Diffstat (limited to 'doc/administration/auth/ldap/index.md')
-rw-r--r-- | doc/administration/auth/ldap/index.md | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md index 0c7bd33c2c1..7687f7c9340 100644 --- a/doc/administration/auth/ldap/index.md +++ b/doc/administration/auth/ldap/index.md @@ -270,7 +270,7 @@ These LDAP sync configuration settings are available: | Setting | Description | Required | Examples | |-------------------|-------------|----------|----------| -| `group_base` | Base used to search for groups. | **{dotted-circle}** No | `'ou=groups,dc=gitlab,dc=example'` | +| `group_base` | Base used to search for groups. | **{dotted-circle}** No (required when `external_groups` is configured) | `'ou=groups,dc=gitlab,dc=example'` | | `admin_group` | The CN of a group containing GitLab administrators. Not `cn=administrators` or the full DN. | **{dotted-circle}** No | `'administrators'` | | `external_groups` | An array of CNs of groups containing users that should be considered external. Not `cn=interns` or the full DN. | **{dotted-circle}** No | `['interns', 'contractors']` | | `sync_ssh_keys` | The LDAP attribute containing a user's public SSH key. | **{dotted-circle}** No | `'sshPublicKey'` or false if not set | 
@@ -1031,6 +1031,25 @@ See [Google Secure LDAP](google_secure_ldap.md) for detailed configuration instr For more information on synchronizing users and groups between LDAP and GitLab, see [LDAP synchronization](ldap_synchronization.md). +## Move from LDAP to SAML + +1. [Configure SAML](../../../integration/saml.md). Add `auto_link_ldap_user` to: + - [`gitlab.rb` for Omnibus](../../../integration/saml.html?tab=Linux+package+%28Omnibus%29). + - [`values.yml` for Kubernetes](../../../integration/saml.html?tab=Helm+chart+%28Kubernetes%29). + For more information, see the [initial settings for all providers](../../../integration/omniauth.md#configure-initial-settings). + +1. Optional. [Disable the LDAP auth from the sign-in page](#disable-ldap-web-sign-in). + +1. Optional. To fix issues with linking users, you can first [remove those users' LDAP identities](ldap-troubleshooting.md#remove-the-identity-records-that-relate-to-the-removed-ldap-server). + +1. Confirm that users are able to sign in to their accounts. If a user cannot sign in, check if that user's LDAP is still there and remove it if necessary. If this issue persists, check the logs to identify the problem. + +1. In the configuration file, change: + - `omniauth_auto_link_user` to `saml` only. + - `omniauth_auto_link_ldap_user` to false. + - `ldap_enabled` to `false`. + You can also comment out the LDAP provider settings. + ## Troubleshooting See our [administrator guide to troubleshooting LDAP](ldap-troubleshooting.md). |
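Review bot: In the first hunk (the `group_base` row at line 270), the new dependency is recorded only on the `group_base` side; the `external_groups` row a few lines below still reads as if it stood alone, so an administrator who sets `external_groups` without `group_base` has no cue in the row they are actually editing. Suggest mirroring the note there, e.g. "An array of CNs of groups containing users that should be considered external. Requires `group_base`. Not `cn=interns` or the full DN.", so both rows state the same constraint.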
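Review bot: In the second hunk (the new "Move from LDAP to SAML" section), the setting names are inconsistent between steps: step 1 tells the reader to add `auto_link_ldap_user`, while the final step refers to `omniauth_auto_link_ldap_user` and `omniauth_auto_link_user`, so it is not clear these are the same key; pick one spelling and use it in both places, and put `false` in backticks in "`omniauth_auto_link_ldap_user` to false" to match "`ldap_enabled` to `false`" on the next line. The sign-in check step is also vague: "check if that user's LDAP is still there" should name the object, i.e. the user's LDAP identity record, which is what the troubleshooting link in the previous step removes. Finally, the two tab links use `saml.html?tab=...` whereas every other link in this file (including `[Configure SAML](../../../integration/saml.md)` in the same step) uses the `.md` form; consider the `.md` form with the tab query so the links are rendered the same way as the rest of the page.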