LDAP Setup
Create an LDAP user gitlab.connector to be used as the bind account for the GitLab and FreeIPA integration.
Create an LDAP user group gitlabusers; only members of this group are allowed to log in to GitLab.
GitLab Configuration
Edit the LDAP section of the GitLab configuration file /etc/gitlab/gitlab.rb:
# vim /etc/gitlab/gitlab.rb
...
### LDAP Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
###! **Be careful not to break the indentation in the ldap_servers block. It is
###! in yaml format and the spaces must be retained. Using tabs will not work.**
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'ipa.example.com/IP'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=gitlab.connector,cn=users,cn=accounts,dc=example,dc=com'
    password: 'PASSWORD'
    encryption: 'start_tls'
    verify_certificates: false
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'cn=accounts,dc=example,dc=com'
    user_filter: '(memberof=cn=gitlabusers,cn=groups,cn=accounts,dc=example,dc=com)'
    attributes:
      username: ['uid']
      email: ['mail']
      name: 'displayName'
      first_name: 'givenName'
      last_name: 'sn'
EOS
...
# gitlab-ctl reconfigure
# gitlab-ctl restart
# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'ipa.example.com/IP:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
...
...
...
Checking LDAP ... Finished
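As an added example (not from the original post and not GitLab's own tooling), the Ruby script below parses the same YAML heredoc that gitlab.rb hands to YAML.load and reports the settings that weaken the integration. The post's verify_certificates: false is exactly what the "not verifying SSL hostname" line in the gitlab:ldap:check output above reports: GitLab will hand the gitlab.connector password to any server that answers on that host and port. The host, bind_dn and password values are placeholders, and the check names and messages are this example's own.

```ruby
require 'yaml'

# Added example (not from the original post): a small linter for the
# gitlab_rails['ldap_servers'] block. It parses the YAML heredoc exactly as
# gitlab.rb does and reports settings that weaken the LDAP bind.

# The block as it appears in the post, with verify_certificates: false.
# Host, bind_dn and password are placeholders.
PAGE_LDAP_YAML = <<-'EOS'
  main:
    label: 'LDAP'
    host: 'ipa.example.com'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=gitlab.connector,cn=users,cn=accounts,dc=example,dc=com'
    password: 'PASSWORD'
    encryption: 'start_tls'
    verify_certificates: false
    base: 'cn=accounts,dc=example,dc=com'
    user_filter: '(memberof=cn=gitlabusers,cn=groups,cn=accounts,dc=example,dc=com)'
    attributes:
      username: ['uid']
      email: ['mail']
EOS

# The corrected block: with verify_certificates: true GitLab refuses to send
# the bind password to a server whose certificate does not match the host.
HARDENED_LDAP_YAML = PAGE_LDAP_YAML.sub('verify_certificates: false',
                                        'verify_certificates: true')

# Returns an array of findings (strings) for one named server entry.
def lint_ldap_server(name, cfg)
  findings = []
  enc = cfg['encryption'].to_s

  # Without TLS the bind password and every user's login travel in cleartext.
  unless %w[start_tls simple_tls].include?(enc)
    findings << "#{name}: encryption '#{enc}' sends bind and user credentials in cleartext"
  end

  # Psych parses the bare words true/false as booleans; anything else counts as unset.
  if cfg['verify_certificates'] != true
    findings << "#{name}: verify_certificates is not true, so the server certificate and hostname are not checked"
  end

  # Without a user_filter every account under base may sign in to GitLab.
  if cfg['user_filter'].to_s.strip.empty?
    findings << "#{name}: no user_filter, so every account under '#{cfg['base']}' can sign in"
  end

  # 636 is the LDAPS port; STARTTLS is negotiated on the plain LDAP port instead.
  if cfg['port'] == 636 && enc == 'start_tls'
    findings << "#{name}: port 636 is normally LDAPS (simple_tls), not STARTTLS"
  end

  findings
end

# Lints every server entry in the ldap_servers YAML and returns all findings.
def lint_ldap_servers(yaml_text)
  servers = YAML.safe_load(yaml_text)
  servers.flat_map { |name, cfg| lint_ldap_server(name, cfg) }
end

if __FILE__ == $PROGRAM_NAME
  [['page', PAGE_LDAP_YAML], ['hardened', HARDENED_LDAP_YAML]].each do |label, text|
    findings = lint_ldap_servers(text)
    report = findings.empty? ? 'no findings' : findings.join("\n  ")
    puts "#{label}: #{report}"
  end
end
```

Turning verify_certificates on only works when host is the FQDN that appears in the IPA server's certificate (an IP address will not match it) and the IPA CA is trusted on the GitLab host; the GitLab LDAP documentation linked from the config describes how to point GitLab at that CA certificate. Re-run gitlab-rake gitlab:ldap:check afterwards: the "not verifying SSL hostname" line should be gone.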