Add openldap server

0cd625b9 · Jan-Willem van der Meer · 4972c161 · 0cd625b9 · 0cd625b9 · 0cd625b9
Commit 0cd625b9 authored 10 years ago by Jan-Willem van der Meer
--- a/Procfile.example
+++ b/Procfile.example
 redis: redis-server /home/git/redis/redis.conf
 postgresql: postgres -D /home/git/postgresql/data -k /home/git/postgresql -h ''
+openldap: ./gitlab-openldap/run-slapd
\ No newline at end of file
--- a/README.md
+++ b/README.md
@@ -88,6 +88,8 @@ Finally, start the main GitLab rails application:
  
    bundle exec foreman start
  
+To enable the openLDAP server, see the instructions in the README
+
 END Post-installation
  
 ## Development
@@ -132,6 +134,47 @@ This will update both `gitlab` and `gitlab-shell` and run any possible migration
 You can also update them separately by running `make gitlab-update` and
 `make gitlab-shell-update` respectively.
  
+## Openldap
+
+To run the openldap installation included in the GitLab development kit do the following:
+
+```
+vim Procfile # remove the comment before the openldap line
+cd gitlab-openldap
+make # will setup the databases
+```
+
+in the gitlab repository edit config/gitlab.yml;
+
+```yaml
+ldap:
+  enabled: true
+  servers:
+    main:
+      label: LDAP
+      host: 127.0.0.1
+      port: 3890
+      uid: 'uid'
+      method: 'plain' # "tls" or "ssl" or "plain"
+      base: 'dc=example,dc=com'
+      user_filter: ''
+      group_base: 'ou=groups,dc=example,dc=com'
+      admin_group: ''
+    # Alternative server, multiple LDAP servers only work with GitLab-EE
+    # alt:
+    #   label: LDAP-alt
+    #   host: 127.0.0.1
+    #   port: 3890
+    #   uid: 'uid'
+    #   method: 'plain' # "tls" or "ssl" or "plain"
+    #   base: 'dc=example-alt,dc=com'
+    #   user_filter: ''
+    #   group_base: 'ou=groups,dc=example-alt,dc=com'
+    #   admin_group: ''
+```
+
+The second database is optional, and will only work with Gitlab-EE.
+
 ## Troubleshooting
  
 ### Rails cannot connect to Postgres

--- a/gitlab-openldap/.gitignore
+++ b/gitlab-openldap/.gitignore
+slapd.d/
--- a/gitlab-openldap/Makefile
+++ b/gitlab-openldap/Makefile
+default: slapd.d/bootstrap contents alt_contents
+
+contents: slapd.d/schema slapd.d/example-com
+alt_contents: slapd.d/schema slapd.d/alt-example-com
+
+slapd.d:
+	mkdir slapd.d
+	chmod 700 slapd.d
+
+slapd.d/bootstrap: slapd.d
+	slapadd -n 0 -F slapd.d < bootstrap.ldif
+	touch $@
+
+slapd.d/schema:
+	curl 'http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob_plain;f=servers/slapd/schema/core.ldif;hb=HEAD' | slapadd -b 'cn=config' -F slapd.d
+	curl 'http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob_plain;f=servers/slapd/schema/cosine.ldif;hb=HEAD' | slapadd -b 'cn=config' -F slapd.d
+	curl 'http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob_plain;f=servers/slapd/schema/inetorgperson.ldif;hb=HEAD' | slapadd -b 'cn=config' -F slapd.d
+	curl 'http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob_plain;f=servers/slapd/schema/nis.ldif;hb=HEAD' | slapadd -b 'cn=config' -F slapd.d
+	touch $@
+
+slapd.d/example-com:
+	slapadd -b 'dc=example,dc=com' -F slapd.d < frontend.example.com.ldif
+	touch $@
+
+slapd.d/alt-example-com:
+	slapadd -b 'dc=example-alt,dc=com' -F slapd.d < frontend.alt.example.com.ldif
+	touch $@
+
+clean:
+	rm -rf slapd.d
--- a/gitlab-openldap/README.md
+++ b/gitlab-openldap/README.md
+# Set up an OpenLDAP server for GitLab development
+
+This is an attempt to set up an OpenLDAP server for GitLab development.
+
+- Goal is to be able to run as the 'desktop' user from a Procfile, in the style of https://gitlab.com/gitlab-org/gitlab-development-kit
+- Use sockets for connections if possible, but not if this is not supported by omniauth-ldap
+- Passwords in ldifs need to be hashed with `slappasswd` apparently
+- After bootstrapping with `slapadd` and `bootstrap.ldif`, LDIF imports can be run as `cn=admin,cn=config` with password `password`.
+- Maybe a good idea, maybe not: we currently use the 'ldif' storage backend so you can inspect the database with `find` etc.
+
+## Getting it running
+
+```bash
+make # bootstrap LDAP server to run out of slapd.d
+./run-slapd # stays attached in the current terminal
+```
+
+## Repopulate the database
+```
+make clean default
+```
+
+## Configuring gitlab
+
+in gitlab.yml do the following;
+
+```yaml
+ldap:
+  enabled: true
+  servers:
+    main:
+      label: LDAP
+      host: 127.0.0.1
+      port: 3890
+      uid: 'uid'
+      method: 'plain' # "tls" or "ssl" or "plain"
+      base: 'dc=example,dc=com'
+      user_filter: ''
+      group_base: 'ou=groups,dc=example,dc=com'
+      admin_group: ''
+```
+
+alternative database (just using a different base)
+
+```yaml
+ldap:
+  enabled: true
+  servers:
+    alt:
+      label: LDAP-alt
+      host: 127.0.0.1
+      port: 3891
+      uid: 'uid'
+      method: 'plain' # "tls" or "ssl" or "plain"
+      base: 'dc=example-alt,dc=com'
+      user_filter: ''
+      group_base: 'ou=groups,dc=example-alt,dc=com'
+      admin_group: ''
+```
+
+*Note:* We don't use a bind user for this setup, keeping it as simple as possible
+
+# TODO
+
+- integrate into the development kit
+- figure out how to detect the location of `slapd`; on OS X there is `/usr/libexec/slapd`.
--- a/gitlab-openldap/bootstrap.ldif
+++ b/gitlab-openldap/bootstrap.ldif
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcRootDN: cn=admin,cn=config
+# hash for 'password'
+olcRootPW: {SSHA}A5StgE99fCDUo7AlWas7Nvlyexo0vQfm
+
+# based on https://help.ubuntu.com/10.04/serverguide/openldap-server.html
+dn: olcDatabase=ldif,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcLdifConfig
+olcDatabase: ldif
+olcSuffix: dc=example,dc=com
+olcDbDirectory: slapd.d
+olcRootDN: cn=admin,dc=example,dc=com
+olcRootPW: password
+olcLastMod: TRUE
+olcAccess: to dn.base="" by * read
+olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
+
+# based on https://help.ubuntu.com/10.04/serverguide/openldap-server.html
+dn: olcDatabase=ldif,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcLdifConfig
+olcDatabase: ldif
+olcSuffix: dc=example-alt,dc=com
+olcDbDirectory: slapd.d
+olcRootDN: cn=admin,dc=example-alt,dc=com
+olcRootPW: password
+olcLastMod: TRUE
+olcAccess: to dn.base="" by * read
+olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
--- a/gitlab-openldap/frontend.alt.example.com.ldif
+++ b/gitlab-openldap/frontend.alt.example.com.ldif
+# source: https://help.ubuntu.com/10.04/serverguide/openldap-server.html
+
+# Create top-level object in domain
+dn: dc=example-alt,dc=com
+objectClass: top
+objectClass: dcObject
+objectclass: organization
+o: Example Organization
+dc: Example-alt
+description: LDAP Example
+
+# Admin user.
+dn: cn=admin,dc=example-alt,dc=com
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+# hased value for 'password'
+userPassword: {SSHA}ICMhr6Jxt5bk2awD7HL7GxRTM3BZ1pFI
+
+dn: ou=people,dc=example-alt,dc=com
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=groups,dc=example-alt,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+dn: uid=bob,ou=people,dc=example-alt,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: bob
+sn: Doe
+givenName: bob
+cn: bob Doe
+displayName: bob Doe
+uidNumber: 1000
+gidNumber: 10000
+# hased value for 'password'
+userPassword: {SSHA}qqLFjamdd1cru4RV815+FiSxh/54rfbd
+gecos: bob Doe
+loginShell: /bin/bash
+homeDirectory: /home/bob
+shadowExpire: -1
+shadowFlag: 0
+shadowWarning: 7
+shadowMin: 8
+shadowMax: 999999
+shadowLastChange: 10877
+mail: bob.doe@example.com
+postalCode: 31000
+l: Toulouse
+o: Example
+mobile: +33 (0)6 xx xx xx xx
+homePhone: +33 (0)5 xx xx xx xx
+title: System Administrator
+postalAddress:
+initials: JD
+
+dn: uid=alice,ou=people,dc=example-alt,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: alice
+sn: Jane
+givenName: alice Jane
+cn: alice Jane
+displayName: alice Jane
+uidNumber: 1001
+gidNumber: 10001
+# hased value for 'password'
+userPassword: {SSHA}qqLFjamdd1cru4RV815+FiSxh/54rfbd
+mail: alice.jane@example.com
+gecos: alice
+loginShell: /bin/bash
+homeDirectory: /home/alice
+shadowExpire: -1
+shadowFlag: 0
+shadowWarning: 7
+shadowMin: 8
+shadowMax: 999999
+shadowLastChange: 10877
+postalCode: 31000
+l: Toulouse
+o: Example
+mobile: +33 (0)6 xx xx xx xx
+homePhone: +33 (0)5 xx xx xx xx
+title: System Administrator
+postalAddress:
+initials: JD
+
+dn: cn=example,ou=groups,dc=example-alt,dc=com
+objectClass: posixGroup
+cn: example
+gidNumber: 10000
+
+dn: cn=group-a,ou=groups,dc=example-alt,dc=com
+objectClass: groupofnames
+ou: groups
+cn: group-a
+member: uid=bob,ou=people,dc=example-alt,dc=com
+member: uid=alice,ou=people,dc=example-alt,dc=com
+
+dn: cn=group-b,ou=groups,dc=example-alt,dc=com
+objectClass: groupofnames
+ou: groups
+cn: group-b
+member: uid=bob,ou=people,dc=example-alt,dc=com
--- a/gitlab-openldap/frontend.example.com.ldif
+++ b/gitlab-openldap/frontend.example.com.ldif
+# source: https://help.ubuntu.com/10.04/serverguide/openldap-server.html
+
+# Create top-level object in domain
+dn: dc=example,dc=com
+objectClass: top
+objectClass: dcObject
+objectclass: organization
+o: Example Organization
+dc: Example
+description: LDAP Example 
+
+# Admin user.
+dn: cn=admin,dc=example,dc=com
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+# hased value for 'password'
+userPassword: {SSHA}ICMhr6Jxt5bk2awD7HL7GxRTM3BZ1pFI
+
+dn: ou=people,dc=example,dc=com
+objectClass: organizationalUnit
+ou: people
+
+dn: ou=groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+dn: uid=john,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: john
+sn: Doe
+givenName: John
+cn: John Doe
+displayName: John Doe
+uidNumber: 1000
+gidNumber: 10000
+# hased value for 'password'
+userPassword: {SSHA}qqLFjamdd1cru4RV815+FiSxh/54rfbd
+gecos: John Doe
+loginShell: /bin/bash
+homeDirectory: /home/john
+shadowExpire: -1
+shadowFlag: 0
+shadowWarning: 7
+shadowMin: 8
+shadowMax: 999999
+shadowLastChange: 10877
+mail: john.doe@example.com
+postalCode: 31000
+l: Toulouse
+o: Example
+mobile: +33 (0)6 xx xx xx xx
+homePhone: +33 (0)5 xx xx xx xx
+title: System Administrator
+postalAddress:
+initials: JD
+
+dn: uid=mary,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: Mary
+sn: Jane
+givenName: Mary Jane
+cn: Mary Jane
+displayName: Mary Jane
+uidNumber: 1001
+gidNumber: 10001
+# hased value for 'password'
+userPassword: {SSHA}qqLFjamdd1cru4RV815+FiSxh/54rfbd
+mail: mary.jane@example.com
+gecos: Mary
+loginShell: /bin/bash
+homeDirectory: /home/mary
+shadowExpire: -1
+shadowFlag: 0
+shadowWarning: 7
+shadowMin: 8
+shadowMax: 999999
+shadowLastChange: 10877
+postalCode: 31000
+l: Toulouse
+o: Example
+mobile: +33 (0)6 xx xx xx xx
+homePhone: +33 (0)5 xx xx xx xx
+title: System Administrator
+postalAddress:
+initials: JD
+
+dn: cn=example,ou=groups,dc=example,dc=com
+objectClass: posixGroup
+cn: example
+gidNumber: 10000
+
+dn: cn=group1,ou=groups,dc=example,dc=com
+objectClass: groupofnames
+ou: groups
+cn: group1
+member: uid=john,ou=people,dc=example,dc=com
+member: uid=mary,ou=people,dc=example,dc=com
+
+dn: cn=group2,ou=groups,dc=example,dc=com
+objectClass: groupofnames
+ou: groups
+cn: group2
+member: uid=john,ou=people,dc=example,dc=com
--- a/gitlab-openldap/run-slapd
+++ b/gitlab-openldap/run-slapd
+#!/bin/sh
+umask 077
+/usr/libexec/slapd -F gitlab-openldap/slapd.d -d2 -h "ldapi://slapd.socket ldap://127.0.0.1:3890"
--- a/gitlab-openldap/run-slapd-alt
+++ b/gitlab-openldap/run-slapd-alt
+#!/bin/sh
+umask 077
+/usr/libexec/slapd -F slapd.d -d1 -h "ldapi://slapd.socket ldap://127.0.0.1:3891"