Configuring GitLab Sign-in with OpenLDAP

Operating system: CentOS 6.8
Account used: root

Installing GitLab CE

Create or edit /etc/yum.repos.d/gitlab-ce.repo with the following content:

[gitlab-ce]
name=gitlab-ce
baseurl=http://mirrors.tuna.tsinghua.edu.cn/gitlab-ce/yum/el6
repo_gpgcheck=0
gpgcheck=0
enabled=1
gpgkey=https://packages.gitlab.com/gpg.key

Run the install commands:

yum makecache
yum install gitlab-ce

Install the dependencies and start Postfix (the `yum` in the first command was lost from the original listing):

yum install curl openssh-server openssh-clients postfix cronie
service postfix start
chkconfig postfix on
lokkit -s http -s ssh

Start GitLab CE:

gitlab-ctl reconfigure
gitlab-ctl start

Access GitLab CE:

# port 80 by default
http://IP/

Installing OpenLDAP

Run the install command:

yum install -y openldap-*

Copy the template configuration files:

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Edit /etc/openldap/slapd.conf and initialise the following entries to suit your environment:

  • Between a parameter and its value use a space followed by a Tab, not just a space or just a Tab
database        bdb
suffix "dc=huangzhongzhang,dc=cn"
checkpoint 1024 15
rootdn "cn=hzz,dc=huangzhongzhang,dc=cn"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# Generate the hashed password with the slappasswd command
rootpw {SSHA}UfJQm6wGviLw2yw8XcYozyphWJOwlLWy

# Log output level
loglevel Stats

Edit /etc/openldap/ldap.conf and adjust the following to match your setup:

  • Between a parameter and its value use a space followed by a Tab, not just a space or just a Tab
BASE    dc=huangzhongzhang,dc=cn
URI ldap://:389

Edit /etc/rsyslog.conf and add the log output destination:

local4.*                                                /var/slapd.log

Create the log file and restart the logging service:

touch /var/slapd.log
/etc/init.d/rsyslog restart

Check the slapd.conf configuration:

slaptest -f /etc/openldap/slapd.conf

Write the slapd.conf configuration into cn=config:

rm -rf /etc/openldap/slapd.d/*
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
chown -R ldap.ldap /etc/openldap

Start OpenLDAP:

service slapd restart

Create the root entries (the base DC and the rootdn entry):

echo "
dn: dc=huangzhongzhang,dc=cn
objectClass: dcObject
objectClass: organization
dc: huangzhongzhang
o: huangzhongzhang.cn

dn: cn=hzz,dc=huangzhongzhang,dc=cn
objectClass: organizationalRole
cn: hzz
" > /etc/openldap/root.ldif

ldapadd -H ldap://:389 -x -D "cn=hzz,dc=huangzhongzhang,dc=cn" -W -f /etc/openldap/root.ldif

Create the test user:

echo "
dn: uid=test,dc=huangzhongzhang,dc=cn
userPassword: {sha}fEqNCco3Yq9h5ZUglD3CZJT4lBs=
objectClass: inetOrgPerson
sn: t
uid: test
mail: test@huangzhongzhang.cn
cn: 测试帐号
" > /etc/openldap/test.ldif

ldapadd -H ldap://:389 -x -D "cn=hzz,dc=huangzhongzhang,dc=cn" -W -f /etc/openldap/test.ldif
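The rootpw above is an {SSHA} value produced by slappasswd, while the test user's userPassword is an unsalted {SHA} value. As an added example (not part of the original post), the following code generates both RFC 2307 formats and verifies a cleartext password against a stored value, which is handy for checking an LDIF before loading it:

```python
import base64
import hashlib
import hmac
import os

# Added example: generate and verify the RFC 2307 userPassword formats used in
# this post, {SSHA} (salted, what slappasswd emits for rootpw) and {SHA}
# (unsalted, as in the test user's LDIF). Function names are our own.

def make_ssha(password, salt=None):
    """'{SSHA}' + base64(sha1(password + salt) + salt), as slappasswd -h {SSHA} does."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def make_sha(password):
    """'{SHA}' + base64(sha1(password)); unsalted, so equal passwords give equal values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def verify_userpassword(stored, password):
    """Check a cleartext password against a stored {SSHA}/{SHA} value (scheme tag is case-insensitive)."""
    scheme, _, b64 = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(b64)
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    raise ValueError("unsupported password scheme: %r" % scheme)

if __name__ == "__main__":
    print(make_ssha("example-only"))  # fresh salt each run, so the output differs every time
```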

Integrating OpenLDAP with GitLab

Update /etc/gitlab/gitlab.rb as needed:

## For setting up LDAP
## see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#setting-up-ldap-sign-in
## Be careful not to break the indentation in the ldap_servers block. It is in
## yaml format and the spaces must be retained. Using tabs will not work.

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '127.0.0.1'
    port: 389
    uid: 'uid'
    method: 'plain' # "tls" or "ssl" or "plain"; 'plain' sends the bind password unencrypted, acceptable here only because slapd runs on the same host
    bind_dn: 'cn=hzz,dc=huangzhongzhang,dc=cn'
    # must be the cleartext password of the bind DN; the {SSHA} hash from slapd.conf will not authenticate
    password: '_the_cleartext_password_of_the_bind_dn_'
    active_directory: false # OpenLDAP is not Active Directory; true enables AD-specific handling
    allow_username_or_email_login: true
    block_auto_created_users: false
    base: 'dc=huangzhongzhang,dc=cn'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
    # ## EE only
    # group_base: ''
    # admin_group: ''
    # sync_ssh_keys: false
  #
  # secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
  #   label: 'LDAP'
  #   host: '_your_ldap_server'
  #   port: 389
  #   uid: 'sAMAccountName'
  #   method: 'plain' # "tls" or "ssl" or "plain"
  #   bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
  #   password: '_the_password_of_the_bind_user'
  #   active_directory: true
  #   allow_username_or_email_login: false
  #   block_auto_created_users: false
  #   base: ''
  #   user_filter: ''
  #   attributes:
  #     username: ['uid', 'userid', 'sAMAccountName']
  #     email: ['mail', 'email', 'userPrincipalName']
  #     name: 'cn'
  #     first_name: 'givenName'
  #     last_name: 'sn'
  #   ## EE only
  #   group_base: ''
  #   admin_group: ''
  #   sync_ssh_keys: false
EOS

Reload the GitLab configuration:

gitlab-ctl reconfigure

After the reload completes, an LDAP tab appears on the GitLab login page and the test user can sign in.

[Figure: GitLab login page with the OpenLDAP tab]

[Figure: GitLab profile of the OpenLDAP user]

Summary

From the /etc/gitlab/gitlab.rb configuration we can see which attributes GitLab reads from OpenLDAP:

attributes:
  # username
  username: ['uid', 'userid', 'sAMAccountName']
  # email address
  email: ['mail', 'email', 'userPrincipalName']
  # display name
  name: 'cn'
  # given name
  first_name: 'givenName'
  # surname
  last_name: 'sn'

If a newly created OpenLDAP user has the same email as an existing GitLab user, signing in lands directly on that existing GitLab user, effectively one person using two accounts at once; even if the original GitLab user is blocked, signing in from OpenLDAP still works.

If the user holding both accounts is deleted from GitLab, or the user does not exist in GitLab at all, signing in with the OpenLDAP account creates a new GitLab user automatically.
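As an added example (not part of the original post), the code below applies the attributes mapping from gitlab.rb to LDIF entries the way GitLab resolves them (the first listed attribute the entry carries wins), and then audits which LDAP entries resolve to an email that an existing GitLab account already uses, since those sign-ins attach to the existing account as described above. The sample LDIF and the GitLab account list are constructed for the example; the function names are our own.

```python
# Added example: resolve GitLab user fields from LDAP entries with the
# attributes mapping above, then flag email collisions with existing GitLab
# accounts (such logins attach to the existing account rather than creating one).
ATTRIBUTES = {  # the attributes: block from gitlab.rb above
    "username": ["uid", "userid", "sAMAccountName"],
    "email": ["mail", "email", "userPrincipalName"],
    "name": "cn", "first_name": "givenName", "last_name": "sn",
}
# Constructed sample data: the post's test entry, a second invented user, and an existing-account list.
SAMPLE_LDIF = """dn: uid=test,dc=huangzhongzhang,dc=cn
uid: test
sn: t
mail: test@huangzhongzhang.cn

dn: uid=alice,dc=huangzhongzhang,dc=cn
userid: alice
givenName: Alice
sn: Liddell
mail: Alice@huangzhongzhang.cn
"""
EXISTING_GITLAB_USERS = [{"username": "alice", "email": "alice@huangzhongzhang.cn", "blocked": True}]

def parse_ldif(text):
    """Minimal LDIF reader (entries separated by blank lines) -> list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")  # base64 ('::') values are not handled here
        cur.setdefault(key.strip().lower(), []).append(value.strip())  # attribute names are case-insensitive
    return entries

def resolve_identity(entry, attributes=ATTRIBUTES):
    """Map one entry to GitLab's user fields; None where none of the listed attributes is present."""
    out = {}
    for field, candidates in attributes.items():
        names = [candidates] if isinstance(candidates, str) else candidates
        out[field] = next((entry[n.lower()][0] for n in names if n.lower() in entry), None)
    return out

def find_email_collisions(ldif_text, existing_users):
    """Return (dn, gitlab username, blocked) for entries whose email matches an existing GitLab user."""
    by_email = {u["email"].lower(): u for u in existing_users}
    hits = []
    for entry in parse_ldif(ldif_text):
        email = resolve_identity(entry)["email"]
        if email and email.lower() in by_email:
            hits.append((entry["dn"][0], by_email[email.lower()]["username"], by_email[email.lower()]["blocked"]))
    return hits
```

Running `find_email_collisions` over a full LDIF export before enabling LDAP sign-in shows exactly which existing accounts, blocked ones included, LDAP users would be able to attach to.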