GitLab deployment and AD integration


Author: 天堂流浪人 | Published 2018-07-07 15:15, read 21 times

I. Origins

The company has been on SVN for years and has grown tired of it, so, wanting a change of flavour, I set out to try GitLab.

II. Installing GitLab

Since this is an experiment, the simplest route, Docker, was the natural choice.

docker run --detach \
    --publish 7443:443 \
    --publish 7080:80 \
    --publish 7022:22 \
    --name gitlab \
    --restart always \
    --volume /data/gitlab/config:/etc/gitlab \
    --volume /data/gitlab/logs:/var/log/gitlab \
    --volume /data/gitlab/data:/var/opt/gitlab \
    gitlab/gitlab-ce:latest

III. AD domain integration

Any company naturally has a single user directory; you cannot create a separate set of users for every system, so integrating with AD was inevitable. After a round of searching on Baidu and reading through the many pitfalls that others had hit, I put together my own approach, and it worked on the first try, thanks to standing on the shoulders of those who went before.

1. Create a dedicated account for the integration

For ease of configuration, it is recommended to create the user in the domain's built-in Users container. The account created here is:

  Account: ldaponly
  Password: P@ssw0rd

2. Log in to the Docker container and change the LDAP section of /etc/gitlab/gitlab.rb as follows:

The AD domain controller's IP is 172.10.10.1
The AD domain name is corp.local


### LDAP Settings
###! Docs: https://docs.gitlab.com/omnibus/settings/ldap.html
###! **Be careful not to break the indentation in the ldap_servers block. It is
###!   in yaml format and the spaces must be retained. Using tabs will not work.**

gitlab_rails['ldap_enabled'] = true

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: '172.10.10.1'
     port: 389
     uid: 'sAMAccountName'
     bind_dn: 'cn=ldaponly,cn=users,dc=corp,dc=local'
     password: 'P@ssw0rd'
     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
     verify_certificates: true
     active_directory: true
     allow_username_or_email_login: false
     lowercase_usernames: false
     block_auto_created_users: false
     base: 'dc=corp,dc=local'
     user_filter: ''
     ## EE only
     group_base: ''
     admin_group: ''
     sync_ssh_keys: false

#   secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
#     verify_certificates: true
#     active_directory: true
#     allow_username_or_email_login: false
#     lowercase_usernames: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
 EOS

3. Reconfigure GitLab and restart it

#gitlab-ctl reconfigure
.....(omitted)
Running handlers:
Running handlers complete
Chef Client finished, 7/535 resources updated in 32 seconds
gitlab Reconfigured!

#gitlab-ctl restart
.....(omitted)
ok: run: redis-exporter: (pid 31729) 1s
ok: run: sidekiq: (pid 31738) 0s
ok: run: sshd: (pid 31741) 1s
ok: run: unicorn: (pid 31749) 0s

4. Check that the AD integration works

#gitlab-rake gitlab:ldap:check
Checking LDAP ...

Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
    DN: cn=access control assistance operators,cn=builtin,dc=corp,dc=local   sAMAccountName: Access Control Assistance Operators
    DN: cn=account operators,cn=builtin,dc=corp,dc=local     sAMAccountName: Account Operators
.....(omitted)
    DN: cn=iis_iusrs,cn=builtin,dc=corp,dc=local     sAMAccountName: IIS_IUSRS
    DN: cn=incoming forest trust builders,cn=builtin,dc=corp,dc=local    sAMAccountName: Incoming Forest Trust Builders

Checking LDAP ... Finished
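The configuration in step 2 binds to AD with `encryption: 'plain'` on port 389, leaves `user_filter` empty, and does not block auto-created users; the check output in step 4 shows the consequence of the empty filter, since built-in groups such as Account Operators are listed as objects with access. The following is an added example, written for this page and not code from the post or from GitLab: a small Ruby audit that pulls the `ldap_servers` block out of a gitlab.rb fragment, reports those weak settings, and prints a hardened block. The sample gitlab.rb text is constructed to match the post's layout; the function names, the `AD_PERSON_FILTER` (a standard AD filter for enabled person-class user objects), and the choice of `simple_tls` on 636 are my assumptions, not settings from the post.

```ruby
require 'yaml'

# Constructed sample (not a real file): a gitlab.rb fragment shaped like the one
# in the post, with the same weak settings (cleartext bind on 389, empty
# user_filter, auto-created users not blocked).
SAMPLE_GITLAB_RB = <<~'RB'
  gitlab_rails['ldap_enabled'] = true
  gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
     main:
       label: 'LDAP'
       host: '172.10.10.1'
       port: 389
       uid: 'sAMAccountName'
       bind_dn: 'cn=ldaponly,cn=users,dc=corp,dc=local'
       password: 'P@ssw0rd'
       encryption: 'plain'
       verify_certificates: true
       active_directory: true
       block_auto_created_users: false
       base: 'dc=corp,dc=local'
       user_filter: ''
  EOS
RB

# Assumption: restricting logins to enabled, person-class user objects is the
# intended policy. This standard AD filter excludes groups, computers and
# accounts whose userAccountControl has the ACCOUNTDISABLE bit (0x2) set.
AD_PERSON_FILTER =
  '(&(objectClass=user)(objectCategory=person)' \
  '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'.freeze

# Pull the YAML heredoc body out of the gitlab.rb text and parse it into
# { provider_id => settings } using the same heredoc form the post uses.
def extract_ldap_yaml(gitlab_rb)
  m = gitlab_rb.match(/YAML\.load <<-'EOS'\n(.*?)^[ \t]*EOS[ \t]*$/m)
  raise ArgumentError, 'no ldap_servers heredoc found' unless m
  YAML.safe_load(m[1])
end

# Return { provider_id => [finding, ...] }; an empty array means nothing flagged.
def audit_ldap_servers(servers)
  servers.each_with_object({}) do |(provider, cfg), findings|
    issues = []
    if cfg['encryption'] == 'plain'
      issues << 'encryption: plain sends the bind password and every user password in cleartext'
    end
    if cfg['verify_certificates'] == false
      issues << 'verify_certificates: false leaves TLS open to a spoofed directory server'
    end
    if cfg['user_filter'].to_s.strip.empty?
      issues << 'empty user_filter matches any object with a sAMAccountName, groups included'
    end
    unless cfg['block_auto_created_users']
      issues << 'block_auto_created_users: false activates every AD account on first login'
    end
    findings[provider] = issues
  end
end

# Produce a hardened copy of one provider's settings: LDAPS with certificate
# checks, a real user filter, and new accounts blocked until an admin approves.
def harden(cfg)
  cfg.merge(
    'encryption' => 'simple_tls',                     # LDAPS; AD listens on 636 by default
    'port' => (cfg['port'] == 389 ? 636 : cfg['port']),
    'verify_certificates' => true,
    'user_filter' => (cfg['user_filter'].to_s.strip.empty? ? AD_PERSON_FILTER : cfg['user_filter']),
    'block_auto_created_users' => true
  )
end

# Render settings back into the gitlab.rb heredoc form so they can be pasted in.
def render_ldap_block(servers)
  body = servers.to_yaml.sub(/\A---\n/, '')
  "gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'\n#{body}EOS\n"
end

if __FILE__ == $0
  servers = extract_ldap_yaml(SAMPLE_GITLAB_RB)
  audit_ldap_servers(servers).each do |provider, issues|
    puts "#{provider}: #{issues.empty? ? 'no findings' : issues.join('; ')}"
  end
  puts render_ldap_block(servers.transform_values { |cfg| harden(cfg) })
end
```

Run it against a copy of the real file (`extract_ldap_yaml(File.read('/data/gitlab/config/gitlab.rb'))`) before and after editing; the audit should report nothing for the hardened block. Two caveats that the script cannot check: the bind password sits in cleartext in gitlab.rb, which the `docker run` above maps to /data/gitlab/config on the host, so that directory should be readable by root only; and `simple_tls` requires the domain controller to serve a certificate the GitLab container trusts, otherwise `verify_certificates: true` will (correctly) refuse the connection.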

IV. Usage

At this point an LDAP tab appears on the login page; select it and log in there.
Note: in the LDAP Username field enter only the user name, without @corp.local.


    Article link: https://www.haomeiwen.com/subject/nkpwuftx.html