PasseRR

xie__hai@sina.com

GitLab: integrating LDAP login and DingTalk QR-code login

11 Mar 2022 » operation

Integrating LDAP

  1. Edit the gitlab.rb configuration
     gitlab_rails['ldap_enabled'] = true
     gitlab_rails['prevent_ldap_sign_in'] = false
        
     ###! **remember to close this block with 'EOS' below**
     gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
       main: # 'main' is the GitLab 'provider ID' of this LDAP server
         label: 'LDAP login'
         host: 'localhost'
         port: 389
         # directory attribute used as the GitLab login name
         uid: 'cn'
         # DN GitLab binds with to search the directory
         bind_dn: 'cn=admin,dc=hightop,dc=com'
         # password of that bind DN ('mima' is a placeholder)
         password: 'mima'
         encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
         verify_certificates: false
         allow_username_or_email_login: true
         # keep automatically created users blocked until an admin unblocks them
         #block_auto_created_users: false
         # user entries under this base should have objectClass inetOrgPerson
         base: 'ou=employee,dc=hightop,dc=com'
         # LDAP filter restricting which entries may sign in
         #user_filter: ''
         # the password is checked against the entry's userPassword attribute
         attributes:
           username: 'cn'
           email:    'mail'
           name:       'sn'
           first_name: 'sn'
           last_name:  'sn'
     EOS

     Caveat: encryption 'plain' sends the bind password and every user's password over the network in cleartext; it is only defensible when the directory runs on the same host, as with localhost here. For a remote directory use 'start_tls' or 'simple_tls' and set verify_certificates to true, otherwise a man-in-the-middle can present any certificate. The bind_dn above is the directory's admin DN; a read-only service account is enough for GitLab's searches.
    
  2. Reconfigure to apply the change
     gitlab-ctl reconfigure
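An added example, not code from the post or from GitLab: a small Ruby script that parses the same YAML block gitlab.rb hands to YAML.load and reports the settings a reviewer would flag in the configuration above, then shows a hardened variant that passes clean. The post's values are kept where shown; the hostname ldap.hightop.com, the gitlab-ro service account, the gitlab-users group and the memberOf-based user_filter are assumptions.

```ruby
require 'yaml'

# Constructed input, not from the post's server: the LDAP block as the post
# configures it, fed to the same YAML parser gitlab.rb uses.
WEAK_LDAP_YAML = <<~'EOS'
  main:
    label: 'LDAP login'
    host: 'localhost'
    port: 389
    uid: 'cn'
    bind_dn: 'cn=admin,dc=hightop,dc=com'
    password: 'mima'
    encryption: 'plain'
    verify_certificates: false
    allow_username_or_email_login: true
    base: 'ou=employee,dc=hightop,dc=com'
    attributes:
      username: 'cn'
      email: 'mail'
EOS

# Assumed hardened variant: STARTTLS with certificate checks, a read-only
# service account (gitlab-ro is a made-up name), a group-restricted user_filter
# (memberOf needs the OpenLDAP memberof overlay) and blocked auto-created users.
HARDENED_LDAP_YAML = <<~'EOS'
  main:
    label: 'LDAP login'
    host: 'ldap.hightop.com'
    port: 389
    uid: 'cn'
    bind_dn: 'cn=gitlab-ro,ou=services,dc=hightop,dc=com'
    password: 'mima'
    encryption: 'start_tls'
    verify_certificates: true
    allow_username_or_email_login: true
    block_auto_created_users: true
    base: 'ou=employee,dc=hightop,dc=com'
    user_filter: '(&(objectClass=inetOrgPerson)(memberOf=cn=gitlab-users,ou=groups,dc=hightop,dc=com))'
    attributes:
      username: 'cn'
      email: 'mail'
EOS

LOOPBACK_HOSTS = %w[localhost 127.0.0.1 ::1].freeze

# Audit one provider block; returns an array of { level:, msg: } findings.
def audit_ldap_server(name, cfg)
  findings = []
  add = ->(level, msg) { findings << { level: level, msg: "#{name}: #{msg}" } }

  encryption = cfg.fetch('encryption', 'plain')
  if encryption == 'plain'
    # Cleartext LDAP exposes the bind password and every user's password to
    # anyone on the path; on loopback that path is only the local host.
    level = LOOPBACK_HOSTS.include?(cfg['host']) ? :low : :high
    add.(level, "encryption 'plain' to #{cfg['host']} sends bind and user passwords in cleartext")
  elsif cfg['verify_certificates'] == false
    add.(:high, 'verify_certificates: false accepts any certificate, so TLS does not stop an active attacker')
  end

  if cfg['bind_dn'].to_s.downcase.start_with?('cn=admin,')
    add.(:medium, 'bind_dn is the directory admin; GitLab only needs a read-only search account')
  end
  if cfg['user_filter'].to_s.strip.empty?
    add.(:medium, "no user_filter: every entry under #{cfg['base']} may sign in")
  end
  unless cfg['block_auto_created_users'] == true
    add.(:low, 'block_auto_created_users is off: new LDAP accounts are usable before anyone reviews them')
  end
  findings
end

# Audit every provider in a gitlab_rails['ldap_servers'] YAML document.
def audit_ldap_servers(yaml_text)
  YAML.safe_load(yaml_text).flat_map { |name, cfg| audit_ldap_server(name, cfg) }
end

if __FILE__ == $PROGRAM_NAME
  { 'post config' => WEAK_LDAP_YAML, 'hardened' => HARDENED_LDAP_YAML }.each do |title, yaml|
    puts "== #{title}"
    audit_ldap_servers(yaml).each { |f| puts "  [#{f[:level]}] #{f[:msg]}" }
  end
end
```

The plain-encryption finding is rated low only because the post points GitLab at localhost; changing the host to anything else turns it into a high finding, which is the case a remote directory server puts you in.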
    

Integrating DingTalk QR-code login

  1. Create a DingTalk application and record its appKey and appSecret
  2. Edit the gitlab.rb configuration
     # automatically link sign-ins to the matching LDAP user
     gitlab_rails['omniauth_auto_link_ldap_user'] = true
     gitlab_rails['omniauth_providers'] = [
         {
           name: "dingtalk",
           # text shown on the login button
           label: "DingTalk",
           # replace with the application's appKey and appSecret
           app_id: "appKey",
           app_secret: "appSecret"
         }
       ]
    
  3. QR-code login for existing LDAP users

    The LDAP attribute configured as uid (cn above) must hold the user's userId as returned by the DingTalk user API; that is the value omniauth_auto_link_ldap_user matches on. Users who are not in LDAP must sign in some other way and bind their DingTalk account themselves.

  4. Binding existing GitLab users to LDAP users

    Change the existing user's email address to the one stored in LDAP (the mail attribute). After that the LDAP login resolves to the existing account, the original standard (password) login still works, and DingTalk QR-code login works as well.

  5. Reconfigure GitLab to apply the changes
     gitlab-ctl reconfigure
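To make steps 3 and 4 concrete, here is an added example, not GitLab's own code: a simplified Ruby model of how a DingTalk sign-in is resolved when omniauth_auto_link_ldap_user is on. The directory entries, users, e-mail addresses and DingTalk userIds are constructed; the resolution order (an existing identity, then an LDAP entry whose uid attribute equals the DingTalk userId, then an account with the same primary e-mail, then a new account) follows the behaviour the post describes, and the last branch is the "bind it yourself" case for people who are not in LDAP.

```ruby
# Simplified model of the sign-in resolution GitLab performs with
# omniauth_auto_link_ldap_user = true. Added example, not GitLab's code; the
# directory entries, users and DingTalk userIds below are constructed.

def fresh_state
  {
    # LDAP entries keyed by the attribute mapped to `uid:` (cn in the post),
    # which must equal the DingTalk userId for auto-linking to work.
    ldap: {
      'manager1234' => { dn: 'cn=manager1234,ou=employee,dc=hightop,dc=com', mail: 'zhang.san@hightop.com' },
      'manager5678' => { dn: 'cn=manager5678,ou=employee,dc=hightop,dc=com', mail: 'li.si@hightop.com' },
    },
    # GitLab users; identities are [provider, extern_uid] pairs.
    users: [
      { id: 1, email: 'zhang.san@hightop.com', identities: [] }, # local account whose e-mail was set to the LDAP mail (step 4)
      { id: 2, email: 'wang.wu@hightop.com', identities: [] },   # local account with no LDAP entry
    ],
  }
end

def find_by_identity(users, provider, extern_uid)
  users.find { |u| u[:identities].include?([provider, extern_uid]) }
end

def link!(user, provider, extern_uid)
  pair = [provider, extern_uid]
  user[:identities] << pair unless user[:identities].include?(pair)
  user
end

# LDAP sign-in (provider 'ldapmain'): an existing identity, else the account
# whose primary e-mail equals the entry's mail, else a new account.
def ldap_sign_in(state, uid)
  entry = state[:ldap][uid]
  return { outcome: :invalid_credentials } unless entry

  if (user = find_by_identity(state[:users], 'ldapmain', entry[:dn]))
    return { outcome: :existing, user_id: user[:id] }
  end
  if (user = state[:users].find { |u| u[:email] == entry[:mail] })
    link!(user, 'ldapmain', entry[:dn])
    return { outcome: :linked_by_email, user_id: user[:id] }
  end
  user = { id: state[:users].map { |u| u[:id] }.max.to_i + 1, email: entry[:mail], identities: [] }
  link!(user, 'ldapmain', entry[:dn])
  state[:users] << user
  { outcome: :created, user_id: user[:id] }
end

# DingTalk sign-in: the OmniAuth uid is the DingTalk userId.
def dingtalk_sign_in(state, dingtalk_user_id, auto_link_ldap: true)
  if (user = find_by_identity(state[:users], 'dingtalk', dingtalk_user_id))
    return { outcome: :existing, user_id: user[:id] }
  end
  if auto_link_ldap && state[:ldap].key?(dingtalk_user_id)
    # Step 3: an LDAP entry whose uid attribute equals the userId is resolved
    # as an LDAP sign-in, and the DingTalk identity is attached to that account.
    via = ldap_sign_in(state, dingtalk_user_id)
    user = state[:users].find { |u| u[:id] == via[:user_id] }
    link!(user, 'dingtalk', dingtalk_user_id)
    return { outcome: :auto_linked_via_ldap, via: via[:outcome], user_id: user[:id] }
  end
  # No LDAP entry matches the userId: the person must sign in another way and
  # connect DingTalk from their profile.
  { outcome: :manual_bind_required }
end

if __FILE__ == $PROGRAM_NAME
  state = fresh_state
  %w[manager1234 manager1234 manager5678 wangwu9999].each do |uid|
    puts "#{uid}: #{dingtalk_sign_in(state, uid).inspect}"
  end
end
```

The first scan by manager1234 lands on user 1 because the e-mail was aligned in step 4; a second scan is a plain identity match. manager5678 has an LDAP entry but no GitLab account, so an account is created and both identities are attached. A userId with no LDAP entry never gets an account from the scan alone.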