I have a running Gitlab CE installation with LDAP authentication. Now I want to restrict the access based on group membership.
The option user_filter seems to be the option to go with. However, I can't seem to get anyone to be allowed to log in based on group membership.
What I tried is this (gitlabaccess being the group that should be allowed to log in):
user_filter: '(&(objectclass=group)(samaccountname=gitlabaccess))'
or:
user_filter: '(memberOf=cn=gitlabaccess,DC=my,DC=domain,DC=com)'
The documentation states the following but it also doesn't work and I have no idea what the numbers should be:
user_filter: '(memberOf:1.2.840.113556.1.4.1941:=cn=gitlabaccess,DC=my,DC=domain,DC=com)'
Specific users work like this:
user_filter: '(&(objectclass=user)(samaccountname=jon.doe))'
Gitlab CE version 9.5.5 installed from omnibus package.
How can one restrict the access to Gitlab based on LDAP group membership?
I figured it out. You need to specify the whole path to the group with all OUs. In my case this was:
As pointed out in the comments, the above query only returns direct members of the group. If you also want to include members of nested groups you will have to add :1.2.840.113556.1.4.1941: to memberOf like so:
If you want to add a specific user, use this:
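The following is an added example, not code from the original post or from GitLab. It builds the two memberOf filter forms discussed above with RFC 4515 escaping, and models on a constructed directory why a group DN without its OUs matches nobody and what the in-chain rule (the OID is a fixed Active Directory constant) adds. All DNs, user names and function names are hypothetical.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # fixed OID of AD's LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in an LDAP filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_user_filter(group_dn, nested=False):
    """Build a memberOf filter; nested=True adds the in-chain matching rule."""
    rule = ":%s:" % IN_CHAIN if nested else ""
    return "(memberOf%s=%s)" % (rule, escape_filter_value(group_dn))

# Constructed directory (hypothetical DNs): entry DN -> its memberOf values.
BASE = "DC=my,DC=domain,DC=com"
ACCESS = "CN=gitlabaccess,OU=Groups,OU=Example," + BASE
DEVS = "CN=devs,OU=Groups,OU=Example," + BASE
ALICE = "CN=alice,OU=Staff," + BASE
BOB = "CN=bob,OU=Staff," + BASE
CAROL = "CN=carol,OU=Staff," + BASE
MEMBER_OF = {ALICE: [ACCESS], BOB: [DEVS], CAROL: [], DEVS: [ACCESS], ACCESS: []}
USERS = [ALICE, BOB, CAROL]

def matches(entry_dn, group_dn, nested=False):
    """Model the match: whole-DN equality, followed transitively if nested."""
    target, seen, todo = group_dn.lower(), set(), [entry_dn]
    while todo:
        for parent in MEMBER_OF.get(todo.pop(), []):
            if parent.lower() == target:
                return True
            if nested and parent not in seen:  # seen guards against group cycles
                seen.add(parent)
                todo.append(parent)
    return False

def allowed_users(group_dn, nested=False):
    """Users from the sample directory that the filter would let log in."""
    return [u for u in USERS if matches(u, group_dn, nested)]

if __name__ == "__main__":
    print(build_user_filter(ACCESS))               # direct members only
    print(build_user_filter(ACCESS, nested=True))  # includes nested groups
    print(allowed_users(ACCESS))                   # alice
    print(allowed_users(ACCESS, nested=True))      # alice and bob (via devs)
    print(allowed_users("CN=gitlabaccess," + BASE, nested=True))  # nobody: OUs missing
```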