GitLab 4.2-Stable and LDAP with ActiveDirectory

Enabling LDAP on Gitlab 4.2-Stable seemed straightforward, but then I hit a number of issues with authentication outside of the GUI.

First, the documentation from the main link is woefully inadequate, but I stumbled upon this link on Setting up LDAP Auth which helped with some of the specifics.

The second issue I ran into authenticating against ActiveDirectory LDAP and GitLab is an error message that reports that accounts must have both an uid and an email.  It took a bit to track this down but finally I found a reference to this commit from a fork by “syndicut” which addresses a problem in the user mapping.  The config mapping as it exists in ldap.rb below fails because the mapping does not move beyond the initial check — a .respond_to? check is added to handle the lookups correctly.   There are some posts that refer to changing the order to work around the problem, I applied the code changes in ldap.rb so that it works as expected.

@@config = {
	'name' => 'cn',
	'first_name' => 'givenName',
	'last_name' => 'sn',
	'email' => ['email', 'mail', 'userPrincipalName'],
	'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
	'mobile' => ['mobile', 'mobileTelephoneNumber'],
	'nickname' => ['uid', 'userid', 'sAMAccountName'],
	'title' => 'title',
	'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddr$
	'uid' => 'dn',
	'url' => ['wwwhomepage'],
	'image' => 'jpegPhoto',
	'description' => 'description'

Another critical issue that I hit was related to LDAP auth with git over https versus ssh.
Basically, I want to authenticate over LDAP when cloning or creating a new git repo such as:

git clone "Test Project"

This one was a bit more involved but I found a reference to an issue tracking this and a related pull request. GitLab Pull Request 2557 adds support to authenticate users in the grack module. Once this is applied, the git over https scenario works with LDAP authenticated users.

Finally, I wanted to restrict user logins to those groups with GitLab permissions. GitLab/OmniAuth-Ldap Pull Request 3 and GitLab Pull Request 2497 from user dimaj updates omniauth-ldap to apply a more general ldap filter rather than a specific uid filter when validating logins.  Applying these changes will enforce a user’s membership in a specific security group.

I have one remaining issue to address and that’s to enforce TLS over 389 with ActiveDirectory. This currently fails to authenticate in simple_tls mode and I have more debugging and digging through commits to find or fix this particular failure case.