How to Configure Gitlab with FreeIPA Auth

By | 2015/11/21



Gitlab can take advantage of LDAP for auth which works great with FreeIPA. Here is how to set it up!


This example is using:

FreeIPA 4.1.0 on CentOS 7
Gitlab CE 8.1.4 on CentOS 7


1. Read only ldap user

First, create a read-only user in FreeIPA for LDAP auth. This is optional, but without a bind user GitLab cannot retrieve users' email addresses from LDAP.

If you already know how to do this in FreeIPA, skip ahead. Otherwise, here is a brief how-to:

A. First, create the dedicated LDAP auth user in FreeIPA, for example username readonly, with a strong password.

B. Next, go to IPA Server > Role Based Access Control > Permission

C. There, create a new Permission called Read Only LDAP Auth and select Granted rights: [x] read [x] search [x] compare

D. Next, create a Privilege called Read Only LDAP Auth, and add the Permission just created.

E. Finally, create a Role Read Only LDAP Auth, and add the Privilege Read Only LDAP Auth.

F. And lastly, add the user readonly to that Role.


2. GitLab Setup

Below is an example ldap setup to use with FreeIPA and a read only bind user.

In the main gitlab config file (/etc/gitlab/gitlab.rb), I commented out existing ldap configs and put in the following two lines:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load_file('/etc/gitlab/ldap_settings.yml')

Next, here is a separate example ldap config file:

/etc/gitlab/ldap_settings.yml

main:
  label: 'FreeIPA'
  host: 'ipa.example.com'
  port: 389
  uid: 'uid'
  # 'tls' means STARTTLS on the plain LDAP port (389); 'ssl' would be LDAPS on 636
  method: 'tls'
  bind_dn: 'uid=readonly,cn=users,cn=accounts,dc=example,dc=com'
  # double quotes: an apostrophe inside a single-quoted YAML value breaks parsing
  password: "readonly user's password here"
  base: 'cn=accounts,dc=example,dc=com'
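As an added sanity check (my own example, not code from the original post or from GitLab), here is a small Ruby script that loads an ldap_settings.yml the same way gitlab.rb does with YAML.load_file and flags the mistakes that most often bite: broken quoting, a port that does not match the method, an unencrypted plain method, and a missing bind_dn (which is what leaves GitLab unable to read email addresses). The sample YAML embedded in it is constructed; host, DN and password are placeholders.

```ruby
require 'yaml'

# Constructed sample of an ldap_settings.yml like the one above; host, DN and
# password are placeholders, not values from any real server.
SAMPLE_LDAP_YAML = <<~YAML
  main:
    label: 'FreeIPA'
    host: 'ipa.example.com'
    port: 389
    uid: 'uid'
    method: 'tls'
    bind_dn: 'uid=readonly,cn=users,cn=accounts,dc=example,dc=com'
    password: "CHANGE-ME"
    base: 'cn=accounts,dc=example,dc=com'
YAML

REQUIRED_KEYS = %w[label host port uid method bind_dn password base].freeze
# GitLab's LDAP 'method' values and the port each normally uses (tls = STARTTLS, ssl = LDAPS)
EXPECTED_PORT = { 'plain' => 389, 'tls' => 389, 'ssl' => 636 }.freeze

# Parse the file text the way gitlab.rb does (YAML.load_file) and return a
# list of problems; an empty list means the config looks sane.
def check_ldap_settings(text)
  begin
    servers = YAML.safe_load(text)
  rescue Psych::SyntaxError => e
    # e.g. an unescaped apostrophe inside a single-quoted password
    return ["YAML does not parse (check quoting of password/DN values): #{e.message}"]
  end
  return ['top level must map server names (e.g. main:) to settings'] unless servers.is_a?(Hash)
  problems = []
  servers.each do |name, cfg|
    cfg = {} unless cfg.is_a?(Hash) # reported below as missing keys
    missing = REQUIRED_KEYS - cfg.keys
    problems << "#{name}: missing keys #{missing.join(', ')}" unless missing.empty?
    method = cfg['method'].to_s
    if EXPECTED_PORT.key?(method)
      want = EXPECTED_PORT[method]
      problems << "#{name}: method #{method} normally uses port #{want}, got #{cfg['port']}" if cfg['port'] != want
    else
      problems << "#{name}: method must be plain, tls or ssl"
    end
    problems << "#{name}: method plain sends the bind password in clear text" if method == 'plain'
    problems << "#{name}: bind_dn empty; GitLab cannot read user email addresses without a bind user" if cfg['bind_dn'].to_s.empty?
    problems << "#{name}: bind_dn is not under base" unless cfg['bind_dn'].to_s.end_with?(cfg['base'].to_s)
  end
  problems
end
```

Run it against your own file with `check_ldap_settings(File.read('/etc/gitlab/ldap_settings.yml'))` before `gitlab-ctl reconfigure`; an empty result means nothing obvious is wrong.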



After editing gitlab.rb, one must run the following to reconfigure gitlab with the changes:

sudo gitlab-ctl reconfigure


Done! You can now log in to GitLab via FreeIPA.


Thanks to #freeipa on freenode. Cheers,

4 thoughts on “How to Configure Gitlab with FreeIPA Auth”

  1. yuki

    Hi Scott,

    Thank you so much for posting this useful blog.
    But I met some issues when the ldap user logs in to Gitlab.
    The user's Email field shows 'temp-email-for-oauth-yuki@gitlab.localhost' and 'Email is read-only for LDAP user'.
    When this user tries to navigate to another page, GitLab shows 'Please complete your profile with email address'.

    Did I miss something? Sorry for my poor English, thanks again
    1. yuki

      And this user has an email address in the IPA server.
      [yuki@ipaserver ~]$ ipa user-show yuki
      User login: yuki
      First name: yu
      Last name: ki
      Home directory: /home/yuki
      Login shell: /bin/bash
      Email address: yuki@testipa.com
      UID: 737600003
      GID: 737600003
      Account disabled: False
      Password: True
      Member of groups: ipausers

      1. Scott Miller (Post author)

        A bind user is required to fetch and work with the existing email address out of freeipa. (Step 1 on this page)

        Cheers,

  2. yuki

    Thank you for your reply.
    This issue disappeared when I configured another GitLab server.
    There may be some issues in the old server.
    Thanks for your nice blog.
