Merge branch 'dblessing_ldap_kerberos_mapping_gitlabyml_example' into 'master'

Add Kerberos LDAP mapping documentation See merge request gitlab-org/gitlab!43922

Merge branch 'dblessing_ldap_kerberos_mapping_gitlabyml_example' into 'master'
Add Kerberos LDAP mapping documentation See merge request gitlab-org/gitlab!43922
52aa21e5 · Robert Speicher · 6baac6e8 · c779a352 · 52aa21e5 · 52aa21e5
Commit 52aa21e5 authored Oct 07, 2020 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 40 additions and 0 deletions

config/gitlab.yml.example config/gitlab.yml.example +6 -0

doc/integration/kerberos.md doc/integration/kerberos.md +34 -0

No files found.
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -854,6 +854,12 @@ production: &base
    # (default: accept any service name in keytab file)
    # service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM

+    # Kerberos realms/domains that are allowed to automatically link LDAP identities.
+    # By default, GitLab accepts a realm that matches the domain derived from the
+    # LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
+    # with a realm matching `example.com`.
+    # simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']
+
    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines

--- a/doc/integration/kerberos.md
+++ b/doc/integration/kerberos.md
@@ -114,6 +114,40 @@ Taken together, these rules mean that linking will only work if your users'
 Kerberos usernames are of the form `foo@AD.EXAMPLE.COM` and their
 LDAP Distinguished Names look like `sAMAccountName=foo,dc=ad,dc=example,dc=com`.

+### Custom allowed realms
+
+[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/9962) in GitLab 13.5.
+
+You can configure custom allowed realms when
+the user's Kerberos realm doesn't match the domain from the user's LDAP DN. The
+configuration value must specify all domains that users may be expected to
+have. Any other domains will be ignored and an LDAP identity will not be linked.
+
+**For Omnibus installations**
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+   ```ruby
+   gitlab_rails['kerberos_simple_ldap_linking_allowed_realms'] = ['example.com','kerberos.example.com']
+   ```
+
+1. Save the file and [reconfigure](../administration/restart_gitlab.md#omnibus-gitlab-reconfigure)
+   GitLab for the changes to take effect.
+
+---
+
+**For installations from source**
+
+1. Edit `config/gitlab.yml`:
+
+   ```yaml
+   kerberos:
+     simple_ldap_linking_allowed_realms: ['example.com','kerberos.example.com']
+   ```
+
+1. Save the file and [restart](../administration/restart_gitlab.md#installations-from-source)
+   GitLab for the changes to take effect.
+
 ## HTTP Git access

 A linked Kerberos account enables you to `git pull` and `git push` using your