Ldap – How to restrict access to Gitlab by LDAP group (with LDAP search filter)

gitlabldap

I have a running Gitlab CE installation with LDAP authentication. Now I want to restrict the access based on group membership.

The option user_filter seems to be the option to go with. However, I can't seem to get anyone to be allowed to login based on group membership.

What I tried is this (gitlabaccess being the group that should be allowed to login):

user_filter: '(&(objectclass=group)(samaccountname=gitlabaccess))'

or:

user_filter: '(memberOf=cn=gitlabaccess,DC=my,DC=domain,DC=com)'

The documentation states the following but it also doesn't work and I have no idea what the numbers should be:

user_filter: '(memberOf:1.2.840.113556.1.4.1941:=cn=gitlabaccess,DC=my,DC=domain,DC=com)'

Specific users work like this:

user_filter: '(&(objectclass=user)(samaccountname=jon.doe))'

Gitlab CE version 9.5.5 installed from omnibus package.

How can one restrict the access to Gitlab based on LDAP group membership?

Best Answer

I figured it out. You need to specify the whole path to the group with all OU's. In my case this was:

user_filter: '(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'

As pointed out in the comments, the above query only returns direct members of the group. If you also want to include members of nested groups you will have to add :1.2.840.113556.1.4.1941: to memberOf like so:

user_filter: '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'

If you want to add a specific user, use this:

user_filter: '(|(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))(&(objectClass=user)(sAMAccountName=jon.doe)))'

Related Solutions

OpenLDAP – Configure Reverse Group Membership Maintenance (memberOf)

I've been struggling with the same thing, the openldap documentation is minimalist and hardly helpful at all. When they went over to a config database (not a bad idea in principle) all the options changed so when people are giving example from /etc/ldap/slapd.conf it is useless with a modern slapd config (such as Ubuntu).

I finally got this working. Here's the summary... first LDIF file:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

Second LDIF file:

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Add them into the config database using ldapadd (same as normal config stuff).

It does not automatically update the existing data in the database, so I needed to use slapcat to copy everything out into a temporary file, and visit each group, delete the group and add the same group back in again (forces the memberOf attributes to update correctly). If you are starting with an empty database, then it will correctly update the attributes as objects are added.

Also, note that "olcDatabase={1}hdb" is very typical, but not guaranteed to match your setup. Be sure to check that one.

Ldap – Restrict access to websites based on LDAP / Active Directory group membership

We do this with Barracuda Network's Web Filter, which can be integrated with Active Directory. You can also assign certain IP addresses specific permissions - it is easy enough to make sure the same computer always has the same IP address on your network via DHCP or plain old static configuration. We chose this because we liked the reporting it does, and we got a good deal.

There are plenty of competing web filter solutions, hardware, software, open source, and even cloud based Software as a Service solutions, that integrate with Active Directory - if they do that then they almost 100% do what you need.

Best Answer

Related Solutions

OpenLDAP – Configure Reverse Group Membership Maintenance (memberOf)

Ldap – Restrict access to websites based on LDAP / Active Directory group membership

Related Topic