GitLab 4.2-Stable and LDAP with ActiveDirectory

Enabling LDAP on Gitlab 4.2-Stable seemed straightforward, but then I hit a number of issues with authentication outside of the GUI.

First, the documentation from the main link is woefully inadequate, but I stumbled upon this link on Setting up LDAP Auth which helped with some of the specifics.

The second issue I ran into when authenticating GitLab against ActiveDirectory LDAP is an error message reporting that accounts must have both a uid and an email. It took a while to track down, but I finally found a reference to this commit from a fork by “syndicut” which addresses a problem in the user mapping. The config mapping as it exists in ldap.rb (below) fails because the lookup never moves beyond the first candidate attribute in each list; the commit adds a .respond_to? check so that the lookups fall through correctly. Some posts suggest reordering the attributes to work around the problem; I applied the code changes in ldap.rb instead so that it works as expected.

@@config = {
	'name' => 'cn',
	'first_name' => 'givenName',
	'last_name' => 'sn',
	'email' => ['email', 'mail', 'userPrincipalName'],
	'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
	'mobile' => ['mobile', 'mobileTelephoneNumber'],
	'nickname' => ['uid', 'userid', 'sAMAccountName'],
	'title' => 'title',
	'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddr$
	'uid' => 'dn',
	'url' => ['wwwhomepage'],
	'image' => 'jpegPhoto',
	'description' => 'description'
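To make the mapping failure described above concrete, here is an added example (not the post's code and not omniauth-ldap's own source). It uses a stand-in for Net::LDAP::Entry and a minimal version of the attribute mapper written for this example; the assumption it rests on is that, like the real entry object, [] returns an empty Array for a missing attribute (which is truthy in Ruby) while respond_to? is true only for attributes the entry actually carries. The ActiveDirectory user below is constructed sample data.

```ruby
# Added example: why the array lookup in the user mapping stops at the first
# candidate attribute on ActiveDirectory, and how a respond_to? check fixes it.

# Assumption: mirrors Net::LDAP::Entry semantics as used here -- [] returns []
# for a missing attribute, respond_to? reflects attribute presence.
class FakeEntry
  def initialize(attrs)
    @attrs = attrs.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = Array(v) }
  end

  def [](name)
    @attrs.fetch(name.to_s.downcase, [])
  end

  def respond_to?(name, include_all = false)
    @attrs.key?(name.to_s.downcase) || super
  end
end

# A subset of the @@config mapping from the post: a String means one attribute,
# an Array means "use the first attribute that is present".
MAPPING = {
  'email'    => ['email', 'mail', 'userPrincipalName'],
  'nickname' => ['uid', 'userid', 'sAMAccountName'],
  'name'     => 'cn'
}.freeze

# Pre-fix behaviour: tests the lookup result for truthiness. Because [] is
# truthy, the first candidate "wins" even when the attribute is absent, the
# value becomes nil, and the remaining candidates are never consulted.
def map_user_by_truthiness(mapping, entry)
  mapping.each_with_object({}) do |(key, spec), user|
    case spec
    when String
      user[key] = entry[spec].first if entry[spec]
    when Array
      spec.each { |a| (user[key] = entry[a].first; break) if entry[a] }
    end
  end
end

# Post-fix behaviour: tests attribute presence with respond_to?, so the loop
# falls through to 'mail' and 'sAMAccountName' on an AD entry.
def map_user_by_presence(mapping, entry)
  mapping.each_with_object({}) do |(key, spec), user|
    case spec
    when String
      user[key] = entry[spec].first if entry.respond_to?(spec)
    when Array
      spec.each { |a| (user[key] = entry[a].first; break) if entry.respond_to?(a) }
    end
  end
end

# Constructed sample: a typical AD account has mail and sAMAccountName but
# neither an 'email' nor a 'uid' attribute.
AD_USER = FakeEntry.new({
  'cn' => 'Jane Doe',
  'mail' => 'jane.doe@example.com',
  'sAMAccountName' => 'jdoe',
  'userPrincipalName' => 'jdoe@example.com'
})

if __FILE__ == $0
  p map_user_by_truthiness(MAPPING, AD_USER) # email and nickname come back nil
  p map_user_by_presence(MAPPING, AD_USER)   # email and nickname resolved
end
```

Running it shows the nil email and nickname that trigger the "must have both an uid and an email" error, and why simply moving 'mail' ahead of 'email' in the list also papers over it.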

Another critical issue that I hit was related to LDAP auth with git over https versus ssh.
Basically, I want to authenticate over LDAP when cloning or creating a new git repo such as:

git clone "Test Project"

This one was a bit more involved but I found a reference to an issue tracking this and a related pull request. GitLab Pull Request 2557 adds support to authenticate users in the grack module. Once this is applied, the git over https scenario works with LDAP authenticated users.

Finally, I wanted to restrict user logins to those groups with GitLab permissions. GitLab/OmniAuth-Ldap Pull Request 3 and GitLab Pull Request 2497 from user dimaj update omniauth-ldap to apply a more general ldap filter rather than a specific uid filter when validating logins.  Applying these changes will enforce a user’s membership in a specific security group.
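As an added illustration of the filter-based validation described above (not the post's code and not the pull request's own implementation), the snippet below builds a login filter that combines the account lookup with a group-membership condition. It is plain Ruby with no net-ldap dependency; the memberOf attribute, the sAMAccountName login attribute and the group DN are assumptions chosen for the example. It also escapes the login value per RFC 4515, since the login comes from the user and is substituted into the filter string.

```ruby
# Added example: compose an LDAP login filter that also requires membership in
# a security group. Group DN and attribute names are placeholders/assumptions.

GROUP_DN = 'CN=gitlab-users,OU=Groups,DC=example,DC=com'.freeze # placeholder

# RFC 4515 escaping for values substituted into a filter, so a login such as
# "jdoe)(objectClass=*" cannot change the meaning of the filter.
def ldap_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# (&(<uid_attr>=<login>)(memberOf=<group>)): the entry must match the login
# AND carry the group DN in memberOf, which is what restricts sign-in to the group.
def login_filter(login, uid_attr: 'sAMAccountName', group_dn: GROUP_DN)
  "(&(#{uid_attr}=#{ldap_escape(login)})(memberOf=#{ldap_escape(group_dn)}))"
end

if __FILE__ == $0
  puts login_filter('jdoe')
  puts login_filter('jdoe)(objectClass=*')
end
```

With a filter like this, the bind succeeds only for an entry that matches both clauses, which is the behaviour the post is after; the escaping keeps the login from adding clauses of its own.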

I have one remaining issue to address, and that’s to enforce TLS over 389 with ActiveDirectory. This currently fails to authenticate in simple_tls mode, and I have more debugging and digging through commits to do before I find or fix this particular failure case.

Gitlab 4.0-Stable on Ubuntu 12.04, SSL & Apache2

After a bunch of trial and error, I was able to get GitLab running on Apache2 supporting large payloads with SSL.
Special thanks to some pointers on the passenger module install from Nick Yeoman.

  • Configure gitlab.yml for SSL
    ## GitLab settings
      ## Web server settings
      host: gitlab.<your-domain>
      port: 443
      https: true
  • Install the passenger module for Ruby & Apache2:
    sudo gem install passenger
    sudo passenger-install-apache2-module

The passenger installer will note that these lines will need to be added to the Apache config:

LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.15/ext/apache2/
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.15
PassengerRuby /usr/local/bin/ruby
  • Enable rewrite for http: -> https: (optional)
    sudo a2enmod rewrite
  • Create the gitlab conf in apache2
    sudo vim /etc/apache2/sites-available/gitlab
LoadModule passenger_module /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19/ext/apache2/
PassengerRoot /usr/local/lib/ruby/gems/1.9.1/gems/passenger-3.0.19
PassengerRuby /usr/local/bin/ruby

<VirtualHost *:80>
        ServerName gitlab.<your.domain>

        # Redirect from HTTP to HTTPS
        RewriteEngine   on
        RewriteCond     %{SERVER_PORT} ^80$
        RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>

<VirtualHost *:443>
        ServerName gitlab.<your.domain>
        ServerAdmin gitlab@<your.domain>

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/<cert.file>
        SSLCertificateKeyFile /etc/apache2/ssl/<cert.key>
        SSLCertificateChainFile /etc/apache2/ssl/<chain-file.crt>

        # Point this to your public folder of gitlab
        DocumentRoot /home/gitlab/gitlab/public
        <Directory /home/gitlab/gitlab/public>
                # This relaxes Apache security settings.
                AllowOverride all
                # MultiViews must be turned off.
                Options -MultiViews
        </Directory>

        CustomLog /var/log/apache2/gitlab-access.log combined
        ErrorLog  /var/log/apache2/gitlab-error.log
</VirtualHost>
  • Enable the site and restart Apache2
    sudo a2ensite gitlab
    sudo service apache2 restart