How to Configure Gitlab with FreeIPA Auth

2015/11/21



Gitlab can authenticate users against LDAP, and since FreeIPA is built on 389 Directory Server this works well with FreeIPA. Here is how to set it up!


This example is using:

FreeIPA 4.1.0
CentOS 7

Gitlab CE 8.1.4
CentOS 7


1. Read only ldap user

First, create a read-only user in FreeIPA for Gitlab to bind with. This is optional, but it lets Gitlab look up user attributes such as email addresses in LDAP. Use a dedicated account for this rather than an admin account: the bind password ends up in plaintext in Gitlab's config, so if the Gitlab host is ever compromised the attacker should gain nothing more than read access to the directory.

If you already know your way around FreeIPA, skip ahead. Otherwise, a brief how-to is:

A. First, create that dedicated LDAP bind user in FreeIPA, for example username: readonly, with a strong password.

B. Next, go to IPA Server > Role Based Access Control > Permission

C. There, create a new Permission called Read Only LDAP Auth and select Granted rights: [x] read [x] search [x] compare. Scope it as tightly as the form allows: set the Type to User and grant only the attributes Gitlab actually needs (uid, cn, mail), so the bind account cannot read anything else in the directory.

D. Next, create a Privilege called Read Only LDAP Auth, and add the Permission just created.

E. Finally, create a Role Read Only LDAP Auth, and add the Privilege Read Only LDAP Auth.

F. And lastly, add the user readonly to that Role.


2. GitLab Setup

Below is an example LDAP setup for FreeIPA with a read-only bind user.

In the main Gitlab config file (/etc/gitlab/gitlab.rb), I commented out the existing ldap configs and put in the following two lines, which pull the LDAP settings in from a separate file:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load_file('/etc/gitlab/ldap_settings.yml')

Next, here is a separate example ldap config file. Keep it owned by root with mode 0600, since it holds the bind password in plaintext; gitlab-ctl reconfigure runs as root and can still read it:

/etc/gitlab/ldap_settings.yml

main:
  label: 'FreeIPA'
  host: 'ipa.example.com'
  port: 389
  uid: 'uid'
  # 'tls' means STARTTLS on the plain LDAP port; 'ssl' with port 636 would be LDAPS.
  # Never use 'plain': it sends the bind password and every user login in cleartext.
  method: 'tls'
  bind_dn: 'uid=readonly,cn=users,cn=accounts,dc=example,dc=com'
  # Double quotes here: an apostrophe inside a single-quoted YAML value breaks the file.
  password: "readonly user's password here"
  base: 'cn=accounts,dc=example,dc=com'

One caveat on the encryption: the Gitlab release used here has no setting in this block for verifying the server certificate, so STARTTLS protects the bind password and user logins from passive sniffing, but not from an active attacker on the path who presents a certificate of their own. Later Gitlab releases renamed method to encryption (start_tls, simple_tls or plain) and added verify_certificates and ca_file; if you are on one of those, set verify_certificates to true and point ca_file at the IPA CA certificate (/etc/ipa/ca.crt on an IPA-enrolled host).


After editing gitlab.rb, one must run the following to reconfigure gitlab with the changes:

sudo gitlab-ctl reconfigure
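
Before reconfiguring, it is worth sanity-checking the settings file, because a typo there (the password line in the first draft of this post had an apostrophe inside a single-quoted value, which is not valid YAML) only shows up as a failed reconfigure. The Ruby script below is an added example written for this page, not code from Gitlab or FreeIPA. It loads the file with the same YAML.load_file call gitlab.rb uses, checks that the keys Gitlab reads are present, rejects method: plain, flags a method/port mismatch, and warns when the file is readable by other local users. The sample settings and the password in them are constructed; the hostname and DNs are the example values from this post.

```ruby
#!/usr/bin/env ruby
# Pre-flight linter for a Gitlab ldap_settings.yml of the shape used above.
# Added example: this is not part of Gitlab or FreeIPA. It loads the file with
# the same YAML.load_file call gitlab.rb uses, checks the keys Gitlab reads,
# refuses an unencrypted bind, and flags a file readable by other local users.
require 'yaml'
require 'tempfile'

REQUIRED_KEYS = %w[label host port uid method bind_dn password base].freeze
# Gitlab 8.x encryption methods: 'tls' = STARTTLS (normally port 389),
# 'ssl' = LDAPS (normally port 636), 'plain' = no encryption at all.
EXPECTED_PORT = { 'tls' => 389, 'ssl' => 636 }.freeze

# Returns an array of problem strings; an empty array means the file looks sane.
def lint_ldap_settings(path)
  problems = []
  mode = File.stat(path).mode & 0o777
  if (mode & 0o077) != 0
    problems << format('%s is mode %04o but holds the bind password; chmod 600 it', path, mode)
  end

  begin
    servers = YAML.load_file(path)
  rescue Psych::SyntaxError => e
    # An unbalanced quote in the password line ends up here.
    return problems << "YAML does not parse: #{e.message}"
  end
  unless servers.is_a?(Hash) && !servers.empty?
    return problems << 'top level must map a server id (e.g. main) to its settings'
  end

  servers.each do |id, s|
    unless s.is_a?(Hash)
      problems << "#{id}: settings must be a map"
      next
    end
    missing = REQUIRED_KEYS - s.keys
    unless missing.empty?
      problems << "#{id}: missing #{missing.join(', ')}"
      next
    end
    method = s['method'].to_s
    if EXPECTED_PORT.key?(method)
      if s['port'].to_i != EXPECTED_PORT[method]
        problems << "#{id}: method '#{method}' normally goes with port #{EXPECTED_PORT[method]}, not #{s['port']}"
      end
    else
      problems << "#{id}: method '#{method}' sends the bind password and every login in cleartext; use 'tls' or 'ssl'"
    end
    if s['password'].to_s.match?(/password here/i)
      problems << "#{id}: password is still the placeholder"
    end
    # FreeIPA keeps users under cn=users,cn=accounts,<suffix>; a bind DN outside
    # the search base is almost always a typo in the suffix.
    unless s['bind_dn'].to_s.downcase.end_with?(s['base'].to_s.downcase)
      problems << "#{id}: bind_dn #{s['bind_dn']} is not under base #{s['base']}"
    end
  end
  problems
end

# Lint a YAML string by writing it to a temp file with the given mode.
def lint_ldap_yaml(text, mode: 0o600)
  Tempfile.create('ldap_settings') do |f|
    f.write(text)
    f.flush
    File.chmod(mode, f.path)
    lint_ldap_settings(f.path)
  end
end

# Constructed samples (not real credentials): the corrected file from the post,
# and a deliberately bad one with an unencrypted method and the placeholder password.
SAMPLE_GOOD = <<~YAML
  main:
    label: 'FreeIPA'
    host: 'ipa.example.com'
    port: 389
    uid: 'uid'
    method: 'tls'
    bind_dn: 'uid=readonly,cn=users,cn=accounts,dc=example,dc=com'
    password: "correct-horse-battery-staple"
    base: 'cn=accounts,dc=example,dc=com'
YAML

SAMPLE_BAD = SAMPLE_GOOD.sub("method: 'tls'", "method: 'plain'")
                        .sub('"correct-horse-battery-staple"', %q("readonly user's password here"))

if $PROGRAM_NAME == __FILE__
  # With a path argument lint that file; with none, show what the bad sample triggers.
  target = ARGV.first
  problems = target ? lint_ldap_settings(target) : lint_ldap_yaml(SAMPLE_BAD)
  puts(problems.empty? ? 'no problems found' : problems)
end
```

Run it as ruby lint_ldap_settings.rb /etc/gitlab/ldap_settings.yml before gitlab-ctl reconfigure; with no argument it lints the built-in bad sample and prints the two findings. After reconfiguring, sudo gitlab-rake gitlab:ldap:check performs a real bind with these settings and lists the first users it finds, which confirms the bind DN, password and base against the live directory rather than just the file's shape.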


Done! You can now log in to Gitlab with your FreeIPA credentials.

[screenshot: gitlab_freeipa]

Thanks to #freeipa on freenode. Cheers,