How to restrict access to Gitlab by LDAP group (with LDAP search filter)?

I have a running Gitlab CE installation with LDAP authentication. Now I want to restrict the access based on group membership.

The option user_filter seems to be the option to go with. However, I can't seem to get anyone to be allowed to login based on group membership.

What I tried is this (gitlabaccess being the group that should be allowed to login):

user_filter: '(&(objectclass=group)(samaccountname=gitlabaccess))'

or:

user_filter: '(memberOf=cn=gitlabaccess,DC=my,DC=domain,DC=com)'

The documentation states the following but it also doesn't work and I have no idea what the numbers should be:

user_filter: '(memberOf:1.2.840.113556.1.4.1941:=cn=gitlabaccess,DC=my,DC=domain,DC=com)'

Specific users work like this:

user_filter: '(&(objectclass=user)(samaccountname=jon.doe))'

Gitlab CE version 9.5.5 installed from omnibus package.

How can one restrict the access to Gitlab based on LDAP group membership?


Solution 1:

I figured it out. You need to specify the whole path to the group with all OU's. In my case this was:

user_filter: '(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'

As pointed out in the comments, the above query only returns direct members of the group. If you also want to include members of nested groups you will have to add :1.2.840.113556.1.4.1941: to memberOf like so:

user_filter: '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'

If you want to add a specific user, use this:

user_filter: '(|(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))(&(objectClass=user)(sAMAccountName=jon.doe)))'