Commit 8a822b91 authored by Evan Read, committed by Suzanne Selhorn

Split user and group sync from main LDAP content

parent 4f1c3fc0
...@@ -35,7 +35,7 @@ The steps below cover: ...@@ -35,7 +35,7 @@ The steps below cover:
credentials' and 'Read user information'. Select 'Add LDAP Client' credentials' and 'Read user information'. Select 'Add LDAP Client'
NOTE: NOTE:
If you plan to use GitLab [LDAP Group Sync](index.md#group-sync) If you plan to use GitLab [LDAP Group Sync](ldap_synchronization.md#group-sync)
, turn on 'Read group information'. , turn on 'Read group information'.
![Add LDAP Client Step 2](img/google_secure_ldap_add_step_2.png) ![Add LDAP Client Step 2](img/google_secure_ldap_add_step_2.png)
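Review bot: every link in this commit now points at `ldap_synchronization.md#…`, but that file's diff is collapsed in this view, so the anchors it relies on (`group-sync`, `user-sync`, `administrator-sync`, `add-group-links`, `adjust-ldap-group-sync-schedule`, `adjust-ldap-user-sync-schedule`, `external-groups`, `global-group-memberships-lock`) cannot be checked from here; please confirm each one matches a heading in the new file, because a missing Markdown anchor does not fail the page, it just drops the reader at the top. It would also be worth leaving a short "moved to" pointer under the old headings in `index.md`, since existing bookmarks and external links to `index.md#group-sync` otherwise stop working silently.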
......
This diff is collapsed.
...@@ -229,7 +229,7 @@ ldapsearch -H ldaps://$host:$port -D "$bind_dn" -y bind_dn_password.txt -b "$ba ...@@ -229,7 +229,7 @@ ldapsearch -H ldaps://$host:$port -D "$bind_dn" -y bind_dn_password.txt -b "$ba
#### Sync all users **(PREMIUM SELF)** #### Sync all users **(PREMIUM SELF)**
The output from a manual [user sync](index.md#user-sync) can show you what happens when The output from a manual [user sync](ldap_synchronization.md#user-sync) can show you what happens when
GitLab tries to sync its users against LDAP. Enter the [rails console](#rails-console) GitLab tries to sync its users against LDAP. Enter the [rails console](#rails-console)
and then run: and then run:
...@@ -239,8 +239,7 @@ Rails.logger.level = Logger::DEBUG ...@@ -239,8 +239,7 @@ Rails.logger.level = Logger::DEBUG
LdapSyncWorker.new.perform LdapSyncWorker.new.perform
``` ```
Next, [learn how to read the Next, [learn how to read the output](#example-console-output-after-a-user-sync).
output](#example-console-output-after-a-user-sync).
##### Example console output after a user sync **(PREMIUM SELF)** ##### Example console output after a user sync **(PREMIUM SELF)**
...@@ -342,9 +341,8 @@ LDAP group sync, but for some reason it's not happening. There are several ...@@ -342,9 +341,8 @@ LDAP group sync, but for some reason it's not happening. There are several
things to check to debug the situation. things to check to debug the situation.
- Ensure LDAP configuration has a `group_base` specified. - Ensure LDAP configuration has a `group_base` specified.
[This configuration](index.md#group-sync) is required for group sync to work properly. [This configuration](ldap_synchronization.md#group-sync) is required for group sync to work properly.
- Ensure the correct [LDAP group link is added to the GitLab - Ensure the correct [LDAP group link is added to the GitLab group](ldap_synchronization.md#add-group-links).
group](index.md#add-group-links).
- Check that the user has an LDAP identity: - Check that the user has an LDAP identity:
1. Sign in to GitLab as an administrator user. 1. Sign in to GitLab as an administrator user.
1. On the top bar, select **Menu > Admin**. 1. On the top bar, select **Menu > Admin**.
...@@ -354,7 +352,7 @@ things to check to debug the situation. ...@@ -354,7 +352,7 @@ things to check to debug the situation.
1. Select the **Identities** tab. There should be an LDAP identity with 1. Select the **Identities** tab. There should be an LDAP identity with
an LDAP DN as the 'Identifier'. If not, this user hasn't signed in with an LDAP DN as the 'Identifier'. If not, this user hasn't signed in with
LDAP yet and must do so first. LDAP yet and must do so first.
- You've waited an hour or [the configured interval](index.md#adjust-ldap-group-sync-schedule) for - You've waited an hour or [the configured interval](ldap_synchronization.md#adjust-ldap-group-sync-schedule) for
the group to sync. To speed up the process, either go to the GitLab group **Group information > Members** the group to sync. To speed up the process, either go to the GitLab group **Group information > Members**
and press **Sync now** (sync one group) or [run the group sync Rake task](../../raketasks/ldap.md#run-a-group-sync) and press **Sync now** (sync one group) or [run the group sync Rake task](../../raketasks/ldap.md#run-a-group-sync)
(sync all groups). (sync all groups).
...@@ -366,8 +364,7 @@ the rails console. ...@@ -366,8 +364,7 @@ the rails console.
1. Choose a GitLab group to test with. This group should have an LDAP group link 1. Choose a GitLab group to test with. This group should have an LDAP group link
already configured. already configured.
1. [Enable debug logging, find the above GitLab group, and sync it with LDAP](#sync-one-group). 1. [Enable debug logging, find the above GitLab group, and sync it with LDAP](#sync-one-group).
1. Look through the output of the sync. See [example log 1. Look through the output of the sync. See [example log output](#example-console-output-after-a-group-sync)
output](#example-console-output-after-a-group-sync)
for how to read the output. for how to read the output.
1. If you still aren't able to see why the user isn't being added, [query the LDAP group directly](#query-a-group-in-ldap) 1. If you still aren't able to see why the user isn't being added, [query the LDAP group directly](#query-a-group-in-ldap)
to see what members are listed. to see what members are listed.
...@@ -377,20 +374,20 @@ the rails console. ...@@ -377,20 +374,20 @@ the rails console.
#### Administrator privileges not granted #### Administrator privileges not granted
When [Administrator sync](index.md#administrator-sync) has been configured When [Administrator sync](ldap_synchronization.md#administrator-sync) has been configured
but the configured users aren't granted the correct administrator privileges, confirm but the configured users aren't granted the correct administrator privileges, confirm
the following are true: the following are true:
- A [`group_base` is also configured](index.md#group-sync). - A [`group_base` is also configured](ldap_synchronization.md#group-sync).
- The configured `admin_group` in the `gitlab.rb` is a CN, rather than a DN or an array. - The configured `admin_group` in the `gitlab.rb` is a CN, rather than a DN or an array.
- This CN falls under the scope of the configured `group_base`. - This CN falls under the scope of the configured `group_base`.
- The members of the `admin_group` have already signed into GitLab with their LDAP - The members of the `admin_group` have already signed into GitLab with their LDAP
credentials. GitLab only grants the Administrator role to the users whose credentials. GitLab only grants the Administrator role to the users whose
accounts are already connected to LDAP. accounts are already connected to LDAP.
If all the above are true and the users are still not getting access, [run a manual If all the above are true and the users are still not getting access,
group sync](#sync-all-groups) in the rails console and [look through the [run a manual group sync](#sync-all-groups) in the rails console and
output](#example-console-output-after-a-group-sync) to see what happens when [look through the output](#example-console-output-after-a-group-sync) to see what happens when
GitLab syncs the `admin_group`. GitLab syncs the `admin_group`.
#### Sync all groups #### Sync all groups
...@@ -399,7 +396,7 @@ NOTE: ...@@ -399,7 +396,7 @@ NOTE:
To sync all groups manually when debugging is unnecessary, To sync all groups manually when debugging is unnecessary,
[use the Rake task](../../raketasks/ldap.md#run-a-group-sync) instead. [use the Rake task](../../raketasks/ldap.md#run-a-group-sync) instead.
The output from a manual [group sync](index.md#group-sync) can show you what happens The output from a manual [group sync](ldap_synchronization.md#group-sync) can show you what happens
when GitLab syncs its LDAP group memberships against LDAP. when GitLab syncs its LDAP group memberships against LDAP.
```ruby ```ruby
...@@ -494,7 +491,7 @@ this line indicates the sync is finished: ...@@ -494,7 +491,7 @@ this line indicates the sync is finished:
Finished syncing admin users for 'ldapmain' provider Finished syncing admin users for 'ldapmain' provider
``` ```
If [administrator sync](index.md#administrator-sync) is not configured, you see a message If [administrator sync](ldap_synchronization.md#administrator-sync) is not configured, you see a message
stating as such: stating as such:
```shell ```shell
...@@ -610,8 +607,7 @@ If a user account is blocked or unblocked due to the LDAP configuration, a ...@@ -610,8 +607,7 @@ If a user account is blocked or unblocked due to the LDAP configuration, a
message is [logged to `application.log`](../../logs.md#applicationlog). message is [logged to `application.log`](../../logs.md#applicationlog).
If there is an unexpected error during an LDAP lookup (configuration error, If there is an unexpected error during an LDAP lookup (configuration error,
timeout), the sign-in is rejected and a message is [logged to timeout), the sign-in is rejected and a message is [logged to `production.log`](../../logs.md#productionlog).
`production.log`](../../logs.md#productionlog).
### ldapsearch ### ldapsearch
......
This diff is collapsed.
...@@ -22,8 +22,8 @@ relevant compliance standards. ...@@ -22,8 +22,8 @@ relevant compliance standards.
|**[Email all users of a project, group, or entire server](../tools/email.md)**<br>An administrator can email groups of users based on project or group membership, or email everyone using the GitLab instance. This is great for scheduled maintenance or upgrades. | Premium+ | **{dotted-circle}** No | Instance | |**[Email all users of a project, group, or entire server](../tools/email.md)**<br>An administrator can email groups of users based on project or group membership, or email everyone using the GitLab instance. This is great for scheduled maintenance or upgrades. | Premium+ | **{dotted-circle}** No | Instance |
|**[Omnibus package supports log forwarding](https://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding)**<br>Forward your logs to a central system. | Premium+ | **{dotted-circle}** No | Instance | |**[Omnibus package supports log forwarding](https://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding)**<br>Forward your logs to a central system. | Premium+ | **{dotted-circle}** No | Instance |
|**[Lock project membership to group](../user/group/index.md#prevent-members-from-being-added-to-a-group)**<br>Group owners can prevent new members from being added to projects within a group. | Premium+ | **{check-circle}** Yes | Group | |**[Lock project membership to group](../user/group/index.md#prevent-members-from-being-added-to-a-group)**<br>Group owners can prevent new members from being added to projects within a group. | Premium+ | **{check-circle}** Yes | Group |
|**[LDAP group sync](auth/ldap/index.md#group-sync)**<br>GitLab Enterprise Edition gives administrators the ability to automatically sync groups and manage SSH keys, permissions, and authentication, so you can focus on building your product, not configuring your tools. | Premium+ | **{dotted-circle}** No | Instance | |**[LDAP group sync](auth/ldap/ldap_synchronization.md#group-sync)**<br>GitLab Enterprise Edition gives administrators the ability to automatically sync groups and manage SSH keys, permissions, and authentication, so you can focus on building your product, not configuring your tools. | Premium+ | **{dotted-circle}** No | Instance |
|**[LDAP group sync filters](auth/ldap/index.md#group-sync)**<br>GitLab Enterprise Edition Premium gives more flexibility to synchronize with LDAP based on filters, meaning you can leverage LDAP attributes to map GitLab permissions. | Premium+ | **{dotted-circle}** No | Instance | |**[LDAP group sync filters](auth/ldap/ldap_synchronization.md#group-sync)**<br>GitLab Enterprise Edition Premium gives more flexibility to synchronize with LDAP based on filters, meaning you can leverage LDAP attributes to map GitLab permissions. | Premium+ | **{dotted-circle}** No | Instance |
|**[Audit events](audit_events.md)**<br>To maintain the integrity of your code, GitLab Enterprise Edition Premium gives administrators the ability to view any modifications made within the GitLab server in an advanced audit events system, so you can control, analyze, and track every change. | Premium+ | **{check-circle}** Yes | Instance, Group, Project | |**[Audit events](audit_events.md)**<br>To maintain the integrity of your code, GitLab Enterprise Edition Premium gives administrators the ability to view any modifications made within the GitLab server in an advanced audit events system, so you can control, analyze, and track every change. | Premium+ | **{check-circle}** Yes | Instance, Group, Project |
|**[Auditor users](auditor_users.md)**<br>Auditor users are users who are given read-only access to all projects, groups, and other resources on the GitLab instance. | Premium+ | **{dotted-circle}** No | Instance | |**[Auditor users](auditor_users.md)**<br>Auditor users are users who are given read-only access to all projects, groups, and other resources on the GitLab instance. | Premium+ | **{dotted-circle}** No | Instance |
|**[Credentials inventory](../user/admin_area/credentials_inventory.md)**<br>With a credentials inventory, GitLab administrators can keep track of the credentials used by all of the users in their GitLab instance. | Ultimate | **{dotted-circle}** No | Instance | |**[Credentials inventory](../user/admin_area/credentials_inventory.md)**<br>With a credentials inventory, GitLab administrators can keep track of the credentials used by all of the users in their GitLab instance. | Ultimate | **{dotted-circle}** No | Instance |
......
...@@ -44,7 +44,7 @@ Get started: ...@@ -44,7 +44,7 @@ Get started:
**More resources** **More resources**
- Learn more about [running multiple Agile teams](https://www.youtube.com/watch?v=VR2r1TJCDew). - Learn more about [running multiple Agile teams](https://www.youtube.com/watch?v=VR2r1TJCDew).
- Sync group memberships [by using LDAP](../administration/auth/ldap/index.md#group-sync). - Sync group memberships [by using LDAP](../administration/auth/ldap/ldap_synchronization.md#group-sync).
- Manage user access with inherited permissions. Use up to 20 levels of subgroups to organize both teams and projects. - Manage user access with inherited permissions. Use up to 20 levels of subgroups to organize both teams and projects.
- Learn more about [inherited permissions](../user/project/members/index.md#inherited-membership). - Learn more about [inherited permissions](../user/project/members/index.md#inherited-membership).
- View [nested category examples](../user/group/subgroups/index.md#overview). - View [nested category examples](../user/group/subgroups/index.md#overview).
......
...@@ -38,13 +38,13 @@ rake gitlab:ldap:check[50] ...@@ -38,13 +38,13 @@ rake gitlab:ldap:check[50]
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/14735) in GitLab 12.2. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/14735) in GitLab 12.2.
The following task runs a [group sync](../auth/ldap/index.md#group-sync) immediately. This is valuable The following task runs a [group sync](../auth/ldap/ldap_synchronization.md#group-sync) immediately.
when you'd like to update all configured group memberships against LDAP without This is valuable when you'd like to update all configured group memberships against LDAP without
waiting for the next scheduled group sync to be run. waiting for the next scheduled group sync to be run.
NOTE: NOTE:
If you'd like to change the frequency at which a group sync is performed, If you'd like to change the frequency at which a group sync is performed,
[adjust the cron schedule](../auth/ldap/index.md#adjust-ldap-group-sync-schedule) [adjust the cron schedule](../auth/ldap/ldap_synchronization.md#adjust-ldap-group-sync-schedule)
instead. instead.
**Omnibus Installation** **Omnibus Installation**
......
...@@ -50,15 +50,15 @@ the tiers are no longer mentioned in GitLab documentation: ...@@ -50,15 +50,15 @@ the tiers are no longer mentioned in GitLab documentation:
- [Group management through LDAP](../administration/auth/ldap/ldap-troubleshooting.md#group-memberships) - [Group management through LDAP](../administration/auth/ldap/ldap-troubleshooting.md#group-memberships)
- Syncing information through LDAP: - Syncing information through LDAP:
- Groups: [one group](../administration/auth/ldap/ldap-troubleshooting.md#sync-one-group), - Groups: [one group](../administration/auth/ldap/ldap-troubleshooting.md#sync-one-group),
[all groups programmatically](../administration/auth/ldap/index.md#group-sync), [all groups programmatically](../administration/auth/ldap/ldap_synchronization.md#group-sync),
[group sync schedule](../administration/auth/ldap/index.md#adjust-ldap-group-sync-schedule), and [group sync schedule](../administration/auth/ldap/ldap_synchronization.md#adjust-ldap-group-sync-schedule), and
[all groups manually](../administration/auth/ldap/ldap-troubleshooting.md#sync-all-groups) [all groups manually](../administration/auth/ldap/ldap-troubleshooting.md#sync-all-groups)
- [Configuration settings](../administration/auth/ldap/index.md#ldap-sync-configuration-settings) - [Configuration settings](../administration/auth/ldap/index.md#ldap-sync-configuration-settings)
- Users: [all users](../administration/auth/ldap/index.md#user-sync), - Users: [all users](../administration/auth/ldap/ldap_synchronization.md#user-sync),
[administrators](../administration/auth/ldap/index.md#administrator-sync), [administrators](../administration/auth/ldap/ldap_synchronization.md#administrator-sync),
[user sync schedule](../administration/auth/ldap/index.md#adjust-ldap-user-sync-schedule) [user sync schedule](../administration/auth/ldap/ldap_synchronization.md#adjust-ldap-user-sync-schedule)
- [Adding group links](../administration/auth/ldap/index.md#add-group-links) - [Adding group links](../administration/auth/ldap/ldap_synchronization.md#add-group-links)
- [Lock memberships to LDAP synchronization](../administration/auth/ldap/index.md#global-group-memberships-lock) - [Lock memberships to LDAP synchronization](../administration/auth/ldap/ldap_synchronization.md#global-group-memberships-lock)
- Rake tasks for [LDAP tasks](../administration/raketasks/ldap.md), including - Rake tasks for [LDAP tasks](../administration/raketasks/ldap.md), including
[syncing groups](../administration/raketasks/ldap.md#run-a-group-sync) [syncing groups](../administration/raketasks/ldap.md#run-a-group-sync)
- Logging: - Logging:
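Review bot: the `[Configuration settings](../administration/auth/ldap/index.md#ldap-sync-configuration-settings)` entry is the only LDAP sync link in this list still pointing at `index.md` while all of its siblings moved to `ldap_synchronization.md`. If the settings table moved with the user and group sync content, this link is now stale and should become `../administration/auth/ldap/ldap_synchronization.md#ldap-sync-configuration-settings`; if it deliberately stayed in `index.md`, a one-line note in the MR description would save the next reader the same question.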
......
...@@ -329,7 +329,7 @@ Group syncing allows LDAP groups to be mapped to GitLab groups. This provides mo ...@@ -329,7 +329,7 @@ Group syncing allows LDAP groups to be mapped to GitLab groups. This provides mo
Group links can be created by using either a CN or a filter. To create these group links, go to the group's **Settings > LDAP Synchronization** page. After configuring the link, it may take more than an hour for the users to sync with the GitLab group. Group links can be created by using either a CN or a filter. To create these group links, go to the group's **Settings > LDAP Synchronization** page. After configuring the link, it may take more than an hour for the users to sync with the GitLab group.
For more information on the administration of LDAP and group sync, refer to the [main LDAP documentation](../../administration/auth/ldap/index.md#group-sync). For more information on the administration of LDAP and group sync, refer to the [main LDAP documentation](../../administration/auth/ldap/ldap_synchronization.md#group-sync).
NOTE: NOTE:
When you add LDAP synchronization, if an LDAP user is a group member and they are not part of the LDAP group, they are removed from the group. When you add LDAP synchronization, if an LDAP user is a group member and they are not part of the LDAP group, they are removed from the group.
......
...@@ -384,8 +384,10 @@ An administrator can flag a user as external by either of the following methods: ...@@ -384,8 +384,10 @@ An administrator can flag a user as external by either of the following methods:
1. On the left sidebar, select **Overview > Users** to create a new user or edit an existing one. 1. On the left sidebar, select **Overview > Users** to create a new user or edit an existing one.
There, you can find the option to flag the user as external. There, you can find the option to flag the user as external.
Additionally users can be set as external users using [SAML groups](../integration/saml.md#external-groups) Additionally users can be set as external users using:
and [LDAP groups](../administration/auth/ldap/index.md#external-groups).
- [SAML groups](../integration/saml.md#external-groups).
- [LDAP groups](../administration/auth/ldap/ldap_synchronization.md#external-groups).
### Setting new users to external ### Setting new users to external
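Review bot: "Additionally users can be set as external users using:" needs a comma after "Additionally", and reads more directly as "Users can also be set as external through:"; the conversion to a list is otherwise fine.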
......
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
= _('Lock memberships to LDAP synchronization') = _('Lock memberships to LDAP synchronization')
%span.form-text.text-muted %span.form-text.text-muted
= _('If checked, new group memberships and permissions can only be added via LDAP synchronization') = _('If checked, new group memberships and permissions can only be added via LDAP synchronization')
= link_to sprite_icon('question-o'), help_page_path('administration/auth/ldap/index.md', anchor: 'global-group-memberships-lock') = link_to sprite_icon('question-o'), help_page_path('administration/auth/ldap/ldap_synchronization.md', anchor: 'global-group-memberships-lock')
.form-check .form-check
= form.check_box :allow_group_owners_to_manage_ldap, class: 'form-check-input' = form.check_box :allow_group_owners_to_manage_ldap, class: 'form-check-input'
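Review bot: this `help_page_path` call renders the in-app help link beside the "Lock memberships to LDAP synchronization" checkbox, so a wrong anchor here ships to administrators rather than being caught when the docs are built; confirm `ldap_synchronization.md` has a heading that renders as `global-group-memberships-lock`, and grep the views for any other `help_page_path('administration/auth/ldap/index.md', ...)` calls whose target sections moved in this split.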
......