
I have a running Gitlab CE installation with LDAP authentication. Now I want to restrict the access based on group membership.

The option user_filter seems to be the option to go with. However, I can't seem to get anyone to be allowed to log in based on group membership.

What I tried is this (gitlabaccess being the group that should be allowed to login):

user_filter: '(&(objectclass=group)(samaccountname=gitlabaccess))'

or:

user_filter: '(memberOf=cn=gitlabaccess,DC=my,DC=domain,DC=com)'

The documentation states the following, but it also doesn't work, and I have no idea what the numbers should be:

user_filter: '(memberOf:1.2.840.113556.1.4.1941:=cn=gitlabaccess,DC=my,DC=domain,DC=com)'

Specific users work like this:

user_filter: '(&(objectclass=user)(samaccountname=jon.doe))'

GitLab CE version 9.5.5, installed from the Omnibus package.

How can one restrict access to GitLab based on LDAP group membership?

Sethos II

3 Answers


I figured it out. You need to specify the whole path to the group with all OUs. In my case this was:

user_filter: '(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'

As pointed out in the comments, the above query only returns direct members of the group. If you also want to include members of nested groups, you will have to add :1.2.840.113556.1.4.1941: to memberOf like so:

user_filter: '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'

If you want to add a specific user, use this:

user_filter: '(|(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))(&(objectClass=user)(sAMAccountName=jon.doe)))'
Sethos II
  • "the numbers" in your example from the docs are actually explained right below the example in your doc link. It's a filter modification that tells AD you want direct *and* nested members of that group to be valid. Your answer right now will only allow direct members of the group. – Ryan Bolger Oct 04 '17 at 15:10
  • @RyanBolger Thanks for pointing this out, I added this to the answer. – Sethos II Oct 05 '17 at 05:50
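A worked model of the filter shapes used in this answer and in the question, added here as an example; it is not code from the post or from GitLab. The directory entries, DNs and account names are constructed, and the evaluator covers only the RFC 4515 subset these filters use, treating the 1.2.840.113556.1.4.1941 extensible match as transitive memberOf. Running it shows why the question's first attempt selected the group object rather than any user, and what the nested-membership rule adds over plain memberOf.

```python
"""Model of the LDAP filter shapes discussed in this thread (added example).

Constructed data: a tiny in-memory directory of user and group entries with
memberOf attributes, and an evaluator for the RFC 4515 subset these filters
use: (&...), (|...), (attr=value) and the Active Directory extensible match
memberOf:1.2.840.113556.1.4.1941:=<group DN>, which follows nested groups.
A real server evaluates filters itself; this only makes the direct-vs-nested
difference observable offline.
"""
import re

CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN
BASE = "ou=staff,dc=my,dc=domain,dc=com"  # constructed base DN

# Constructed directory: DN -> attribute -> set of values, all lowercased
# because AD compares DNs and sAMAccountName case-insensitively.
DIRECTORY = {
    f"cn=gitlabaccess,{BASE}": {
        "objectclass": {"group"}, "samaccountname": {"gitlabaccess"},
        "member": {f"cn=jon.doe,{BASE}", f"cn=devteam,{BASE}"},
    },
    f"cn=devteam,{BASE}": {  # nested group inside gitlabaccess
        "objectclass": {"group"}, "samaccountname": {"devteam"},
        "member": {f"cn=jane.roe,{BASE}"}, "memberof": {f"cn=gitlabaccess,{BASE}"},
    },
    f"cn=jon.doe,{BASE}": {  # direct member of gitlabaccess
        "objectclass": {"user"}, "samaccountname": {"jon.doe"},
        "memberof": {f"cn=gitlabaccess,{BASE}"},
    },
    f"cn=jane.roe,{BASE}": {  # member only through devteam
        "objectclass": {"user"}, "samaccountname": {"jane.roe"},
        "memberof": {f"cn=devteam,{BASE}"},
    },
    f"cn=bob.visitor,{BASE}": {  # in no group at all
        "objectclass": {"user"}, "samaccountname": {"bob.visitor"},
    },
}

# attr, optional :matchingRule:, value  e.g. memberOf:1.2.840.113556.1.4.1941:=CN=...
_ITEM = re.compile(r"([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)")


def parse_filter(text):
    """Parse a parenthesised RFC 4515 filter into a tuple tree.

    Nodes are ('&'|'|', [children]) or ('eq', attr, rule, value). Unbalanced
    or trailing input raises ValueError, the typo that makes every login fail.
    """
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            result = (op, children)
        else:
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("missing ')'")
            m = _ITEM.fullmatch(text[pos:end])
            if not m:
                raise ValueError(f"bad filter item {text[pos:end]!r}")
            result = ("eq", m.group(1).lower(), m.group(2), m.group(3).lower())
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after the closing ')'")
    return tree


def transitive_groups(dn, seen=None):
    """Every group `dn` belongs to, following memberOf through nested groups."""
    seen = set() if seen is None else seen
    for group in DIRECTORY.get(dn, {}).get("memberof", ()):
        if group not in seen:
            seen.add(group)
            transitive_groups(group, seen)
    return seen


def matches(tree, dn):
    """Evaluate a parsed filter against one directory entry."""
    if tree[0] == "&":
        return all(matches(child, dn) for child in tree[1])
    if tree[0] == "|":
        return any(matches(child, dn) for child in tree[1])
    _, attr, rule, value = tree
    if rule == CHAIN_OID and attr == "memberof":
        return value in transitive_groups(dn)  # direct or nested membership
    if rule is not None:
        raise ValueError(f"matching rule {rule} is not modelled here")
    return value in DIRECTORY[dn].get(attr, ())  # plain equality, direct only


def search(filter_text):
    """Return the sorted sAMAccountNames of the entries the filter selects."""
    tree = parse_filter(filter_text)
    return sorted(next(iter(DIRECTORY[dn]["samaccountname"]))
                  for dn in DIRECTORY if matches(tree, dn))


def build_user_filter(group_dn, nested=False, extra_users=()):
    """Compose a user_filter in the shape used by the answer above."""
    rule = f":{CHAIN_OID}:" if nested else ""
    clauses = [f"(&(objectClass=user)(memberOf{rule}={group_dn}))"]
    clauses += [f"(&(objectClass=user)(sAMAccountName={u}))" for u in extra_users]
    return clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"


if __name__ == "__main__":
    group = "CN=gitlabaccess,OU=staff,DC=my,DC=domain,DC=com"
    # The question's first attempt selects the group object itself, never a user.
    print(search("(&(objectclass=group)(samaccountname=gitlabaccess))"))
    print(search(build_user_filter(group)))                         # direct only
    print(search(build_user_filter(group, nested=True)))            # direct + nested
    print(search(build_user_filter(group, True, ["bob.visitor"])))  # plus a named user
```

The first search returns only `gitlabaccess`, the group entry: a filter on `objectclass=group` can never match the person who is logging in, which is why nobody could authenticate with it. The plain `memberOf` form admits `jon.doe` alone, while the 1.2.840.113556.1.4.1941 form also admits `jane.roe` through the nested `devteam` group.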
Solution for openLDAP:

Create a group with groupOfUniqueNames instead of groupOfNames, because only groupOfUniqueNames has the memberOf attribute by default.

Cheety

Solution for FreeIPA on RHEL 9, and GitLab 15.8.1 CE/EE (2023)

The steps for setting up LDAP filters in GitLab for FreeIPA differ from the steps for Active Directory.

Setup is as follows:

  • FreeIPA is hosted on:
    • dc1.mydomain.com
  • GitLab is hosted on:
    • gitlab.mydomain.com

Perform the following steps:

  • Create a user in FreeIPA for accessing GitLab
    • Username: "Happy Developer"
    • First name: Happy
    • Last name: Developer
  • Create a group in FreeIPA for accessing GitLab
    • Group name: ug_gitlab_mydomain_com_login_ldap
  • Add user "Happy Developer" to user group "ug_gitlab_mydomain_com_login_ldap" in FreeIPA
  • Create a user in FreeIPA for use as the LDAP bind account for gitlab.mydomain.com
    • Username: ldap.gitlab.mydomain.com
    • First name: ldap
    • Last name: gitlab.mydomain.com
    • Password: alphanumeric, no special symbols like $ < /

Now, check group membership from the command line:

ldapsearch -b "dc=mydomain,dc=com" -s sub "(&(objectclass=person)(memberof=cn=ug_gitlab_mydomain_com_login_ldap,cn=groups,cn=accounts,dc=mydomain,dc=com))" -D "uid=ldap.gitlab.mydomain.com,cn=users,cn=accounts,dc=mydomain,dc=com" -W

You should see one group member, "Happy Developer".

Now change the GitLab configuration:

sudo nano /etc/gitlab/gitlab.rb

Find the section containing the LDAP configuration and add the following text:

gitlab_rails['ldap_enabled'] = true

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'My LDAP'
     host: 'dc1.mydomain.com'
     port: 636
     uid: 'uid'
     bind_dn: 'uid=ldap.gitlab.mydomain.com,cn=users,cn=accounts,dc=mydomain,dc=com' # the bind user created above
     password: 'password'
     encryption: 'simple_tls' # "start_tls" or "simple_tls" or "plain"
     verify_certificates: false # disables TLS certificate verification for the LDAP connection
     smartcard_auth: false
     active_directory: false
     allow_username_or_email_login: false
     lowercase_usernames: false
     block_auto_created_users: false
     base: 'dc=mydomain,dc=com'
     user_filter: 'memberof=cn=ug_gitlab_mydomain_com_login_ldap,cn=groups,cn=accounts,dc=mydomain,dc=com'
     ## EE only
     group_base: ''
     admin_group: ''
     sync_ssh_keys: false
EOS

Reconfigure and restart GitLab and check filter results:

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart
sudo gitlab-rake gitlab:ldap:check

You should see the list of users authorized to log in.

Note: An alternate user_filter is:

user_filter: '(&(objectclass=person)(memberof=cn=ug_gitlab_mydomain_com_login_ldap,cn=groups,cn=accounts,dc=mydomain,dc=com))'

Note: Make sure you perform additional steps to verify the TLS settings of the LDAP connection in the usual way for your setup.

I am not sure whether this supports nested groups. But for now, this should be a good starting point for most FreeIPA users.
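Added example, not part of the answer: a small parser for the LDIF that ldapsearch prints, used to confirm the "You should see one group member" step before the filter is committed to gitlab.rb. The LDIF below is constructed to resemble the output of the ldapsearch command above for the setup described; the cn value is base64-encoded only to exercise the `::` syntax, and the group DN and uid are the ones the answer uses.

```python
"""Check ldapsearch output before the filter goes into gitlab.rb (added example).

ldapsearch prints LDIF: long values are folded onto a following line that
starts with a space, and values after '::' are base64. This unfolds and
decodes such output, lists the uids the filter returned, and compares them
with the accounts that were supposed to be in the group.
"""
import base64

# Constructed LDIF resembling the output of the ldapsearch command above for
# the described FreeIPA setup; the cn is base64-encoded only to exercise '::'.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=com> with scope subtree
# filter: (&(objectclass=person)(memberof=cn=ug_gitlab_mydomain_com_login_ldap,cn=groups,cn=accounts,dc=mydomain,dc=com))
# requesting: ALL
#

# happy.developer, users, accounts, mydomain.com
dn: uid=happy.developer,cn=users,cn=accounts,dc=mydomain,dc=com
objectClass: person
uid: happy.developer
givenName: Happy
sn: Developer
cn:: SGFwcHkgRGV2ZWxvcGVy
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=mydomain,dc=com
memberOf: cn=ug_gitlab_mydomain_com_login_ldap,cn=groups,cn=accounts,dc=mydo
 main,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
"""

GROUP_DN = "cn=ug_gitlab_mydomain_com_login_ldap,cn=groups,cn=accounts,dc=mydomain,dc=com"


def parse_ldif(text):
    """Return the entries of an LDIF document as dicts attr -> [values]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                 # a blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = {}
        if current is None:                  # 'search:'/'result:' trailer
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):            # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def member_uids(ldif_text, group_dn):
    """uids of returned entries whose memberOf lists group_dn (case-insensitive)."""
    want = group_dn.lower()
    return sorted(entry["uid"][0] for entry in parse_ldif(ldif_text)
                  if any(m.lower() == want for m in entry.get("memberof", [])))


def verify_group_filter(ldif_text, group_dn, expected_uids):
    """Compare who the filter actually returned with who should be allowed in.

    Returns (ok, unexpected, missing): an unexpected uid means the filter is
    too broad; a missing one means the group, DN or membership is wrong.
    """
    got = set(member_uids(ldif_text, group_dn))
    expected = set(expected_uids)
    return got == expected, sorted(got - expected), sorted(expected - got)


if __name__ == "__main__":
    print(verify_group_filter(SAMPLE_LDIF, GROUP_DN, ["happy.developer"]))
```

In practice the LDIF is read from the ldapsearch command's stdout instead of the embedded sample; the point of comparing against an explicit expected list is to catch a filter that is too broad (extra uids) as well as one that is wrong (missing uids) before it reaches gitlab.rb.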