Setup Gitlab CE with Active Directory authentication

Looking to configure Gitlab so that it will authenticate against your AD servers? Here’s a quick overview of setting it up, which will help you avoid some common “gotchas”:


1) Create a user in Active Directory to perform LDAP queries

Don’t configure Gitlab to perform LDAP queries using an administrator account. Instead, setup a new user with no domain privileges:

  • Log onto your domain controller, and load Active Directory User and Computers
  • Create a new group called “NoPermissions”
  • Create a new user called “ldapsearch”
  • Edit the “ldapsearch” user groups. Set the default group to “NoPermissions”, and remove the user from the “Domain User” group.

2) Edit your Gitlab Omnibus configuration

On your Gitlab server, edit your Gitlab configuration file:

nano /etc/gitlab/gitlab.rb

And add the following settings:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
: 'ActiveDirectory'
: 389 #Change to 636 if using LDAPS
: 'plain' # Change to "tls" if using LDAPS
: 'sAMAccountName' # Don't change this
: 'CN=ldapsearch,CN=Users,DC=CORP,DC=COM'
: 10
: true
: false
: false
# Optional: the next line specifies that only members of the user group "gitlab-users" can authenticate to Gitlab:
#user_filter: '(memberOf:1.2.840.113556.1.4.1941:=CN=GITLAB-USERS,CN=Users,DC=CORP,DC=COM)'

NOTE: The configuration file is spacing sensitive! There must be:

  • One space before “main”
  • Two spaces before each attribute below “main”
  • No spaces before “EOS”

Save the configuration, and reload your Gitlab config:

gitlab-ctl reconfigure

Next, test your LDAP connection to your AD server:

gitlab-rake gitlab:ldap:check

You should see results like this:

Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
DN: CN=Test User,CN=Users,DC=corp,DC=com sAMAccountName: testuser
Checking LDAP ... Finished


3) Troubleshooting

  • Can you connect to the LDAP port on the AD server from your Gitlab server? Try: telnet 389
  • Do you have the correct distinguished name (DN) for your ldapsearch user and base DN? Use the LDAP Admin tool to verify the distinguished names.
  • Does the configuration file use the correct YAML spacing, as mentioned above?

AWS Consulting

Casey Labs provides AWS consulting for growing companies, helping them to build secure server infrastructure in the cloud.

Contact us today: [email protected]