gitlab.com/gitlab-org/gitlab-foss.git
Diffstat (limited to 'doc/administration/auth/ldap')
-rw-r--r-- doc/administration/auth/ldap/img/multi_login.png bin 12689 -> 0 bytes
-rw-r--r-- doc/administration/auth/ldap/index.md 141
-rw-r--r-- doc/administration/auth/ldap/ldap-troubleshooting.md 20
-rw-r--r-- doc/administration/auth/ldap/ldap_synchronization.md 2
4 files changed, 81 insertions, 82 deletions
diff --git a/doc/administration/auth/ldap/img/multi_login.png b/doc/administration/auth/ldap/img/multi_login.png
deleted file mode 100644
index 512f403a442..00000000000
--- a/doc/administration/auth/ldap/img/multi_login.png
+++ /dev/null
Binary files differ
diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md
index 05eee338e64..2f0a0db9d6f 100644
--- a/doc/administration/auth/ldap/index.md
+++ b/doc/administration/auth/ldap/index.md
@@ -75,7 +75,7 @@ To configure LDAP integration, add your LDAP server settings in:
- `/home/git/gitlab/config/gitlab.yml` for source install instances.
After configuring LDAP, to test the configuration, use the
-[LDAP check Rake task](../../raketasks/check.md#ldap-check).
+[LDAP check Rake task](../../raketasks/ldap.md#check).
NOTE:
The `encryption` value `simple_tls` corresponds to 'Simple TLS' in the LDAP
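Review bot: The Rake task link changes both the file and the fragment, from check.md#ldap-check to ldap.md#check, and the diffstat is limited to doc/administration/auth/ldap, so neither the new page nor its heading is visible in this change. Please confirm that raketasks/ldap.md has a heading that renders as #check, since this is the link administrators follow to validate their LDAP configuration.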
@@ -95,42 +95,42 @@ This example shows configuration for Omnibus GitLab instances:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = {
-'main' => {
- 'label' => 'LDAP',
- 'host' => 'ldap.mydomain.com',
- 'port' => 389,
- 'uid' => 'sAMAccountName',
- 'encryption' => 'simple_tls',
- 'verify_certificates' => true,
- 'bind_dn' => '_the_full_dn_of_the_user_you_will_bind_with',
- 'password' => '_the_password_of_the_bind_user',
- 'tls_options' => {
- 'ca_file' => '',
- 'ssl_version' => '',
- 'ciphers' => '',
- 'cert' => '',
- 'key' => ''
- },
- 'timeout' => 10,
- 'active_directory' => true,
- 'allow_username_or_email_login' => false,
- 'block_auto_created_users' => false,
- 'base' => 'dc=example,dc=com',
- 'user_filter' => '',
- 'attributes' => {
- 'username' => ['uid', 'userid', 'sAMAccountName'],
- 'email' => ['mail', 'email', 'userPrincipalName'],
- 'name' => 'cn',
- 'first_name' => 'givenName',
- 'last_name' => 'sn'
- },
- 'lowercase_usernames' => false,
-
- # EE Only
- 'group_base' => '',
- 'admin_group' => '',
- 'external_groups' => [],
- 'sync_ssh_keys' => false
+ 'main' => {
+ 'label' => 'LDAP',
+ 'host' => 'ldap.mydomain.com',
+ 'port' => 389,
+ 'uid' => 'sAMAccountName',
+ 'encryption' => 'simple_tls',
+ 'verify_certificates' => true,
+ 'bind_dn' => '_the_full_dn_of_the_user_you_will_bind_with',
+ 'password' => '_the_password_of_the_bind_user',
+ 'tls_options' => {
+ 'ca_file' => '',
+ 'ssl_version' => '',
+ 'ciphers' => '',
+ 'cert' => '',
+ 'key' => ''
+ },
+ 'timeout' => 10,
+ 'active_directory' => true,
+ 'allow_username_or_email_login' => false,
+ 'block_auto_created_users' => false,
+ 'base' => 'dc=example,dc=com',
+ 'user_filter' => '',
+ 'attributes' => {
+ 'username' => ['uid', 'userid', 'sAMAccountName'],
+ 'email' => ['mail', 'email', 'userPrincipalName'],
+ 'name' => 'cn',
+ 'first_name' => 'givenName',
+ 'last_name' => 'sn'
+ },
+ 'lowercase_usernames' => false,
+
+ # EE Only
+ 'group_base' => '',
+ 'admin_group' => '',
+ 'external_groups' => [],
+ 'sync_ssh_keys' => false
}
}
```
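Review bot: In the Omnibus example, 'port' => 389 sits next to 'encryption' => 'simple_tls', while the three-server example later in this file uses 636. Simple TLS (LDAPS) conventionally listens on 636, and 389 is the plain or StartTLS port, so a reader who copies this block is likely to hit a failed handshake and may respond by weakening the encryption setting. Since these lines are being re-indented anyway, consider changing the port to 636 so the example is consistent with its own encryption value.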
@@ -248,33 +248,34 @@ The following example shows how to configure three LDAP servers in `gitlab.rb`:
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
-'main' => {
- 'label' => 'GitLab AD',
- 'host' => 'ad.example.org',
- 'port' => 636,
- ...
+ 'main' => {
+ 'label' => 'GitLab AD',
+ 'host' => 'ad.example.org',
+ 'port' => 636,
+ ...
},
-'secondary' => {
- 'label' => 'GitLab Secondary AD',
- 'host' => 'ad-secondary.example.net',
- 'port' => 636,
- ...
+ 'secondary' => {
+ 'label' => 'GitLab Secondary AD',
+ 'host' => 'ad-secondary.example.net',
+ 'port' => 636,
+ ...
},
-'tertiary' => {
- 'label' => 'GitLab Tertiary AD',
- 'host' => 'ad-tertiary.example.net',
- 'port' => 636,
- ...
+ 'tertiary' => {
+ 'label' => 'GitLab Tertiary AD',
+ 'host' => 'ad-tertiary.example.net',
+ 'port' => 636,
+ ...
}
-
}
```
-This example results in the following sign-in page:
+This example results in a sign-in page with the following tabs:
-![Multiple LDAP servers sign in](img/multi_login.png)
+- **GitLab AD**.
+- **GitLab Secondary AD**.
+- **GitLab Tertiary AD**.
### Set up LDAP user filter
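Review bot: The bare ... placeholder after 'port' => 636 in each of the three server hashes is not valid inside a Ruby hash literal, so the block fails to parse if pasted into gitlab.rb. The user filter example further down this file uses the comment form # snip... for the same purpose; using it here would keep the examples consistent and copyable. Separately, with img/multi_login.png deleted in this commit, check that no page outside this directory still references it.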
@@ -286,9 +287,9 @@ necessary, you can set up an LDAP user filter. The filter must comply with [RFC
```ruby
gitlab_rails['ldap_servers'] = {
- 'main' => {
- # snip...
- 'user_filter' => '(employeeType=developer)'
+ 'main' => {
+ # snip...
+ 'user_filter' => '(employeeType=developer)'
}
}
```
@@ -363,9 +364,9 @@ the configuration option `lowercase_usernames`. By default, this configuration o
```ruby
gitlab_rails['ldap_servers'] = {
- 'main' => {
- # snip...
- 'lowercase_usernames' => true
+ 'main' => {
+ # snip...
+ 'lowercase_usernames' => true
}
}
```
@@ -444,15 +445,15 @@ If initially your LDAP configuration looked like:
1. In `/etc/gitlab/gitlab.rb`:
- ```ruby
- gitlab_rails['ldap_servers'] = {
- 'main' => {
- # snip...
- 'bind_dn' => 'admin',
- 'password' => '123'
- }
- }
- ```
+ ```ruby
+ gitlab_rails['ldap_servers'] = {
+ 'main' => {
+ # snip...
+ 'bind_dn' => 'admin',
+ 'password' => '123'
+ }
+ }
+ ```
1. Edit the encrypted secret:
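Review bot: In the re-indented block, 'bind_dn' => 'admin' is not a distinguished name, whereas the main example in this file describes the key as '_the_full_dn_of_the_user_you_will_bind_with'. A reader following the encrypted-secret steps may carry the short form over into the secret file and get a bind failure. Suggest a DN-shaped sample value under the dc=example,dc=com base used elsewhere in this file, and using the same value in the step that edits the encrypted secret.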
diff --git a/doc/administration/auth/ldap/ldap-troubleshooting.md b/doc/administration/auth/ldap/ldap-troubleshooting.md
index c7572ec0a18..64ef27cbf51 100644
--- a/doc/administration/auth/ldap/ldap-troubleshooting.md
+++ b/doc/administration/auth/ldap/ldap-troubleshooting.md
@@ -181,7 +181,7 @@ The user should now be able to sign in.
#### Email has already been taken
A user tries to sign in with the correct LDAP credentials, is denied access,
-and the [production.log](../../logs.md#productionlog) shows an error that looks like this:
+and the [production.log](../../logs/index.md#productionlog) shows an error that looks like this:
```plaintext
(LDAP) Error saving user <USER DN> (email@example.com): ["Email has already been taken"]
@@ -210,8 +210,8 @@ This shows you which user has this email address. One of two steps must be taken
remove this email as a secondary email and make it a primary one so GitLab
associates this profile to the LDAP identity.
-The user can do either of these steps [in their
-profile](../../../user/profile/index.md#access-your-user-profile) or an administrator can do it.
+The user can do either of these steps
+[in their profile](../../../user/profile/index.md#access-your-user-profile) or an administrator can do it.
#### Projects limit errors
@@ -426,13 +426,12 @@ Rails.logger.level = Logger::DEBUG
LdapAllGroupsSyncWorker.new.perform
```
-Next, [learn how to read the
-output](#example-console-output-after-a-group-sync).
+Next, [learn how to read the output](#example-console-output-after-a-group-sync).
##### Example console output after a group sync
-Like the output from the user sync, the output from the [manual group
-sync](#sync-all-groups) is also very verbose. However, it contains lots
+Like the output from the user sync, the output from the
+[manual group sync](#sync-all-groups) is also very verbose. However, it contains lots
of helpful information.
Indicates the point where syncing actually begins:
@@ -644,10 +643,10 @@ users, [see what to do when no users are found](#no-users-are-found).
### GitLab logs
If a user account is blocked or unblocked due to the LDAP configuration, a
-message is [logged to `application.log`](../../logs.md#applicationlog).
+message is [logged to `application.log`](../../logs/index.md#applicationlog).
If there is an unexpected error during an LDAP lookup (configuration error,
-timeout), the sign-in is rejected and a message is [logged to `production.log`](../../logs.md#productionlog).
+timeout), the sign-in is rejected and a message is [logged to `production.log`](../../logs/index.md#productionlog).
### ldapsearch
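Review bot: Both log links in this hunk, and the production.log link in the "Email has already been taken" hunk above, now point at ../../logs/index.md, which is outside this diffstat. Please confirm that the #applicationlog and #productionlog headings exist unchanged on the new page; these links are what an administrator follows when diagnosing blocked accounts and rejected sign-ins, so a dead fragment here costs time during an incident.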
@@ -743,8 +742,7 @@ For instructions about how to use the rails console, refer to this
This provides debug output that shows what GitLab is doing and with what.
This value is not persisted, and is only enabled for this session in the Rails console.
-To enable debug output in the rails console, [enter the rails
-console](#rails-console) and run:
+To enable debug output in the rails console, [enter the rails console](#rails-console) and run:
```ruby
Rails.logger.level = Logger::DEBUG
diff --git a/doc/administration/auth/ldap/ldap_synchronization.md b/doc/administration/auth/ldap/ldap_synchronization.md
index b0ada1c11dd..62706a9e3b9 100644
--- a/doc/administration/auth/ldap/ldap_synchronization.md
+++ b/doc/administration/auth/ldap/ldap_synchronization.md
@@ -128,7 +128,7 @@ To take advantage of group sync, group Owners or users with the [Maintainer role
### Add group links
For information on adding group links by using CNs and filters, refer to the
-[GitLab groups documentation](../../../user/group/index.md#manage-group-memberships-via-ldap).
+[GitLab groups documentation](../../../user/group/access_and_permissions.md#manage-group-memberships-via-ldap).
### Administrator sync
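Review bot: The fragment #manage-group-memberships-via-ldap is kept while the path moves from user/group/index.md to user/group/access_and_permissions.md, and the target file is not part of this diffstat. Please confirm that the heading was moved with the same title, otherwise the link lands at the top of the page instead of the group link instructions.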