Add documentation for Google Secure LDAP
As of 11.9 GitLab supports Google Secure LDAP for authentication and group sync. This documentation outlines how to configure the service. Rename file
parent 14bbc9362a
commit 1a0856ea97
@ -0,0 +1,207 @@
# Google Secure LDAP **[CORE ONLY]**

> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/46391) in GitLab 11.9.

[Google Cloud Identity](https://cloud.google.com/identity/) provides a Secure
LDAP service that can be configured with GitLab for authentication and group sync.

Secure LDAP requires a slightly different configuration than standard LDAP servers.
The steps below cover:

- Configuring the Secure LDAP Client in the Google Admin console.
- Required GitLab configuration.

## Configuring Google LDAP client

1. Navigate to https://admin.google.com and sign in as a GSuite domain administrator.

1. Go to **Apps > LDAP > Add Client**.

1. Provide an `LDAP client name` and an optional `Description`. Any descriptive
values are acceptable. For example, the name could be 'GitLab' and the
description could be 'GitLab LDAP Client'. Click the **Continue** button.

![Add LDAP Client Step 1](img/google_secure_ldap_add_step_1.png)

1. Set **Access Permission** according to your needs. You must choose either
'Entire domain (GitLab)' or 'Selected organizational units' for both 'Verify user
credentials' and 'Read user information'. Select 'Add LDAP Client'

TIP: **Tip:** If you plan to use GitLab [LDAP Group Sync](https://docs.gitlab.com/ee/administration/auth/ldap-ee.html#group-sync)
, turn on 'Read group information'.

![Add LDAP Client Step 2](img/google_secure_ldap_add_step_2.png)

1. Download the generated certificate. This is required for GitLab to
communicate with the Google Secure LDAP service. Save the downloaded certificates
for later use. After downloading, click the **Continue to Client Details** button.

1. Expand the **Service Status** section and turn the LDAP client 'ON for everyone'.
After selecting 'Save', click on the 'Service Status' bar again to collapse
and return to the rest of the settings.

1. Expand the **Authentication** section and choose 'Generate New Credentials'.
Copy/note these credentials for later use. After selecting 'Close', click
on the 'Authentication' bar again to collapse and return to the rest of the settings.

Now the Google Secure LDAP Client configuration is finished. The screenshot below
shows an example of the final settings. Continue on to configure GitLab.

![LDAP Client Settings](img/google_secure_ldap_client_settings.png)

## Configuring GitLab

Edit GitLab configuration, inserting the access credentials and certificate
obtained earlier.

The following are the configuration keys that need to be modified using the
values obtained during the LDAP client configuration earlier:

- `bind_dn`: The access credentials username
- `password`: The access credentials password
- `cert`: The `.crt` file text from the downloaded certificate bundle
- `key`: The `.key` file text from the downloaded certificate bundle

**For Omnibus installations**

1. Edit `/etc/gitlab/gitlab.rb`:

```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'Google Secure LDAP'

host: 'ldap.google.com'
port: 636
uid: 'uid'
bind_dn: 'DizzyHorse'
password: 'd6V5H8nhMUW9AuDP25abXeLd'
encryption: 'simple_tls'
verify_certificates: true

tls_options:
cert: |
-----BEGIN CERTIFICATE-----
MIIDbDCCAlSgAwIBAgIGAWlzxiIfMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAzMTIyMTE5
MThaFw0yMjAzMTEyMTE5MThaMHcxFDASBgNVBAoTC0dvb2dsZSBJbmMuMRYwFAYDVQQHEw1Nb3Vu
dGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UECxMGR1N1aXRlMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALOTy4aC38dyjESk6N8fRsKk8DN23ZX/GaNFL5OUmmA1KWzrvVC881OzNdtGm3vNOIxr9clteEG/
tQwsmsJvQT5U+GkBt+tGKF/zm7zueHUYqTP7Pg5pxAnAei90qkIRFi17ulObyRHPYv1BbCt8pxNB
4fG/gAXkFbCNxwh1eiQXXRTfruasCZ4/mHfX7MVm8JmWU9uAVIOLW+DSWOFhrDQduJdGBXJOyC2r
Gqoeg9+tkBmNH/jjxpnEkFW8q7io9DdOUqqNgoidA1h9vpKTs3084sy2DOgUvKN9uXWx14uxIyYU
Y1DnDy0wczcsuRt7l+EgtCEgpsLiLJQbKW+JS1UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAf60J
yazhbHkDKIH2gFxfm7QLhhnqsmafvl4WP7JqZt0u0KdnvbDPfokdkM87yfbKJU1MTI86M36wEC+1
P6bzklKz7kXbzAD4GggksAzxsEE64OWHC+Y64Tkxq2NiZTw/76POkcg9StiIXjG0ZcebHub9+Ux/
rTncip92nDuvgEM7lbPFKRIS/YMhLCk09B/U0F6XLsf1yYjyf5miUTDikPkov23b/YGfpc8kh6hq
1kqdi6a1cYPP34eAhtRhMqcZU9qezpJF6s9EeN/3YFfKzLODFSsVToBRAdZgGHzj//SAtLyQTD4n
KCSvK1UmaMxNaZyTHg8JnMf0ZuRpv26iSg==
-----END CERTIFICATE-----

key: |
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzk8uGgt/HcoxEpOjfH0bCpPAz
dt2V/xmjRS+TlJpgNSls671QvPNTszXbRpt7zTiMa/XJbXhBv7UMLJrCb0E+VPhpAbfrRihf85u8
7nh1GKkz+z4OacQJwHovdKpCERYte7pTm8kRz2L9QWwrfKcTQeHxv4AF5BWwjccIdXokF10U367m
rAmeP5h31+zFZvCZllPbgFSDi1vg0ljhYaw0HbiXRgVyTsgtqxqqHoPfrZAZjR/448aZxJBVvKu4
qPQ3TlKqjYKInQNYfb6Sk7N9POLMtgzoFLyjfbl1sdeLsSMmFGNQ5w8tMHM3LLkbe5fhILQhIKbC
4iyUGylviUtVAgMBAAECggEAIPb0CQy0RJoX+q/lGbRVmnyJpYDf+115WNnl+mrwjdGkeZyqw4v0
BPzkWYzUFP1esJRO6buBNFybQRFdFW0z5lvVv/zzRKq71aVUBPInxaMRyHuJ8D5lIL8nDtgVOwyE
7DOGyDtURUMzMjdUwoTe7K+O6QBU4X/1pVPZYgmissYSMmt68LiP8k0p601F4+r5xOi/QEy44aVp
aOJZBUOisKB8BmUXZqmQ4Cy05vU9Xi1rLyzkn9s7fxnZ+JO6Sd1r0Thm1mE0yuPgxkDBh/b4f3/2
GsQNKKKCiij/6TfkjnBi8ZvWR44LnKpu760g/K7psVNrKwqJG6C/8RAcgISWQQKBgQDop7BaKGhK
1QMJJ/vnlyYFTucfGLn6bM//pzTys5Gop0tpcfX/Hf6a6Dd+zBhmC3tBmhr80XOX/PiyAIbc0lOI
31rafZuD/oVx5mlIySWX35EqS14LXmdVs/5vOhsInNgNiE+EPFf1L9YZgG/zA7OUBmqtTeYIPDVC
7ViJcydItQKBgQDFmK0H0IA6W4opGQo+zQKhefooqZ+RDk9IIZMPOAtnvOM7y3rSVrfsSjzYVuMS
w/RP/vs7rwhaZejnCZ8/7uIqwg4sdUBRzZYR3PRNFeheW+BPZvb+2keRCGzOs7xkbF1mu54qtYTa
HZGZj1OsD83AoMwVLcdLDgO1kw32dkS8IQKBgFRdgoifAHqqVah7VFB9se7Y1tyi5cXWsXI+Wufr
j9U9nQ4GojK52LqpnH4hWnOelDqMvF6TQTyLIk/B+yWWK26Ft/dk9wDdSdystd8L+dLh4k0Y+Whb
+lLMq2YABw+PeJUnqdYE38xsZVHoDjBsVjFGRmbDybeQxauYT7PACy3FAoGBAK2+k9bdNQMbXp7I
j8OszHVkJdz/WXlY1cmdDAxDwXOUGVKIlxTAf7TbiijILZ5gg0Cb+hj+zR9/oI0WXtr+mAv02jWp
W8cSOLS4TnBBpTLjIpdu+BwbnvYeLF6MmEjNKEufCXKQbaLEgTQ/XNlchBSuzwSIXkbWqdhM1+gx
EjtBAoGARAdMIiDMPWIIZg3nNnFebbmtBP0qiBsYohQZ+6i/8s/vautEHBEN6Q0brIU/goo+nTHc
t9VaOkzjCmAJSLPUanuBC8pdYgLu5J20NXUZLD9AE/2bBT3OpezKcdYeI2jqoc1qlWHlNtVtdqQ2
AcZSFJQjdg5BTyvdEDhaYUKGdRw=
-----END PRIVATE KEY-----
EOS
```

1. Save the file and [reconfigure] GitLab for the changes to take effect.

---

**For installations from source**

1. Edit `config/gitlab.yml`:

```yaml
ldap:
enabled: true
servers:
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'Google Secure LDAP'

host: 'ldap.google.com'
port: 636
uid: 'uid'
bind_dn: 'DizzyHorse'
password: 'd6V5H8nhMUW9AuDP25abXeLd'
encryption: 'simple_tls'
verify_certificates: true

tls_options:
cert: |
-----BEGIN CERTIFICATE-----
MIIDbDCCAlSgAwIBAgIGAWlzxiIfMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAzMTIyMTE5
MThaFw0yMjAzMTEyMTE5MThaMHcxFDASBgNVBAoTC0dvb2dsZSBJbmMuMRYwFAYDVQQHEw1Nb3Vu
dGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UECxMGR1N1aXRlMQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALOTy4aC38dyjESk6N8fRsKk8DN23ZX/GaNFL5OUmmA1KWzrvVC881OzNdtGm3vNOIxr9clteEG/
tQwsmsJvQT5U+GkBt+tGKF/zm7zueHUYqTP7Pg5pxAnAei90qkIRFi17ulObyRHPYv1BbCt8pxNB
4fG/gAXkFbCNxwh1eiQXXRTfruasCZ4/mHfX7MVm8JmWU9uAVIOLW+DSWOFhrDQduJdGBXJOyC2r
Gqoeg9+tkBmNH/jjxpnEkFW8q7io9DdOUqqNgoidA1h9vpKTs3084sy2DOgUvKN9uXWx14uxIyYU
Y1DnDy0wczcsuRt7l+EgtCEgpsLiLJQbKW+JS1UCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAf60J
yazhbHkDKIH2gFxfm7QLhhnqsmafvl4WP7JqZt0u0KdnvbDPfokdkM87yfbKJU1MTI86M36wEC+1
P6bzklKz7kXbzAD4GggksAzxsEE64OWHC+Y64Tkxq2NiZTw/76POkcg9StiIXjG0ZcebHub9+Ux/
rTncip92nDuvgEM7lbPFKRIS/YMhLCk09B/U0F6XLsf1yYjyf5miUTDikPkov23b/YGfpc8kh6hq
1kqdi6a1cYPP34eAhtRhMqcZU9qezpJF6s9EeN/3YFfKzLODFSsVToBRAdZgGHzj//SAtLyQTD4n
KCSvK1UmaMxNaZyTHg8JnMf0ZuRpv26iSg==
-----END CERTIFICATE-----

key: |
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCzk8uGgt/HcoxEpOjfH0bCpPAz
dt2V/xmjRS+TlJpgNSls671QvPNTszXbRpt7zTiMa/XJbXhBv7UMLJrCb0E+VPhpAbfrRihf85u8
7nh1GKkz+z4OacQJwHovdKpCERYte7pTm8kRz2L9QWwrfKcTQeHxv4AF5BWwjccIdXokF10U367m
rAmeP5h31+zFZvCZllPbgFSDi1vg0ljhYaw0HbiXRgVyTsgtqxqqHoPfrZAZjR/448aZxJBVvKu4
qPQ3TlKqjYKInQNYfb6Sk7N9POLMtgzoFLyjfbl1sdeLsSMmFGNQ5w8tMHM3LLkbe5fhILQhIKbC
4iyUGylviUtVAgMBAAECggEAIPb0CQy0RJoX+q/lGbRVmnyJpYDf+115WNnl+mrwjdGkeZyqw4v0
BPzkWYzUFP1esJRO6buBNFybQRFdFW0z5lvVv/zzRKq71aVUBPInxaMRyHuJ8D5lIL8nDtgVOwyE
7DOGyDtURUMzMjdUwoTe7K+O6QBU4X/1pVPZYgmissYSMmt68LiP8k0p601F4+r5xOi/QEy44aVp
aOJZBUOisKB8BmUXZqmQ4Cy05vU9Xi1rLyzkn9s7fxnZ+JO6Sd1r0Thm1mE0yuPgxkDBh/b4f3/2
GsQNKKKCiij/6TfkjnBi8ZvWR44LnKpu760g/K7psVNrKwqJG6C/8RAcgISWQQKBgQDop7BaKGhK
1QMJJ/vnlyYFTucfGLn6bM//pzTys5Gop0tpcfX/Hf6a6Dd+zBhmC3tBmhr80XOX/PiyAIbc0lOI
31rafZuD/oVx5mlIySWX35EqS14LXmdVs/5vOhsInNgNiE+EPFf1L9YZgG/zA7OUBmqtTeYIPDVC
7ViJcydItQKBgQDFmK0H0IA6W4opGQo+zQKhefooqZ+RDk9IIZMPOAtnvOM7y3rSVrfsSjzYVuMS
w/RP/vs7rwhaZejnCZ8/7uIqwg4sdUBRzZYR3PRNFeheW+BPZvb+2keRCGzOs7xkbF1mu54qtYTa
HZGZj1OsD83AoMwVLcdLDgO1kw32dkS8IQKBgFRdgoifAHqqVah7VFB9se7Y1tyi5cXWsXI+Wufr
j9U9nQ4GojK52LqpnH4hWnOelDqMvF6TQTyLIk/B+yWWK26Ft/dk9wDdSdystd8L+dLh4k0Y+Whb
+lLMq2YABw+PeJUnqdYE38xsZVHoDjBsVjFGRmbDybeQxauYT7PACy3FAoGBAK2+k9bdNQMbXp7I
j8OszHVkJdz/WXlY1cmdDAxDwXOUGVKIlxTAf7TbiijILZ5gg0Cb+hj+zR9/oI0WXtr+mAv02jWp
W8cSOLS4TnBBpTLjIpdu+BwbnvYeLF6MmEjNKEufCXKQbaLEgTQ/XNlchBSuzwSIXkbWqdhM1+gx
EjtBAoGARAdMIiDMPWIIZg3nNnFebbmtBP0qiBsYohQZ+6i/8s/vautEHBEN6Q0brIU/goo+nTHc
t9VaOkzjCmAJSLPUanuBC8pdYgLu5J20NXUZLD9AE/2bBT3OpezKcdYeI2jqoc1qlWHlNtVtdqQ2
AcZSFJQjdg5BTyvdEDhaYUKGdRw=
-----END PRIVATE KEY-----
```

1. Save the file and [restart] GitLab for the changes to take effect.


[reconfigure]: ../restart_gitlab.md#omnibus-gitlab-reconfigure
[restart]: ../restart_gitlab.md#installations-from-source
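Review bot: the `password: 'd6V5H8nhMUW9AuDP25abXeLd'` value and the complete `-----BEGIN PRIVATE KEY-----` block appear verbatim in both the Omnibus and the source examples with nothing saying they are samples, so a reader can paste them unchanged; mark them as placeholders to be replaced with the output of 'Generate New Credentials' and the `.crt`/`.key` files from the certificate download, and add a sentence that `/etc/gitlab/gitlab.rb` or `config/gitlab.yml` will now hold a bind password and a client private key and must be protected like any other credential file. Two smaller points: the TIP breaks its sentence so that `, turn on 'Read group information'.` starts a line, which renders with a space before the comma; and the Omnibus example carries `# remember to close this block with 'EOS' below` while the source example gives no equivalent cue that the PEM lines must stay indented under `cert: |` and `key: |` for the YAML block scalars to parse.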
Binary file not shown (size after: 28 KiB).
Binary file not shown (size after: 80 KiB).
Binary file not shown (size after: 62 KiB).
@ -48,6 +48,14 @@ LDAP-enabled users can always authenticate with Git using their GitLab username
or email and LDAP password, even if password authentication for Git is disabled
in the application settings.

## Google Secure LDAP **[CORE ONLY]**

> Introduced in GitLab 11.9.

[Google Cloud Identity](https://cloud.google.com/identity/) provides a Secure
LDAP service that can be configured with GitLab for authentication and group sync.
See [Google Secure LDAP](google_secure_ldap.md) for detailed configuration instructions.

## Configuration

NOTE: **Note**:
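Review bot: the `> Introduced in GitLab 11.9.` line here drops the issue link that the new `google_secure_ldap.md` page uses for the same statement; use the linked form from that page (`> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/46391) in GitLab 11.9.`) so both pages point at the tracking issue and the two summaries stay in sync.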