Operating system: CentOS 6.8
Account used: root
Install GitLab CE
Create or edit /etc/yum.repos.d/gitlab-ce.repo and fill in the following:
[gitlab-ce]
name=gitlab-ce
baseurl=http://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el6
# 0 turns off signature checks on the repository metadata and on the RPMs;
# with gpgcheck=1 yum verifies every package against the gpgkey below
repo_gpgcheck=0
gpgcheck=0
enabled=1
gpgkey=https://packages.gitlab.com/gpg.key
Run the installation commands:
yum makecache
yum install gitlab-ce
Start Postfix (a GitLab dependency) and open the firewall for HTTP and SSH:
service postfix start
chkconfig postfix on
lokkit -s http -s ssh
Start GitLab CE:
gitlab-ctl reconfigure
gitlab-ctl start
Access GitLab CE:
# port 80 by default
http://IP/
Install OpenLDAP
Run the installation command:
yum install -y openldap-*
Copy the template configuration files:
cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
Edit /etc/openldap/slapd.conf and initialise the following settings as required:
- Between a parameter and its value the separator is a space followed by a Tab, not a plain space or a Tab alone.
database bdb
suffix "dc=huangzhongzhang,dc=cn"
checkpoint 1024 15
rootdn "cn=hzz,dc=huangzhongzhang,dc=cn"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# Generate the hashed password with the slappasswd command
rootpw {SSHA}UfJQm6wGviLw2yw8XcYozyphWJOwlLWy
# Add the log level
loglevel Stats
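The rootpw line holds a salted SHA-1 hash as written by slappasswd, and slapd checks a simple bind by hashing the presented password with the salt stored inside that value, so the hash string itself is never accepted as a password; the bind password that GitLab is later given in gitlab.rb therefore has to be the cleartext password of the rootdn, not this hash. The following Python is an added example (not code from the original post) that re-implements the {SSHA} and {SHA} schemes with hashlib; every password and salt in it is constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 {SSHA} value the way `slappasswd -h {SSHA}` does:
    base64( SHA1(password + salt) + salt ) with a random 4-byte salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA} value, the scheme used for userPassword in test.ldif."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a presented password against a stored rootpw/userPassword value the
    way slapd does for a simple bind. The scheme tag is case-insensitive
    ({sha} and {SHA} are the same scheme); a value without a tag is cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, encoded = stored[1:].split("}", 1)
        scheme = scheme.upper()
        raw = base64.b64decode(encoded)
        if scheme == "SSHA":
            digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
            candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        elif scheme == "SHA":
            digest = raw
            candidate = hashlib.sha1(password.encode("utf-8")).digest()
        else:
            return False  # other schemes ({MD5}, {CRYPT}, ...) are not modelled here
        return hmac.compare_digest(candidate, digest)
    return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))


def bind_outcomes(rootdn_password: str) -> dict:
    """What a simple bind as the rootdn gets for three presented values: the real
    password, the stored hash pasted in as if it were the password, and an
    unrelated string. The salt is fixed only to keep the demo reproducible."""
    stored = ssha_hash(rootdn_password, salt=b"\x01\x02\x03\x04")  # constructed salt
    return {
        "stored_value": stored,
        "cleartext_password": verify_userpassword(rootdn_password, stored),
        "hash_as_password": verify_userpassword(stored, stored),
        "unrelated": verify_userpassword("not-the-password", stored),
    }


if __name__ == "__main__":
    for key, value in bind_outcomes("constructed-example-password").items():
        print(f"{key}: {value}")
```

Only cleartext_password comes back True: presenting the stored {SSHA} string as the password is just another wrong password, which is what happens when the hash is copied into the password: field of gitlab.rb.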
Edit /etc/openldap/ldap.conf and adjust the following to match your setup:
- Between a parameter and its value the separator is a space followed by a Tab, not a plain space or a Tab alone.
BASE dc=huangzhongzhang,dc=cn
URI ldap://:389
Edit /etc/rsyslog.conf and add a log destination (slapd logs to the local4 syslog facility by default):
local4.* /var/slapd.log
Create the log file and restart the logging service:
touch /var/slapd.log
/etc/init.d/rsyslog restart
Check the slapd.conf configuration:
slaptest -f /etc/openldap/slapd.conf
Write the slapd.conf configuration into cn=config:
rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap
Start OpenLDAP:
service slapd restart
Create the root entries (the base DN and the rootdn entry):
# entries in an LDIF file are separated by a blank line
echo "
dn: dc=huangzhongzhang,dc=cn
objectClass: dcObject
objectClass: organization
dc: huangzhongzhang
o: huangzhongzhang.cn

dn: cn=hzz,dc=huangzhongzhang,dc=cn
objectClass: organizationalRole
cn: hzz
" > /etc/openldap/root.ldif
ldapadd -H ldap://:389 -x -D "cn=hzz,dc=huangzhongzhang,dc=cn" -W -f /etc/openldap/root.ldif
Create the test user:
echo "
dn: uid=test,dc=huangzhongzhang,dc=cn
userPassword: {sha}fEqNCco3Yq9h5ZUglD3CZJT4lBs=
objectClass: inetOrgPerson
sn: t
uid: test
mail: test@huangzhongzhang.cn
cn: 测试帐号
" > /etc/openldap/test.ldif
ldapadd -H ldap://:389 -x -D "cn=hzz,dc=huangzhongzhang,dc=cn" -W -f /etc/openldap/test.ldif
Integrate OpenLDAP with GitLab
Update /etc/gitlab/gitlab.rb as required:
## For setting up LDAP
## see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#setting-up-ldap-sign-in
## Be careful not to break the indentation in the ldap_servers block. It is in
## yaml format and the spaces must be retained. Using tabs will not work.
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '127.0.0.1'
    port: 389
    uid: 'uid'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'cn=hzz,dc=huangzhongzhang,dc=cn'
    # the cleartext password of bind_dn (the password that was given to slappasswd);
    # the {SSHA} hash stored in rootpw cannot be used here, slapd compares the bind password against it
    password: '_the_cleartext_password_of_the_bind_dn'
    active_directory: false # OpenLDAP is not Active Directory; true enables AD-specific queries
    allow_username_or_email_login: true
    block_auto_created_users: false
    base: 'dc=huangzhongzhang,dc=cn'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
  #   ## EE only
  #   group_base: ''
  #   admin_group: ''
  #   sync_ssh_keys: false
  #
  # secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
  #   label: 'LDAP'
  #   host: '_your_ldap_server'
  #   port: 389
  #   uid: 'sAMAccountName'
  #   method: 'plain' # "tls" or "ssl" or "plain"
  #   bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
  #   password: '_the_password_of_the_bind_user'
  #   active_directory: true
  #   allow_username_or_email_login: false
  #   block_auto_created_users: false
  #   base: ''
  #   user_filter: ''
  #   attributes:
  #     username: ['uid', 'userid', 'sAMAccountName']
  #     email: ['mail', 'email', 'userPrincipalName']
  #     name: 'cn'
  #     first_name: 'givenName'
  #     last_name: 'sn'
  #   ## EE only
  #   group_base: ''
  #   admin_group: ''
  #   sync_ssh_keys: false
EOS
Reload the GitLab configuration:
gitlab-ctl reconfigure
Once the reload has finished, an LDAP tab appears on the GitLab login page and the test user can log in there.
Summary
The /etc/gitlab/gitlab.rb configuration shows which attributes GitLab reads from OpenLDAP:
attributes:
  # user name
  username: ['uid', 'userid', 'sAMAccountName']
  # e-mail address
  email: ['mail', 'email', 'userPrincipalName']
  # display name
  name: 'cn'
  # first (given) name
  first_name: 'givenName'
  # last name (surname)
  last_name: 'sn'
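Two details of the test.ldif step earlier and of the attribute list just shown are easy to get wrong: RFC 2849 requires an LDIF value containing non-ASCII text, such as cn: 测试帐号, to be written base64-encoded on a cn:: line, and entries must be separated by a blank line; and GitLab fills each field from the first attribute in its list that the entry actually has, so the test user, which has no givenName, gives GitLab an empty first_name. The Python below is an added example, not code from the original post or from GitLab: it writes and parses small LDIF documents and resolves the attribute mapping from the ldap_servers block. The entries in it are constructed copies of the ones above, and the userPassword value is a made-up {SHA} hash, not the one on the page.

```python
import base64

# Attribute lookup order GitLab uses, copied from the ldap_servers block.
GITLAB_ATTRIBUTES = {
    "username": ["uid", "userid", "sAMAccountName"],
    "email": ["mail", "email", "userPrincipalName"],
    "name": ["cn"],
    "first_name": ["givenName"],
    "last_name": ["sn"],
}


def needs_base64(value: str) -> bool:
    """RFC 2849: write 'attr:: <base64>' when the value starts with a space,
    ':' or '<', or contains a non-ASCII, NUL, CR or LF character."""
    if value and value[0] in " :<":
        return True
    return any(ord(ch) > 127 or ch in "\0\r\n" for ch in value)


def ldif_line(attr: str, value: str) -> str:
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def ldif_entry(dn: str, attrs) -> str:
    """attrs is a list of (attribute, value) pairs so that multi-valued
    attributes such as objectClass keep their order."""
    lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def ldif_document(entries) -> str:
    """Entries are separated by one blank line; without it the second 'dn:'
    is read as an attribute of the first entry and the file is rejected."""
    return "\n".join(entries)


def parse_ldif(text: str) -> list:
    """Parse a small LDIF document into [{'dn': str, 'attrs': {attr: [values]}}]."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if line.strip() == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, rest = line.split(":", 1)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr == "dn":
            if current is not None:
                raise ValueError("second 'dn:' line without a blank line before it")
            current = {"dn": value, "attrs": {}}
            continue
        if current is None:
            raise ValueError(f"attribute {attr!r} appears before any 'dn:' line")
        current["attrs"].setdefault(attr, []).append(value)
    return entries


def gitlab_view(attrs: dict) -> dict:
    """Resolve each GitLab field to the first listed attribute the entry carries
    (LDAP attribute names are case-insensitive). None means GitLab gets nothing."""
    lowered = {name.lower(): values for name, values in attrs.items()}
    view = {}
    for field, candidates in GITLAB_ATTRIBUTES.items():
        hit = next((c for c in candidates if c.lower() in lowered), None)
        view[field] = lowered[hit.lower()][0] if hit else None
    return view


# Constructed copy of the test user from test.ldif; the userPassword is a
# made-up {SHA} value, not the one on the page.
TEST_USER = ldif_entry("uid=test,dc=huangzhongzhang,dc=cn", [
    ("objectClass", "inetOrgPerson"),
    ("uid", "test"),
    ("sn", "t"),
    ("mail", "test@huangzhongzhang.cn"),
    ("cn", "测试帐号"),
    ("userPassword", "{SHA}qZk+NkcGgWq6PiVxeFDCbJzQ2J0="),
])


def what_gitlab_sees(ldif_text: str) -> list:
    """Parse an LDIF document and return (dn, gitlab_view) for each entry."""
    return [(e["dn"], gitlab_view(e["attrs"])) for e in parse_ldif(ldif_text)]


if __name__ == "__main__":
    print(TEST_USER)
    for dn, view in what_gitlab_sees(TEST_USER):
        print(dn, view)
```

Running it prints the test user with its cn on a cn:: line and shows first_name resolving to None; adding a givenName attribute to the entry is what fills that field.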
If a user newly created in OpenLDAP has the same e-mail address as an existing GitLab user, logging in via LDAP lands directly in that existing GitLab user: effectively one person with two accounts in use at the same time, and even if the original GitLab user is blocked, login through OpenLDAP still works.
If the user holding the two accounts is deleted from GitLab, or the user never existed in GitLab, logging in with the OpenLDAP account automatically creates a new user.