What will adding the LDAP config "user_filter" to a GitLab installation where LDAP sync has been running for years do?

We are currently using LDAP sync to our Active Directory to handle user creation and access for our on-premise GitLab installation (Starter 12.1.6-ee). We use the gitlab.rb setting ldap_servers.main.base to point out all our valid users, and ldap_servers.main.group_base to sync group memberships. An admin group is also set somewhere in there.

Currently, base is set to something like “OU=Users,OU=<domain>,DC=<domain>,DC=local” which is all users in our AD. What we want to do is constrain the selection of valid gitlab users somewhat, and we think the nested group member filter from Using an LDAP filter to limit access to your gitlab server would be a good fit. Something like

user_filter: '(memberOf:1.2.840.113556.1.4.1941:=CN=sg-usr-gitlabsync,OU=groups,OU=<domain>,DC=<domain>,DC=local)'

That should include all users in the gitlabsync group, as well as any users in groups where the group is a member of gitlabsync, right?
I’ve checked with ldapsync, and adding that filter to the above base search will give a list of users that looks correct.

I have a couple of questions though, before we add the line to the config and sudo gitlab-ctl reconfigure.

  1. What would happen to existing users suddenly not found during the ldap sync? Would they be ldap_blocked?

  2. If we make a mistake and manage to write a filter that returns no users, will we block all existing users in that case? Even those in admin_group? How would we restore such a mistake? Is a wide restore from backup the only option? Could it be fixed by just removing the filter and waiting for ldap to run again?

  3. Are there any other obvious issues with this that we have missed?
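
A pre-flight check for the change described in the question, added here as an example and not part of the original post: it diffs the accounts the current base search returns against the accounts the new user_filter returns, and rejects an empty result or one that leaves out an admin. It assumes sAMAccountName is the login attribute and that the three inputs are LDIF text saved from directory searches (base only, base plus filter, admin group members); the function names and sample data are constructed.

```python
import base64

def ldif_attr_values(ldif_text, attr="sAMAccountName"):
    """Collect one attribute's values (lowercased) from LDIF search output."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: leading space continues previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    prefix = attr.lower() + ":"
    values = set()
    for line in lines:
        if not line.lower().startswith(prefix):
            continue
        rest = line[len(prefix):]
        if rest.startswith(":"):            # "attr:: ..." means the value is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        values.add(value.lower())
    return values

def preflight(base_ldif, filtered_ldif, admin_ldif):
    """Compare who the base search returns today with who the new filter keeps."""
    current = ldif_attr_values(base_ldif)
    kept = ldif_attr_values(filtered_ldif)
    admins = ldif_attr_values(admin_ldif)
    report = {
        "dropped": sorted(current - kept),          # found today, not matched by the filter
        "admins_dropped": sorted(admins - kept),    # admin group members the filter misses
    }
    # Reject an empty result and any filter that loses an admin.
    report["safe_to_apply"] = bool(kept) and not report["admins_dropped"]
    return report

# Constructed sample output (not from a real directory).
JOERG_B64 = base64.b64encode("j\u00f6rg".encode("utf-8")).decode("ascii")
BASE_LDIF = ("dn: CN=Alice,OU=Users\nsAMAccountName: al\n ice\n\n"
             "dn: CN=Bob,OU=Users\nsAMAccountName: bob\n\n"
             f"dn: CN=Joerg,OU=Users\nsAMAccountName:: {JOERG_B64}\n")
FILTERED_LDIF = ("dn: CN=Alice,OU=Users\nsAMAccountName: alice\n\n"
                 f"dn: CN=Joerg,OU=Users\nsAMAccountName:: {JOERG_B64}\n")
ADMIN_LDIF = "dn: CN=Bob,OU=Users\nsAMAccountName: bob\n"

if __name__ == "__main__":
    print(preflight(BASE_LDIF, FILTERED_LDIF, ADMIN_LDIF))
```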