How to restrict access to Gitlab by LDAP group (with LDAP search filter)?
I have a running Gitlab CE installation with LDAP authentication. Now I want to restrict the access based on group membership.
The option user_filter seems to be the option to go with. However, I can't seem to get anyone to be allowed to log in based on group membership.
What I tried is this (gitlabaccess being the group that should be allowed to log in):
user_filter: '(&(objectclass=group)(samaccountname=gitlabaccess))'
or:
user_filter: '(memberOf=cn=gitlabaccess,DC=my,DC=domain,DC=com)'
The documentation states the following but it also doesn't work and I have no idea what the numbers should be:
user_filter: '(memberOf:1.2.840.113556.1.4.1941:=cn=gitlabaccess,DC=my,DC=domain,DC=com)'
Specific users work like this:
user_filter: '(&(objectclass=user)(samaccountname=jon.doe))'
Gitlab CE version 9.5.5, installed from the omnibus package.
How can one restrict the access to Gitlab based on LDAP group membership?
Solution 1:
I figured it out. You need to specify the whole path to the group, with all OUs. In my case this was:
user_filter: '(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'
As pointed out in the comments, the above query only returns direct members of the group. If you also want to include members of nested groups, you will have to add :1.2.840.113556.1.4.1941: to memberOf like so:
user_filter: '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))'
If you want to add a specific user, use this:
user_filter: '(|(&(objectClass=user)(memberOf=CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,DC=my,DC=domain,DC=com))(&(objectClass=user)(sAMAccountName=jon.doe)))'
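The following Ruby script is an added example, not code from the answer above or from GitLab itself. It builds the three user_filter variants shown in the answer (direct members, nested members via the 1.2.840.113556.1.4.1941 matching rule, and an extra named user), escapes filter values per RFC 4515 so a group name or account name containing `(`, `)`, `*` or `\` cannot break the filter, and then runs both filters against a constructed toy directory to show why the plain memberOf filter misses users who are only members through a nested group. The directory contents, user names and the devs/ops group DNs are made up for the demonstration; the gitlabaccess DN is the one from the answer.

```ruby
# Added example (not part of the original answer or of GitLab): building and
# sanity-checking GitLab LDAP user_filter values for AD group membership.

# RFC 4515: characters that are special inside an LDAP filter value must be
# written as \XX hex escapes. Use this on anything interpolated into a filter.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

BASE     = 'DC=my,DC=domain,DC=com'
GROUP_DN = "CN=gitlabaccess,OU=mail-distribution-groups,OU=staff,#{BASE}"
# Active Directory extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN: the
# server follows memberOf transitively instead of comparing it literally.
IN_CHAIN = '1.2.840.113556.1.4.1941'

# Only users whose memberOf attribute literally contains the group DN.
def direct_member_filter(group_dn)
  "(&(objectClass=user)(memberOf=#{ldap_filter_escape(group_dn)}))"
end

# Users that are members of the group directly or through any nested group.
def nested_member_filter(group_dn)
  "(&(objectClass=user)(memberOf:#{IN_CHAIN}:=#{ldap_filter_escape(group_dn)}))"
end

# OR an individual account into an existing filter.
def with_extra_user(filter, sam_account_name)
  "(|#{filter}(&(objectClass=user)(sAMAccountName=#{ldap_filter_escape(sam_account_name)})))"
end

# --- Constructed toy directory (made-up data) -------------------------------
# Each entry records its objectClass and its direct memberOf values.
# devs and ops are nested under gitlabaccess; they also reference each other,
# which is a cycle the transitive walk must survive.
DEVS_DN = "CN=devs,OU=staff,#{BASE}"
OPS_DN  = "CN=ops,OU=staff,#{BASE}"

TOY_DIRECTORY = {
  "CN=jon.doe,OU=staff,#{BASE}"  => { objectClass: 'user',  memberOf: [GROUP_DN] },
  "CN=jane.roe,OU=staff,#{BASE}" => { objectClass: 'user',  memberOf: [DEVS_DN] },
  "CN=sam.lee,OU=staff,#{BASE}"  => { objectClass: 'user',  memberOf: [OPS_DN] },
  "CN=alex.kim,OU=staff,#{BASE}" => { objectClass: 'user',  memberOf: [] },
  DEVS_DN  => { objectClass: 'group', memberOf: [GROUP_DN, OPS_DN] },
  OPS_DN   => { objectClass: 'group', memberOf: [DEVS_DN] },
  GROUP_DN => { objectClass: 'group', memberOf: [] },
}.freeze

# What the plain (memberOf=<dn>) filter returns: literal attribute match only.
def direct_members(dir, group_dn)
  dir.select { |_, e| e[:objectClass] == 'user' && e[:memberOf].include?(group_dn) }.keys.sort
end

# What (memberOf:1.2.840.113556.1.4.1941:=<dn>) returns: follow memberOf
# through intermediate groups; `seen` breaks cycles between groups.
def in_chain?(dir, dn, target, seen = {})
  return false if seen[dn]
  seen[dn] = true
  dir.fetch(dn, { memberOf: [] })[:memberOf].any? do |parent|
    parent == target || in_chain?(dir, parent, target, seen)
  end
end

def chain_members(dir, group_dn)
  dir.select { |dn, e| e[:objectClass] == 'user' && in_chain?(dir, dn, group_dn) }.keys.sort
end

if $PROGRAM_NAME == __FILE__
  puts "direct filter:  #{direct_member_filter(GROUP_DN)}"
  puts "nested filter:  #{nested_member_filter(GROUP_DN)}"
  puts "plus one user:  #{with_extra_user(direct_member_filter(GROUP_DN), 'jon.doe')}"
  puts "direct members: #{direct_members(TOY_DIRECTORY, GROUP_DN).inspect}"
  puts "chain members:  #{chain_members(TOY_DIRECTORY, GROUP_DN).inspect}"
end
```

On the toy directory the plain filter matches only jon.doe, while the in-chain variant also matches jane.roe (via devs) and sam.lee (via ops, nested inside devs); alex.kim is matched by neither. Before pasting a filter into gitlab.rb (it goes under gitlab_rails['ldap_servers'] as the user_filter key), run it through ldapsearch with the same bind DN and base that GitLab uses, for example `ldapsearch -x -H ldap://dc.my.domain.com -D '<bind dn>' -W -b 'DC=my,DC=domain,DC=com' '<filter>' sAMAccountName`, and confirm that exactly the expected accounts come back; after `gitlab-ctl reconfigure`, `sudo gitlab-rake gitlab:ldap:check` lists the users GitLab itself sees with the filter applied.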