Http clone with LDAP authentication in Gitlab

I’m beginning to change the title of the blog to Gitlab something 🙂 But it is the current focus at my day job, so it can’t be helped. Anyway, LDAP for the Gitlab web UI is pretty easy to set up and use, and it works beautifully. Devise and omniauth are driving it and that is pretty much it. However, if you would like HTTP access to repositories, with LDAP authenticating the users, it won’t work. The reason is that UI access goes through Devise, but repo access doesn’t. The grack_auth.rb file is the key to the repo access process.

The main idea is to use the plain Ruby Net::LDAP gem to authenticate the user directly against LDAP, while using the LDAP settings Gitlab provides. I couldn’t find a way to hook this into the Devise flow, hence this approach. If anybody knows how to manually authenticate using Devise, please let me know! I suppose some future version of Gitlab will solve this, but for versions <= 3.1.0 this is usable and actually works in a production environment at my day job.

There are actually two versions of the fix. The latest version, which applies to the latest master, assumes the username for the User is filled in when the user is added after first-time login (or updated later). The stable (3.1.0 or less) fix works a bit differently: it first tries to authenticate the user with LDAP and uses the provided user email to continue. More details can be found in the provided gists:

* latest / master version: https://gist.github.com/4195057
* stable (<=3.1.0) version: https://gist.github.com/4195080

Feel free to apply it in your environment and let me know if it works.
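The stable-version flow described above (authenticate the HTTP Basic credentials against LDAP, then continue with the returned email), as an added example that is not taken from the gists or from Gitlab. The settings keys, function names and the injectable `binder` are assumptions; the empty-password check and filter escaping are caveats added here.

```ruby
# Constructed settings; in practice these would come from Gitlab's LDAP
# configuration (the key names used here are assumptions).
LDAP_SETTINGS = {
  host: 'ldap.example.test', port: 636, base: 'dc=example,dc=test', uid: 'uid',
  bind_dn: 'cn=svc,dc=example,dc=test', password: 'svc-secret'
}.freeze

# Escape RFC 4515 filter metacharacters so a login cannot alter the search filter.
def escape_filter(value)
  value.gsub(/[\\*()\0]/) { |c| format('\\%02x', c.ord) }
end

# Split an "Authorization: Basic ..." header into [login, password], or nil.
def parse_basic_auth(header)
  scheme, payload = header.to_s.split(' ', 2)
  return nil unless scheme.to_s.casecmp('basic').zero? && payload
  login, password = payload.unpack1('m').split(':', 2)
  login && password ? [login, password] : nil
end

# Default binder: find the user with the service account, then bind as that
# user. net-ldap is required lazily so the rest runs without the gem.
NET_LDAP_BINDER = lambda do |settings, filter, password|
  require 'net/ldap'
  ldap = Net::LDAP.new(host: settings[:host], port: settings[:port],
                       encryption: :simple_tls,
                       auth: { method: :simple, username: settings[:bind_dn],
                               password: settings[:password] })
  entries = ldap.bind_as(base: settings[:base], filter: filter, password: password)
  entries ? entries.first[:mail].first : nil
end

# Returns the user's mail attribute on success, nil on any failure.
def ldap_authenticate(header, settings = LDAP_SETTINGS, binder = NET_LDAP_BINDER)
  login, password = parse_basic_auth(header)
  # An empty password turns a simple bind into an unauthenticated bind
  # (RFC 4513), which many servers report as success: reject it up front.
  return nil if login.nil? || login.empty? || password.empty?
  binder.call(settings, "(#{settings[:uid]}=#{escape_filter(login)})", password)
end
```

The caller would then look up the Gitlab user by the returned email and treat `nil` as a failed login.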

Update: found another approach @ https://github.com/gitlabhq/gitlabhq/issues/1349. It is not a pull request but maybe you’ll like this approach better.