分享程序员开发的那些事...
更新时间:2022-05-10 22:54:32
在使用OpenLDAP验证用户身份时,您的Gitlab配置以Active Directory为目标,因此首先要做的是在/etc/gitlab/gitlab.rb中修复以下参数:>
Your Gitlab configuration targets Active Directory while you are using OpenLDAP to authenticate users, so the first thing to do is fixing the following parameters in /etc/gitlab/gitlab.rb:
uid: 'uid'
active_directory: false
在身份验证的上下文中,我不知道attributes的目的是什么(attributes用于将用户数据从ldap同步到其Gitlab帐户,对于身份验证本身并不重要).
I don't know what is the purpose of attributes in the context of an authentication (edit: attributes are used to synchronize user data from ldap to its Gitlab account, it shouldn't matter for the authentication itself).
如果您不知道使用uid,也许还有其他问题,例如用户的uid不是'user.name',或者基数太窄(user.name条目可能不在ou=people下). base dn作为基本搜索,或者通过运行带有/不带有"ou"部分的搜索来检查:
Maybe there are other issues like the user's uid not being 'user.name', or the base being too narrow for example (user.name entry may not be under ou=people), if you don't know use the base dn as base search, or check by running a search with/without the 'ou' part :
ldapsearch -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -b ou=people,dc=serverX,dc=lan uid=user.name \*
我还将直接针对ldap检查凭证本身,即.而不是通过Gitlab,通过执行大致相同的查询,但使用 user.name 绑定,在这里,我们实际上测试了他是否可以绑定并读取其自己的条目:
I'd also check the credentials themselves directly against ldap , ie. not through Gitlab, by performing roughly the same query but using user.name bindings, here we actually tests that he can bind and read its own entry :
ldapsearch -H ldap://10.0.0.1:389 -D <user.name dn> -W -b <user.name dn> -s base \*
GitLab文档还坚持认为 LDAP用户必须设置一个电子邮件地址,无论是否用于登录.
Also GitLab documentation insists on the fact that LDAP users must have an email address set, regardless of whether it is used to log in.
一个典型的ldif文件,其中包含要使用ldapadd -f创建的user.name条目(前提是存在以其专有名称提及的ou和dc):
A typical ldif file containing user.name entry to be created using ldapadd -f (provided that the ou and dc's mentioned in its distinguished name exists) would look like this :
# user.name entry
dn: uid=user.name,ou=users,dc=serverX,dc=lan
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Firstname Lastname
givenName: Firstname
sn: Lastname
uid: user.name
mail: user.name@domain.com
userPassword: {MD5}<base64EncodedHash>
我不知道GitLab是否/如何知道密码加密方案(似乎对此没有配置,或者我错过了).
I don't know though if/how GitLab is aware of the password encryption scheme (seems there is no config for this or I missed it).
您可以创建一个测试案例条目:
You can create a test case entry :
<base64EncodedHash>替换为{MD5}CY9rzUYh03PK3k6DJie09g==(它表示密码test,如果需要,我需要一个脚本来生成它们). ldapadd -x -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -f ldifFilename以创建用户条目. <base64EncodedHash> with {MD5}CY9rzUYh03PK3k6DJie09g== (it represents the password test, if you need I have a script to generate them). ldapadd -x -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -f ldifFilename to create the user entry. 在gitlab.rb中:
In gitlab.rb :
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
label: 'Gitlab LDAP'
host: '10.0.0.1'
port: 389
uid: 'uid'
bind_dn: 'cn=admin,ou=users,dc=serverX,dc=lan'
password: 'xxxx'
encryption: 'plain'
active_directory: false
allow_username_or_email_login: false
block_auto_created_users: false
base: 'ou=users,dc=serverX,dc=lan'
如果您可以与此用户绑定但不能通过gitlab ui绑定,则可能意味着它不处理{MD5}身份验证方案.
If you can bind with this user but not through gitlab ui, that could mean it does not handle the {MD5} authentication scheme.