.user_default_external }
  default_value_for :can_create_group, gitlab_config.default_can_create_group

Which suggests that the setting should be configurable, but in chasing down Gitlab::CurrentSettings.user_default_external somewhat, I can’t find where it gets set.

B.
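The two settings the thread converges on, a memberOf user filter on the LDAP server block (from the first reply) and gitlab_default_can_create_group set to false (found in gitlab.rb above), as an added example that is not from the thread or from GitLab's own files. It assumes a placeholder AD host, base DN, bind account and group DN; in Omnibus GitLab the gitlab_rails object is provided by the configuration DSL, so a one-line Hash stand-in is used here so the fragment and the check function run as plain Ruby.

```ruby
# Stand-in for the Omnibus DSL object so this runs outside /etc/gitlab/gitlab.rb.
gitlab_rails = Hash.new

# LDAP authentication against AD. Host, DNs and password are placeholders.
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
  'main' => {
    'label' => 'Corporate AD',
    'host' => 'ad.example.internal',
    'port' => 636,
    'uid' => 'sAMAccountName',
    'encryption' => 'simple_tls',
    'bind_dn' => 'CN=gitlab-bind,OU=Service Accounts,DC=example,DC=internal',
    'password' => 'PLACEHOLDER-bind-password',
    'active_directory' => true,
    'base' => 'DC=example,DC=internal',
    # Only members of this AD group may sign in. With no user_filter, every AD
    # account that binds successfully gets a GitLab account on first login.
    'user_filter' => '(memberOf=CN=gitlab-users,OU=Groups,DC=example,DC=internal)'
  }
}

# New accounts may not create top-level groups (the setting quoted above).
gitlab_rails['gitlab_default_can_create_group'] = false

GITLAB_RAILS_CONFIG = gitlab_rails

# Flag the combination the thread describes: LDAP enabled with no user_filter
# (anyone with directory creds can sign in) and group creation left at its default.
def ldap_risk_findings(config)
  findings = []
  if config['ldap_enabled']
    (config['ldap_servers'] || {}).each do |name, server|
      if server['user_filter'].to_s.strip.empty?
        findings << "#{name}: no user_filter, any directory account that binds can sign in"
      end
    end
  end
  unless config['gitlab_default_can_create_group'] == false
    findings << 'gitlab_default_can_create_group is not false; new accounts can create groups'
  end
  findings
end

findings = ldap_risk_findings(GITLAB_RAILS_CONFIG)
puts(findings.empty? ? 'no findings' : findings.join("\n"))
```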

GitLab uses LDAP only for authentication. There are LDAP groups for authorization, but that is a Premium feature. As you mentioned, you don’t want it anyway.
Users can create groups by default (no difference what method they use for authentication) unless it is disabled by the settings you have already found.
External users from LDAP are also a Premium feature.

EDIT: There is an option to specify external users by e-mail, but I think that is only for internal accounts. You can give it a try.