Gitlab – Join server to domain
I always thought that integrating a GitLab server with LDAP/Active Directory was something hard to achieve. Following a guide I found online, I've done my own configuration of it. Let's dive in! :)
Let's ssh to our server and begin by editing the /etc/gitlab/gitlab.rb
file. It is a really large file, around 4000 lines. The section we work on, the LDAP settings, sits a little below line 500 (the exact line varies between GitLab versions, so search for ldap_enabled rather than counting lines):
vim /etc/gitlab/gitlab.rb
NOTE: Proceed with care when editing the file. The LDAP settings are a YAML document embedded in the Ruby file (everything between YAML.load <<-'EOS' and the closing EOS), so indentation inside that block is significant: a mis-indented key or a missing EOS makes gitlab-ctl reconfigure fail, and the server will not start up again until the file is fixed.
Here is the configuration mirrored from my GitLab server's AD setup (hostname, bind account and password are placeholders):
gitlab_rails['ldap_enabled'] = true
# gitlab_rails['prevent_ldap_sign_in'] = false
###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'domaincontroller.domain.local'
    port: 389
    uid: 'sAMAccountName'
    bind_dn: '[email protected]'
    password: 'YourSup3rS3cretPa$$word'
    # encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
    # verify_certificates: true
    # smartcard_auth: false
    active_directory: true
    # smartcard_ad_cert_field: 'altSecurityIdentities'
    # smartcard_ad_cert_format: null # 'issuer_and_serial_number', 'issuer_and_subject' , 'principal_name'
    # allow_username_or_email_login: false
    # lowercase_usernames: false
    # block_auto_created_users: false
    base: 'CN=Users,DC=domain,DC=local'
    # user_filter: ''
    # ## EE only
    # group_base: ''
    # admin_group: ''
    # sync_ssh_keys: false
EOS
The first step is to turn LDAP on for the server. Find the line # gitlab_rails['ldap_enabled'] = false, uncomment it and set its value to true.
label: 'LDAP'
is the text shown on the sign-in tab for this provider. It does not select a mode; it is only a display name.
host: 'domaincontroller.domain.local'
points GitLab at our domain controller, by DNS name or IP address. Prefer the DNS name if you intend to enable TLS, because the name is what the server certificate is checked against.
port: 389
I am using the default non-TLS LDAP port 389 here, which is the minimum that works. Be aware that with port 389 and encryption left at plain, the bind password and every user's password at login cross the network in cleartext, readable by anyone who can capture traffic between GitLab and the domain controller. For anything beyond a lab, use port 636 with encryption: 'simple_tls' (or keep 389 with encryption: 'start_tls') and leave verify_certificates: true; domain controllers configured to require LDAP signing also refuse a simple bind over an unencrypted connection.
uid: 'sAMAccountName'
names the AD attribute that the username typed into the GitLab login form is matched against. sAMAccountName is the classic logon name (the part before @ in a UPN, or after DOMAIN\). This is not the bind account; that is set below.
bind_dn: '[email protected]'
is the account GitLab itself binds with to search the directory; AD accepts either a full DN or the user@domain UPN form here. I created a separate account in my domain specifically for this task. Give it nothing beyond the read access an ordinary domain user has, no group memberships it does not need and, ideally, no interactive logon rights, because anyone who can read gitlab.rb can read its password.
password: 'YourSup3rS3cretPa$$word'
is the password for the bind user. I recommend a password of mixed alphanumerics plus special characters, 15-20 characters long; a randomly generated one kept in a password manager is best. It is stored in cleartext in gitlab.rb, so keep the file readable only by root (check with ls -l /etc/gitlab/gitlab.rb), and rotate it by changing it in AD, updating this line and running gitlab-ctl reconfigure. Because the heredoc is opened with <<-'EOS' (single quotes), Ruby does no interpolation and the password is passed through literally.
active_directory: true
must be present and uncommented, as it tells GitLab the server is Active Directory and enables the AD-specific queries; in particular GitLab then reads userAccountControl, so an account disabled in AD is blocked in GitLab as well.
base: 'CN=Users,DC=domain,DC=local'
is the search base; adapt it to where the accounts that should be able to log in live. Note that the default Users container is a CN, not an OU; if your people are in organisational units use OU=..., and GitLab searches the whole subtree beneath the base, so DC=domain,DC=local would find everyone in the domain. Combine it with user_filter (for example a memberOf= filter on a dedicated group) so that only the intended accounts, rather than every enabled account under the base, can sign in.
EOS
closes the YAML block. Make sure it is the last line of the configuration, on a line of its own, as it ends the heredoc that holds the LDAP settings.
Once that is done, save the file and reconfigure the server:
gitlab-ctl reconfigure
Afterwards, gitlab-rake gitlab:ldap:check tests the bind and prints the first users found under the base, which is the quickest way to catch a wrong bind_dn, password or base before trying the login page. These are the settings needed to get LDAP/Active Directory logins running with a minimal configuration. If you have not set up your own GitLab instance yet, follow my tutorial on how to spin one up here.
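The block above is the minimum that works, and it is also the weak setting of this page: cleartext LDAP on 389 and no user_filter. As an added example that is not part of the original post, here is a small Ruby lint that reads the ldap_servers heredoc out of a gitlab.rb exactly as Ruby hands it to YAML.load and flags those settings, with the post's minimal block beside a hardened version (LDAPS on 636, certificate verification against a CA file via GitLab's tls_options, a memberOf user_filter). The bind account DN, the 'GitLab Users' group and the CA file path in the samples are assumptions, not values from the post.

```ruby
# Added example, not from the original post: lint the LDAP block of
# /etc/gitlab/gitlab.rb. It extracts the YAML document that gitlab.rb hands to
# YAML.load, parses it the same way, and flags cleartext LDAP, disabled
# certificate checks, a port that does not match the encryption mode, a
# missing user_filter and a privileged-looking bind account.
require 'yaml'

# Return the text between `gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'`
# and the closing `EOS` line, as Ruby would pass it to YAML.load.
def extract_ldap_yaml(config_text)
  m = config_text.match(/gitlab_rails\['ldap_servers'\]\s*=\s*YAML\.load\s*<<-'EOS'\n(.*?)^\s*EOS\s*$/m)
  raise 'no ldap_servers heredoc found in config' unless m
  m[1]
end

# Parse the heredoc into a Hash keyed by provider id ('main', ...).
def parse_ldap_servers(config_text)
  YAML.safe_load(extract_ldap_yaml(config_text))
end

# Audit every provider and return human-readable findings (empty = these checks pass).
def audit_ldap_servers(servers)
  findings = []
  servers.each do |name, s|
    enc  = s.fetch('encryption', 'plain') # GitLab treats an unset encryption as plain
    port = s['port']
    if enc == 'plain'
      findings << "#{name}: encryption is plain on port #{port}: the bind password and every user's login password cross the network in cleartext"
    elsif s['verify_certificates'] == false
      findings << "#{name}: verify_certificates is false: the TLS session accepts any certificate, so it can be intercepted"
    end
    findings << "#{name}: simple_tls expects the LDAPS port 636, got #{port}" if enc == 'simple_tls' && port != 636
    findings << "#{name}: start_tls runs on the plain LDAP port 389, got #{port}" if enc == 'start_tls' && port != 389
    if s['user_filter'].to_s.strip.empty?
      findings << "#{name}: no user_filter: every enabled account under #{s['base']} can sign in"
    end
    if s['bind_dn'].to_s.match?(/administrator/i)
      findings << "#{name}: bind_dn looks like a built-in admin account; bind with a dedicated low-privilege user"
    end
  end
  findings
end

# Convenience wrapper for the real file (needs root to read it).
def audit_gitlab_rb(path = '/etc/gitlab/gitlab.rb')
  audit_ldap_servers(parse_ldap_servers(File.read(path)))
end

# Constructed sample: the minimal block from the post. The bind DN is an
# assumption standing in for the post's service account.
WEAK_CONFIG = <<~'RB'
  gitlab_rails['ldap_enabled'] = true
  gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
    main:
      label: 'LDAP'
      host: 'domaincontroller.domain.local'
      port: 389
      uid: 'sAMAccountName'
      bind_dn: 'CN=svc-gitlab-bind,CN=Users,DC=domain,DC=local'
      password: 'YourSup3rS3cretPa$$word'
      active_directory: true
      base: 'CN=Users,DC=domain,DC=local'
  EOS
RB

# Constructed sample: the same block hardened. Group name and CA path are assumptions.
HARDENED_CONFIG = <<~'RB'
  gitlab_rails['ldap_enabled'] = true
  gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
    main:
      label: 'LDAP'
      host: 'domaincontroller.domain.local'
      port: 636
      uid: 'sAMAccountName'
      encryption: 'simple_tls'
      verify_certificates: true
      tls_options:
        ca_file: '/etc/gitlab/trusted-certs/domain-root-ca.pem'
      bind_dn: 'CN=svc-gitlab-bind,CN=Users,DC=domain,DC=local'
      password: 'YourSup3rS3cretPa$$word'
      active_directory: true
      base: 'CN=Users,DC=domain,DC=local'
      user_filter: '(memberOf=CN=GitLab Users,CN=Users,DC=domain,DC=local)'
  EOS
RB

if $PROGRAM_NAME == __FILE__
  { 'weak' => WEAK_CONFIG, 'hardened' => HARDENED_CONFIG }.each do |label, cfg|
    findings = audit_ldap_servers(parse_ldap_servers(cfg))
    puts "#{label}: #{findings.empty? ? 'no findings' : "\n  " + findings.join("\n  ")}"
  end
end
```

Run it against the live file with audit_gitlab_rb as root after every edit of the LDAP block; it also serves as a syntax check, because a mis-indented heredoc fails in YAML.safe_load here before it fails in gitlab-ctl reconfigure. An empty result only means these particular checks pass.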
And that wraps up my take on this configuration. See you soon! :)