Setting up GitLab LDAP authentication without a special GitLab user

Date: 2013-03-10 11:06:11

Tags: ldap gitlab

I want to set up Gitlab using our company's LDAP as a demo. Unfortunately, I have to enter an admin password in gitlab.yml to let gitlab access the LDAP service. The problem is really the admins, since they don't want to set up another account just for Gitlab. Is there any way to get around this without filling in my own password? Is there a way for Gitlab to establish the LDAP connection only with the credentials the user provides?

Any ideas other than logging in anonymously?

Posted here

3 answers:

Answer 0 (score: 9)

I haven't tried it yet, but from what I have built so far for authenticating against LDAP, and from the information in the configuration file, this user account is only needed if your LDAP does not support anonymous bind for searching.

So I would comment out the two entries bind_dn and password and try whether it works.

Update

I implemented LDAP authentication in Gitlab, and it was very easy.

There is a section named ldap in the gitlab.yml file.

You must supply the information for connecting to LDAP. It seems that all fields must be given; there does not seem to be a fallback default! If you want to use anonymous bind to retrieve the user DN, provide empty strings for bind_dn and password. Commenting them out does not seem to work! At least I got a 501 error message.

More information can be found at https://github.com/patthoyts/gitlabhq/wiki/Setting-up-ldap-auth and (more outdated, but still useful) https://github.com/intridea/omniauth-ldap

Answer 1 (score: 5)

I patched gitlab to work this way and documented the process at https://foivos.zakkak.net/tutorials/gitlab_ldap_auth_without_querying_account/

I shamelessly copy the instructions here for self-completeness.

Note: this tutorial was last tested with gitlab 8.2 installed from source.

This tutorial aims to show how to modify a Gitlab installation to authenticate against an LDAP server using the user's credentials. By default Gitlab relies on anonymous binds or a special query user to first ask the LDAP server whether the user exists, before authenticating her with her own credentials. For security reasons, however, many administrators disable anonymous binds and forbid the creation of special query LDAP users.

In this tutorial we assume that we have a gitlab setup at gitlab.example.com and an LDAP server running at ldap.example.com, and that users have DNs of the following form: CN=username,OU=Users,OU=division,OU=department,DC=example,DC=com

Patching

To make Gitlab work in this case, we need to partially modify its authentication mechanism regarding LDAP.

First, we replace the omniauth-ldap module with this fork. To do so, we apply the following patch to gitlab/Gemfile

diff --git a/Gemfile b/Gemfile
index 1171eeb..f25bc60 100644
--- a/Gemfile
+++ b/Gemfile
@@ -44,4 +44,5 @@ gem 'gitlab-grack', '~> 2.0.2', require: 'grack'
 # LDAP Auth
 # GitLab fork with several improvements to original library. For full list of changes 
 # see https://github.com/intridea/omniauth-ldap/compare/master...gitlabhq:master
-gem 'gitlab_omniauth-ldap', '1.2.1', require: "omniauth-ldap"
+#gem 'gitlab_omniauth-ldap', '1.2.1', require: "omniauth-ldap"
+gem 'gitlab_omniauth-ldap', :git => 'https://github.com/zakkak/omniauth-ldap.git', require: 'net-ldap', require: "omniauth-ldap"
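Review bot: the added line passes `require:` twice in one hash literal (`require: 'net-ldap', require: "omniauth-ldap"`); Ruby keeps only the last value, so `net-ldap` is never required through this entry and the parser emits a duplicated-key warning. Use `require: ['net-ldap', 'omniauth-ldap']` instead. The `:git` source also carries no `ref:`/`tag:` pin, so every `bundle install` tracks whatever the fork's default branch holds at that moment; pin the reviewed commit so the authentication code path cannot change silently.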

Now we need to run:

  1. sudo -u git -H bundle install --without development test mysql --path vendor/bundle --no-deployment
  2. sudo -u git -H bundle install --deployment --without development test mysql aws

These commands fetch the modified omniauth-ldap module into gitlab/vendor/bundle/ruby/2.x.x/bundler/gems. Now that the module is fetched, we need to modify it to use the DN our LDAP server expects. We do this by patching lib/omniauth/strategies/ldap.rb in gitlab/vendor/bundle/ruby/2.x.x/bundler/gems/omniauth-ldap with:

    diff --git a/lib/omniauth/strategies/ldap.rb b/lib/omniauth/strategies/ldap.rb
    index 9ea62b4..da5e648 100644
    --- a/lib/omniauth/strategies/ldap.rb
    +++ b/lib/omniauth/strategies/ldap.rb
    @@ -39,7 +39,7 @@ module OmniAuth
             return fail!(:missing_credentials) if missing_credentials?
    
             # The HACK!  FIXME: do it in a more generic/configurable way
    -        @options[:bind_dn]  = "CN=#{request['username']},OU=Test,DC=my,DC=example,DC=com"
    +        @options[:bind_dn]  = "CN=#{request['username']},OU=Users,OU=division,OU=department,DC=example,DC=com"
             @options[:password] = request['password']
             @adaptor = OmniAuth::LDAP::Adaptor.new @options
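Review bot: `request['username']` is interpolated raw into the bind DN, so a login containing a DN separator such as `,` or `=` (RFC 4514 special characters) alters the structure of the DN the strategy binds as instead of being treated as part of the CN. Escape the value (or reject logins outside an allowlist such as `[A-Za-z0-9._-]`) before building the DN, and read the container part of the DN from `@options` (the `base` setting) rather than hard-coding it, as the `FIXME` on the preceding line already asks.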
    

With this module, gitlab uses the user's credentials to bind to the LDAP server and query it, as well as to authenticate the user herself.

This will only work if the users do not use ssh-keys to authenticate with Gitlab. When authenticating via ssh-key, by default Gitlab queries the LDAP server to find out whether the corresponding user is (still) a valid user. At this point we cannot use the user's credentials to query the LDAP server, since they are not provided to us. As a result we disable this mechanism, essentially allowing users with registered ssh-keys who have been removed from the LDAP server to still use our Gitlab setup. To prevent such users from still being able to use the Gitlab setup, you must manually remove their ssh-keys from any account in your setup.

To disable this mechanism, we patch gitlab/lib/gitlab/ldap/access.rb with:

    diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
    index 16ff03c..9ebaeb6 100644
    --- a/lib/gitlab/ldap/access.rb
    +++ b/lib/gitlab/ldap/access.rb
    @@ -14,15 +14,16 @@ module Gitlab
           end
    
           def self.allowed?(user)
    -        self.open(user) do |access|
    -          if access.allowed?
    -            user.last_credential_check_at = Time.now
    -            user.save
    -            true
    -          else
    -            false
    -          end
    -        end
    +        true
    +        # self.open(user) do |access|
    +        #   if access.allowed?
    +        #     user.last_credential_check_at = Time.now
    +        #     user.save
    +        #     true
    +        #   else
    +        #     false
    +        #   end
    +        # end
           end
    
           def initialize(user, adapter=nil)
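Review bot: replacing the body of `self.allowed?` with a bare `true` also drops the `user.last_credential_check_at = Time.now` / `user.save` update, so the recorded time of the last LDAP check stops advancing for every LDAP user and anything that reads that timestamp sees stale data. If the check really must be skipped, return early behind an explicit configuration flag and log that the LDAP check was bypassed, rather than leaving the original body behind as a comment block.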
    @@ -32,20 +33,21 @@ module Gitlab
           end
    
    def allowed?
    -        if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
    -          return true unless ldap_config.active_directory
    +        true
    +        # if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
    +        #   return true unless ldap_config.active_directory
    
    -          # Block user in GitLab if he/she was blocked in AD
    -          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
    -            user.block unless user.blocked?
    -            false
    -          else
    -            user.activate if user.blocked? && !ldap_config.block_auto_created_users
    -            true
    -          end
    -        else
    -          false
    -        end
    +        #   # Block user in GitLab if he/she was blocked in AD
    +        #   if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
    +        #     user.block unless user.blocked?
    +        #     false
    +        #   else
    +        #     user.activate if user.blocked? && !ldap_config.block_auto_created_users
    +        #     true
    +        #   end
    +        # else
    +        #   false
    +        # end
    rescue
    false
    end
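Review bot: the context lines `def allowed?`, `rescue`, `false` and `end` have lost their leading space, so this hunk will not apply with `git apply` or `patch` as shown; restore the single-space prefix on unchanged lines. Functionally, the unconditional `true` removes the `disabled_via_active_directory?` branch that called `user.block`, so an account later disabled in AD is no longer blocked here, and the `rescue` / `false` below becomes unreachable. The answer's text covers the ssh-key consequence; document this AD-disable consequence next to the code as well.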
    

Configuration

Use the following in gitlab.yml (modify according to your needs):

    #
    # 2. Auth settings
    # ==========================
    
    ## LDAP settings
    # You can inspect a sample of the LDAP users with login access by running:
    #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
    ldap:
      enabled: true
      servers:
        ##########################################################################
        #
        # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
        # Enterprise Edition now supports connecting to multiple LDAP servers.
        #
        # If you are updating from the old (pre-7.4) syntax, you MUST give your
        # old server the ID 'main'.
        #
        ##########################################################################
        main: # 'main' is the GitLab 'provider ID' of this LDAP server
          ## label
          #
          # A human-friendly name for your LDAP server. It is OK to change the label later,
          # for instance if you find out it is too large to fit on the web page.
          #
          # Example: 'Paris' or 'Acme, Ltd.'
          label: 'LDAP_EXAMPLE_COM'
    
          host: ldap.example.com
          port: 636
          uid: 'sAMAccountName'
          method: 'ssl' # "tls" or "ssl" or "plain"
          bind_dn: ''
          password: ''
    
          # This setting specifies if LDAP server is Active Directory LDAP server.
          # For non AD servers it skips the AD specific queries.
          # If your LDAP server is not AD, set this to false.
          active_directory: true
    
          # If allow_username_or_email_login is enabled, GitLab will ignore everything
          # after the first '@' in the LDAP username submitted by the user on login.
          #
          # Example:
          # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
          # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
          #
          # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
          # disable this setting, because the userPrincipalName contains an '@'.
          allow_username_or_email_login: false
    
          # To maintain tight control over the number of active users on your GitLab installation,
          # enable this setting to keep new users blocked until they have been cleared by the admin
          # (default: false).
          block_auto_created_users: false
    
          # Base where we can search for users
          #
          #   Ex. ou=People,dc=gitlab,dc=example
          #
          base: 'OU=Users,OU=division,OU=department,DC=example,DC=com'
    
          # Filter LDAP users
          #
          #   Format: RFC 4515 http://tools.ietf.org/search/rfc4515
          #   Ex. (employeeType=developer)
          #
          #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
          #
          user_filter: '(&(objectclass=user)(objectclass=person))'
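
Added example, not from the answer above and not GitLab's or omniauth-ldap's own code: the patched strategy interpolates the login straight into the bind DN, so this helper builds the same `CN=<login>,<base>` DN from the `base:` value in the gitlab.yml above, but escapes the login per RFC 4514 (so a value containing `,`, `=` or `+` cannot change the DN's structure) and offers an allowlist check for the plain-username case. The module name `BindDn` and its method names are this example's own.

```ruby
# Added example (not GitLab's or omniauth-ldap's code). Builds the per-user
# bind DN the patched ldap.rb needs, escaping the login per RFC 4514 and
# taking the container part from the gitlab.yml `base` value instead of a
# hard-coded string. Module and method names are this example's own.
module BindDn
  # Characters that are structural inside a DN value (RFC 4514, section 2.4).
  SPECIAL = ['\\', '"', '+', ',', ';', '<', '>', '='].freeze
  # Allowlist for the common case: a plain sAMAccountName-style login.
  SAFE_LOGIN = /\A[A-Za-z0-9._-]+\z/

  # Escapes one attribute value so it can be placed in a DN string unchanged.
  def self.escape_value(value)
    chars = value.chars
    last = chars.length - 1
    chars.each_with_index.map do |c, i|
      if SPECIAL.include?(c)
        "\\#{c}"
      elsif c == ' ' && (i.zero? || i == last)   # leading or trailing space
        '\\ '
      elsif c == '#' && i.zero?                  # leading '#'
        '\\#'
      elsif c.ord < 0x20                         # control characters as \XX
        format('\\%02X', c.ord)
      else
        c
      end
    end.join
  end

  # True when the login is a plain username, the only form the tutorial's
  # DN template is meant to receive; callers can fail closed otherwise.
  def self.plausible_login?(login)
    !login.nil? && login.match?(SAFE_LOGIN)
  end

  # Builds "CN=<login>,<base>" as the patched ldap.rb does, with escaping.
  # base is the `base:` value from the gitlab.yml above.
  def self.build(login, base)
    "CN=#{escape_value(login)},#{base}"
  end
end

# Constructed sample run (example values, not a real directory).
if __FILE__ == $PROGRAM_NAME
  base = 'OU=Users,OU=division,OU=department,DC=example,DC=com'
  puts BindDn.build('jane.doe', base)
  puts BindDn.build('jane,OU=Admins', base)
end
```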
    

Answer 2 (score: 1)

GitLab uses omniauth to manage multiple login sources (including LDAP).

So if you could somehow extend omniauth to manage the LDAP connection differently, you could get the password from another source.
That would avoid keeping said password in the ldap section of the gitlab.yml config file.