• 58) Adding LDAP authentication to GitLab (Windows AD)


    1- Edit /etc/gitlab/gitlab.rb

    My configuration:

    gitlab_rails['ldap_enabled'] = true
    
    ###! **remember to close this block with 'EOS' below**
    gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
       main: # 'main' is the GitLab 'provider ID' of this LDAP server
         label: 'LDAP'
         host: '10.0.0.31'
         port: 389
         uid: 'SamaccountName'
         method: 'plain' # "tls" or "ssl" or "plain"
         bind_dn: 'cn=admin,cn=Users,dc=leman,dc=com'
         password: 'Password@1'
         active_directory: true
         allow_username_or_email_login: true
         block_auto_created_users: false
         base: 'dc=leman,dc=com'
         user_filter: ''
    EOS
    

    Parameter notes:

    - host, port: the IP address and port of the LDAP service.
    - method: how the connection is protected. 'plain' is unencrypted LDAP on port 389, so the bind password and every user's login password cross the network in cleartext; 'tls' upgrades the 389 connection with STARTTLS and 'ssl' uses LDAPS (normally port 636).
    - bind_dn: the DN used to administer LDAP, i.e. the LDAP server's administrator account, written as cn=account,cn=organizational unit.
    - base: the DN that LDAP uses as the starting node when searching downward for users; the base domain of the LDAP server.
    - user_filter: a filter expression that restricts which users are selected. Empty means no filtering.
    

    For example, to restrict which users are allowed:

    user_filter: '(CN=sambauser1)'
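
A small Ruby audit of the ldap_servers block above, added here as an example and not part of the original post or of GitLab itself. It loads a constructed copy of the page's YAML (bind password replaced by a placeholder), reports the settings a reviewer would flag (method 'plain', empty user_filter, block_auto_created_users false), and produces a hardened copy: LDAPS on 636 with certificate verification (which assumes the domain controller has an LDAPS certificate), auto-created users blocked, and a user_filter built from an allow-list with RFC 4515 escaping. The helper names (audit_servers, allow_list_filter, hardened_servers) and the allowed user names are the example's own choices.

```ruby
require 'yaml'

# Constructed copy of the ldap_servers block from this page; the real bind
# password is replaced by a placeholder. In gitlab.rb the same text is fed to
# YAML.load through a heredoc.
LDAP_SERVERS_YAML = <<~'EOS'
  main:
    label: 'LDAP'
    host: '10.0.0.31'
    port: 389
    uid: 'SamaccountName'
    method: 'plain'
    bind_dn: 'cn=admin,cn=Users,dc=leman,dc=com'
    password: 'REPLACE_ME'
    active_directory: true
    allow_username_or_email_login: true
    block_auto_created_users: false
    base: 'dc=leman,dc=com'
    user_filter: ''
EOS

# Escape a value for use inside an LDAP search filter (RFC 4515), so that a
# name containing '*', '(', ')', '\' or NUL cannot change the filter's shape.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Build a user_filter that admits only the listed account names.
# ('CN', ['sambauser1']) reproduces the page's own '(CN=sambauser1)'.
def allow_list_filter(attribute, names)
  clauses = names.map { |n| "(#{attribute}=#{ldap_filter_escape(n)})" }
  clauses.size == 1 ? clauses.first : "(|#{clauses.join})"
end

# Return one finding string per weak setting, for every provider in the hash.
def audit_servers(servers)
  findings = []
  servers.each do |provider, cfg|
    p = "#{provider}:"
    if cfg['method'] == 'plain'
      findings << "#{p} method 'plain' sends bind and user passwords in cleartext; use 'tls' or 'ssl'"
    end
    if cfg['method'] == 'ssl' && cfg['port'] != 636
      findings << "#{p} method 'ssl' normally uses port 636, got #{cfg['port']}"
    end
    # With no filter, every object under base that carries the uid attribute
    # (groups and computer accounts included) can attempt to sign in.
    if cfg['user_filter'].to_s.strip.empty?
      findings << "#{p} user_filter is empty; any object under #{cfg['base']} with #{cfg['uid']} can sign in"
    end
    if cfg['block_auto_created_users'] == false
      findings << "#{p} block_auto_created_users is false; first LDAP logins become active accounts without approval"
    end
  end
  findings
end

def audit_ldap_servers(yaml_text)
  audit_servers(YAML.safe_load(yaml_text))
end

# Hardened copy of the same providers: LDAPS with certificate checks, approval
# required for new accounts, and an allow-list filter on the uid attribute.
def hardened_servers(servers, allowed_users)
  servers.transform_values do |cfg|
    cfg.merge(
      'method' => 'ssl',
      'port' => 636,
      'verify_certificates' => true,
      'block_auto_created_users' => true,
      'user_filter' => allow_list_filter(cfg['uid'], allowed_users)
    )
  end
end

if __FILE__ == $PROGRAM_NAME
  audit_ldap_servers(LDAP_SERVERS_YAML).each { |f| puts "FINDING #{f}" }
  # Allowed account names are the example's own choice.
  hardened = hardened_servers(YAML.safe_load(LDAP_SERVERS_YAML), %w[samba_user1 samba_user2])
  puts YAML.dump(hardened)
end
```

The hardened YAML printed at the end can be pasted back into the heredoc in gitlab.rb; running the audit over it returns no findings.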
    
    

    2- Apply the configuration with the gitlab reconfigure command

    gitlab-ctl reconfigure
    

    3- Retrieve the list of users from the AD domain

    gitlab-rake gitlab:ldap:check
    

    The output should look like the following; otherwise, check and correct the configuration file. Note that with an empty user_filter the list includes groups (the CN=Builtin entries and the Domain Admins style groups under CN=Users) and computer accounts (SamaccountName ending in $), not only people.

    [root@gitlab ~]# gitlab-rake gitlab:ldap:check
    Checking LDAP ...
    
    Server: ldapmain
    LDAP authentication... Success
    LDAP users with access to your GitLab server (only showing the first 100 results)
    	DN: CN=Access Control Assistance Operators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Access Control Assistance Operators
    	DN: CN=Account Operators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Account Operators
    	DN: CN=admin,CN=Users,DC=leman,DC=com	 SamaccountName: admin
    	DN: CN=Administrator,CN=Users,DC=leman,DC=com	 SamaccountName: Administrator
    	DN: CN=Administrators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Administrators
    	DN: CN=Allowed RODC Password Replication Group,CN=Users,DC=leman,DC=com	 SamaccountName: Allowed RODC Password Replication Group
    	DN: CN=Backup Operators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Backup Operators
    	DN: CN=Cert Publishers,CN=Users,DC=leman,DC=com	 SamaccountName: Cert Publishers
    	DN: CN=Certificate Service DCOM Access,CN=Builtin,DC=leman,DC=com	 SamaccountName: Certificate Service DCOM Access
    	DN: CN=Cloneable Domain Controllers,CN=Users,DC=leman,DC=com	 SamaccountName: Cloneable Domain Controllers
    	DN: CN=Cryptographic Operators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Cryptographic Operators
    	DN: CN=DefaultAccount,CN=Users,DC=leman,DC=com	 SamaccountName: DefaultAccount
    	DN: CN=Denied RODC Password Replication Group,CN=Users,DC=leman,DC=com	 SamaccountName: Denied RODC Password Replication Group
    	DN: CN=DHCP Administrators,CN=Users,DC=leman,DC=com	 SamaccountName: DHCP Administrators
    	DN: CN=DHCP Users,CN=Users,DC=leman,DC=com	 SamaccountName: DHCP Users
    	DN: CN=Distributed COM Users,CN=Builtin,DC=leman,DC=com	 SamaccountName: Distributed COM Users
    	DN: CN=DnsAdmins,CN=Users,DC=leman,DC=com	 SamaccountName: DnsAdmins
    	DN: CN=DnsUpdateProxy,CN=Users,DC=leman,DC=com	 SamaccountName: DnsUpdateProxy
    	DN: CN=Domain Admins,CN=Users,DC=leman,DC=com	 SamaccountName: Domain Admins
    	DN: CN=Domain Computers,CN=Users,DC=leman,DC=com	 SamaccountName: Domain Computers
    	DN: CN=Domain Controllers,CN=Users,DC=leman,DC=com	 SamaccountName: Domain Controllers
    	DN: CN=Domain Guests,CN=Users,DC=leman,DC=com	 SamaccountName: Domain Guests
    	DN: CN=Domain Users,CN=Users,DC=leman,DC=com	 SamaccountName: Domain Users
    	DN: CN=Enterprise Admins,CN=Users,DC=leman,DC=com	 SamaccountName: Enterprise Admins
    	DN: CN=Enterprise Key Admins,CN=Users,DC=leman,DC=com	 SamaccountName: Enterprise Key Admins
    	DN: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=leman,DC=com	 SamaccountName: Enterprise Read-only Domain Controllers
    	DN: CN=Event Log Readers,CN=Builtin,DC=leman,DC=com	 SamaccountName: Event Log Readers
    	DN: CN=ftp_user,CN=Users,DC=leman,DC=com	 SamaccountName: ftp_user
    	DN: CN=ftpuser1,OU=leman1,OU=Domain Controllers,DC=leman,DC=com	 SamaccountName: ftp_user1
    	DN: CN=ftpuser2,OU=leman1,OU=Domain Controllers,DC=leman,DC=com	 SamaccountName: ftp_user2
    	DN: CN=ftp1,CN=Users,DC=leman,DC=com	 SamaccountName: ftp1
    	DN: CN=ftp2,CN=Users,DC=leman,DC=com	 SamaccountName: ftp2
    	DN: CN=ftp3,CN=Users,DC=leman,DC=com	 SamaccountName: ftp3
    	DN: CN=Group Policy Creator Owners,CN=Users,DC=leman,DC=com	 SamaccountName: Group Policy Creator Owners
    	DN: CN=Guest,CN=Users,DC=leman,DC=com	 SamaccountName: Guest
    	DN: CN=Guests,CN=Builtin,DC=leman,DC=com	 SamaccountName: Guests
    	DN: CN=Hyper-V Administrators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Hyper-V Administrators
    	DN: CN=IIS_IUSRS,CN=Builtin,DC=leman,DC=com	 SamaccountName: IIS_IUSRS
    	DN: CN=Incoming Forest Trust Builders,CN=Builtin,DC=leman,DC=com	 SamaccountName: Incoming Forest Trust Builders
    	DN: CN=Key Admins,CN=Users,DC=leman,DC=com	 SamaccountName: Key Admins
    	DN: CN=krbtgt,CN=Users,DC=leman,DC=com	 SamaccountName: krbtgt
    	DN: CN=LEMAN-P1,CN=Computers,DC=leman,DC=com	 SamaccountName: LEMAN-P1$
    	DN: CN=LEMAN,OU=Domain Controllers,DC=leman,DC=com	 SamaccountName: LEMAN$
    	DN: CN=leman_ftp,OU=leman1,OU=Domain Controllers,DC=leman,DC=com	 SamaccountName: leman_ftp
    	DN: CN=leman_samba,OU=leman1,OU=Domain Controllers,DC=leman,DC=com	 SamaccountName: leman_samba
    	DN: CN=Network Configuration Operators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Network Configuration Operators
    	DN: CN=Performance Log Users,CN=Builtin,DC=leman,DC=com	 SamaccountName: Performance Log Users
    	DN: CN=Performance Monitor Users,CN=Builtin,DC=leman,DC=com	 SamaccountName: Performance Monitor Users
    	DN: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=leman,DC=com	 SamaccountName: Pre-Windows 2000 Compatible Access
    	DN: CN=Print Operators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Print Operators
    	DN: CN=PROMETHEUS,CN=Computers,DC=leman,DC=com	 SamaccountName: PROMETHEUS$
    	DN: CN=Protected Users,CN=Users,DC=leman,DC=com	 SamaccountName: Protected Users
    	DN: CN=RAS and IAS Servers,CN=Users,DC=leman,DC=com	 SamaccountName: RAS and IAS Servers
    	DN: CN=RDS Endpoint Servers,CN=Builtin,DC=leman,DC=com	 SamaccountName: RDS Endpoint Servers
    	DN: CN=RDS Management Servers,CN=Builtin,DC=leman,DC=com	 SamaccountName: RDS Management Servers
    	DN: CN=RDS Remote Access Servers,CN=Builtin,DC=leman,DC=com	 SamaccountName: RDS Remote Access Servers
    	DN: CN=Read-only Domain Controllers,CN=Users,DC=leman,DC=com	 SamaccountName: Read-only Domain Controllers
    	DN: CN=Remote Desktop Users,CN=Builtin,DC=leman,DC=com	 SamaccountName: Remote Desktop Users
    	DN: CN=Remote Management Users,CN=Builtin,DC=leman,DC=com	 SamaccountName: Remote Management Users
    	DN: CN=Replicator,CN=Builtin,DC=leman,DC=com	 SamaccountName: Replicator
    	DN: CN=samba,CN=Users,DC=leman,DC=com	 SamaccountName: samba
    	DN: CN=sambauser1,OU=leman1,OU=Domain Controllers,DC=leman,DC=com	 SamaccountName: samba_user1
    	DN: CN=sambauser2,OU=leman1,OU=Domain Controllers,DC=leman,DC=com	 SamaccountName: samba_user2
    	DN: CN=Schema Admins,CN=Users,DC=leman,DC=com	 SamaccountName: Schema Admins
    	DN: CN=Server Operators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Server Operators
    	DN: CN=Storage Replica Administrators,CN=Builtin,DC=leman,DC=com	 SamaccountName: Storage Replica Administrators
    	DN: CN=System Managed Accounts Group,CN=Builtin,DC=leman,DC=com	 SamaccountName: System Managed Accounts Group
    	DN: CN=Terminal Server License Servers,CN=Builtin,DC=leman,DC=com	 SamaccountName: Terminal Server License Servers
    	DN: CN=UBUNTU,CN=Computers,DC=leman,DC=com	 SamaccountName: UBUNTU$
    	DN: CN=Users,CN=Builtin,DC=leman,DC=com	 SamaccountName: Users
    	DN: CN=Windows Authorization Access Group,CN=Builtin,DC=leman,DC=com	 SamaccountName: Windows Authorization Access Group
    
    Checking LDAP ... Finished
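
A Ruby parser for the gitlab:ldap:check output above, added as an example (not part of the original post or of GitLab). It takes a constructed excerpt of the page's output, extracts each DN / SamaccountName pair, and flags the entries that should normally never be able to sign in to GitLab: computer accounts, objects under CN=Builtin, and the krbtgt service account. The check output does not show objectClass, so a group kept under CN=Users (Domain Admins, for instance) is indistinguishable from a person here; that is why the user_filter, not this parser, is the place to exclude groups. The entry kinds and helper names are the example's own.

```ruby
# Constructed excerpt of the `gitlab-rake gitlab:ldap:check` output shown on
# this page (tab-separated DN and SamaccountName columns, as GitLab prints them).
CHECK_OUTPUT_LINES = [
  'Checking LDAP ...',
  '',
  'Server: ldapmain',
  'LDAP authentication... Success',
  'LDAP users with access to your GitLab server (only showing the first 100 results)',
  "\tDN: CN=Account Operators,CN=Builtin,DC=leman,DC=com\t SamaccountName: Account Operators",
  "\tDN: CN=admin,CN=Users,DC=leman,DC=com\t SamaccountName: admin",
  "\tDN: CN=Domain Admins,CN=Users,DC=leman,DC=com\t SamaccountName: Domain Admins",
  "\tDN: CN=krbtgt,CN=Users,DC=leman,DC=com\t SamaccountName: krbtgt",
  "\tDN: CN=LEMAN-P1,CN=Computers,DC=leman,DC=com\t SamaccountName: LEMAN-P1$",
  "\tDN: CN=sambauser1,OU=leman1,OU=Domain Controllers,DC=leman,DC=com\t SamaccountName: samba_user1",
  '',
  'Checking LDAP ... Finished'
].freeze

Entry = Struct.new(:dn, :sam, :kind)

# Classify one entry from what the check output exposes. Groups stored under
# CN=Users cannot be told apart from people without objectClass, so they fall
# into :account; an objectCategory/objectClass clause in user_filter is the fix.
def classify(dn, sam)
  return :computer if sam.end_with?('$')          # machine accounts end in '$'
  return :builtin_group if dn.match?(/,CN=Builtin,/i)
  return :kerberos_service if sam.casecmp?('krbtgt')
  :account
end

# Parse the "DN: ... SamaccountName: ..." lines; other lines are skipped.
def parse_check_output(lines)
  lines.filter_map do |line|
    m = line.match(/\A\s*DN:\s*(?<dn>.+?)\s+SamaccountName:\s*(?<sam>.*?)\s*\z/)
    next unless m
    Entry.new(m[:dn], m[:sam], classify(m[:dn], m[:sam]))
  end
end

# Entries that a GitLab LDAP integration should not be admitting at all.
def unexpected_entries(entries)
  entries.reject { |e| e.kind == :account }
end

# Count of entries per kind, e.g. { account: 3, computer: 1, ... }.
def summarize(entries)
  entries.each_with_object(Hash.new(0)) { |e, h| h[e.kind] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  entries = parse_check_output(CHECK_OUTPUT_LINES)
  puts "parsed #{entries.size} entries: #{summarize(entries)}"
  unexpected_entries(entries).each do |e|
    puts "UNEXPECTED #{e.kind}: #{e.sam} (#{e.dn})"
  end
end
```

Pipe the real output in with `gitlab-rake gitlab:ldap:check | ruby this_script.rb` after replacing the constructed array with `$stdin.readlines(chomp: true)`; a non-empty unexpected list means the user_filter is still too broad.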
    
    

    4- Logs

    Location of the LDAP login error log:

    /var/log/gitlab/gitlab-rails/production.log
    
  • Original article: https://www.cnblogs.com/lemanlai/p/12587064.html
Copyright © 2020-2023  润新知