Configure GitLab with open LDAP
I am trying to configure my GitLab to authenticate users with OpenLDAP. I have already configured OpenLDAP, and it works fine with Jenkins. But GitLab gives the error: Could not authenticate you from Ldapmain because "Invalid credentials".
Below is the gitlab.rb configuration:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'localhost'
    port: 389
    uid: 'uid'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'cn=admin,dc=ldap,dc=com'
    password: 'waqas'
    active_directory: false
    allow_username_or_email_login: true
    #block_auto_created_users: false
    base: 'cn=Appliance,dc=ldap,dc=com'
    user_filter: ''
    # attributes:
    #   username: ['uid', 'userid', 'sAMAccountName']
    #   email:    ['mail', 'email', 'userPrincipalName']
    #   name:       'cn'
    #   first_name: 'givenName'
    #   last_name:  'sn'
    # ## EE only
    # group_base: 'ou=W-Integrate,dc=ldap,dc=com'
    #admin_group: 'cn=admin,dc=ldap,dc=com'
    # sync_ssh_keys: false
    #
EOS
I have also attached a screenshot of my OpenLDAP. Can anyone correct what I am doing wrong?
Your base should not be a user (or an inetOrgPerson, or a group of users such as cn=Appliance); it should be restricted to dc entries for a base DN:
base: 'dc=ldap,dc=com'
That differs from the bind account bind_dn, which does reference a user: bind_dn: 'cn=admin,dc=ldap,dc=com' (there is a cn there).
Note that since GitLab 13.7 (December 2020):
Support for encrypted LDAP credentials
GitLab uses a unified configuration file, for example gitlab.rb in Omnibus GitLab, which makes configuration easy across all of the bundled services.
Included in this configuration file are some secrets, like the
credentials to authenticate to the LDAP server.
While access to this file does require elevated privileges, best practice
is to separate secrets from configuration.
Omnibus GitLab and Source installs now support encrypted credentials, with the first credential supported being LDAP.
This reduces the sensitivity of the GitLab configuration file, and also helps to achieve customer compliance requirements.
See Documentation and Issue.
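As an added example (not part of the question or of the answer above), here is a small Python linter that applies the answer's two points to a gitlab.rb LDAP block: the search base should be a container (dc= or ou=) rather than a single entry, and the bind password is better kept out of the configuration file now that GitLab supports encrypted LDAP credentials. It also flags method: 'plain', which sends the simple-bind password unencrypted. The sample configuration is the question's block with its indentation restored and comments dropped; the heredoc parser is a minimal one written for this example (not GitLab's), and the leading-attribute rule is a heuristic (an Active Directory 'cn=Users' container would be flagged as well).

```python
import re

# Constructed sample: the LDAP block from the question, with the indentation
# a gitlab.rb heredoc normally carries (comments dropped for brevity).
SAMPLE_GITLAB_RB = """
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'localhost'
    port: 389
    uid: 'uid'
    method: 'plain'
    bind_dn: 'cn=admin,dc=ldap,dc=com'
    password: 'waqas'
    active_directory: false
    allow_username_or_email_login: true
    base: 'cn=Appliance,dc=ldap,dc=com'
    user_filter: ''
EOS
"""


def extract_ldap_block(config_text):
    """Return {provider: {key: value}} for the YAML.load <<-'EOS' ... EOS
    heredoc. A deliberately small line parser for the flat provider blocks
    GitLab ships (hypothetical helper, not a general YAML parser; a value
    containing '#' would be cut at the comment marker)."""
    match = re.search(r"YAML\.load\s+<<-'EOS'(.*?)^\s*EOS\s*$",
                      config_text, re.S | re.M)
    if not match:
        return {}
    providers, current = {}, None
    for raw in match.group(1).splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip()
        if value == '':                           # 'main:' opens a provider
            current = key
            providers[current] = {}
        elif current is not None:
            providers[current][key] = value.strip("'\"")
    return providers


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs; a comma escaped with a
    backslash stays inside the value (RFC 4514)."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def naming_context(dn):
    """The trailing dc= components of a DN, e.g. [('dc','ldap'),('dc','com')]."""
    tail = []
    for attr, value in reversed(parse_dn(dn)):
        if attr != 'dc':
            break
        tail.append((attr, value.lower()))
    return tail[::-1]


def lint_provider(name, cfg):
    """Findings for one provider block, following the answer's advice."""
    findings = []
    base, bind_dn = cfg.get('base', ''), cfg.get('bind_dn', '')
    if base and parse_dn(base)[0][0] in ('cn', 'uid'):
        findings.append(f"{name}: base '{base}' starts with cn=/uid=, which usually "
                        "names a single entry; the search base should be a "
                        "container such as 'dc=ldap,dc=com' or an ou=")
    if base and bind_dn and naming_context(base) != naming_context(bind_dn):
        findings.append(f"{name}: base and bind_dn are in different naming contexts")
    if 'password' in cfg:
        findings.append(f"{name}: bind password is stored inline in gitlab.rb; "
                        "GitLab 13.7+ can hold LDAP credentials in an encrypted file")
    if cfg.get('method') == 'plain':
        findings.append(f"{name}: method 'plain' sends the simple bind password "
                        "unencrypted; prefer 'tls' (StartTLS) or 'ssl'")
    return findings


def lint_gitlab_rb(config_text):
    """All findings for every provider in the config text."""
    return [finding
            for name, cfg in extract_ldap_block(config_text).items()
            for finding in lint_provider(name, cfg)]


if __name__ == '__main__':
    for finding in lint_gitlab_rb(SAMPLE_GITLAB_RB):
        print('-', finding)
```

Run against the question's block it reports three findings (the cn= base, the inline password and the plain method); with base changed to 'dc=ldap,dc=com', the password line removed and method set to 'tls' it reports none.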