Add Kerberos LDAP mapping configuration

Add support for the GitLab configuration option for simple_ldap_linking_allowed_realms.

Add Kerberos LDAP mapping configuration
3ffdeef8 · Drew Blessing · Drew Blessing · 55d71a63 · 3ffdeef8 · 3ffdeef8
Unverified Commit 3ffdeef8 authored 4 years ago by Drew Blessing Committed by Drew Blessing 4 years ago
--- a/changelogs/unreleased/dblessing_ldap_kerberos_mapping.yml
+++ b/changelogs/unreleased/dblessing_ldap_kerberos_mapping.yml
+---
+title: Add Kerberos LDAP mapping configuration
+merge_request: 4608
+author:
+type: added
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -2073,6 +2073,7 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 # gitlab_rails['kerberos_enabled'] = true
 # gitlab_rails['kerberos_keytab'] = /etc/http.keytab
 # gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM
+# gitlab_rails['kerberos_simple_ldap_linking_allowed_realms'] = ['example.com','kerberos.example.com']
 # gitlab_rails['kerberos_use_dedicated_port'] = true
 # gitlab_rails['kerberos_port'] = 8443
 # gitlab_rails['kerberos_https'] = true

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -311,6 +311,7 @@ default['gitlab']['gitlab-rails']['smartcard_san_extensions'] = false
 default['gitlab']['gitlab-rails']['kerberos_enabled'] = nil
 default['gitlab']['gitlab-rails']['kerberos_keytab'] = nil
 default['gitlab']['gitlab-rails']['kerberos_service_principal_name'] = nil
+default['gitlab']['gitlab-rails']['kerberos_simple_ldap_linking_allowed_realms'] = nil
 default['gitlab']['gitlab-rails']['kerberos_use_dedicated_port'] = nil
 default['gitlab']['gitlab-rails']['kerberos_port'] = nil
 default['gitlab']['gitlab-rails']['kerberos_https'] = nil

--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -609,6 +609,12 @@ production: &base
    # (default: accept any service name in keytab file)
    service_principal_name: <%= @kerberos_service_principal_name %>
  
+    # Kerberos realms/domains that are allowed to automatically link LDAP identities.
+    # By default, GitLab accepts a realm that matches the domain derived from the
+    # LDAP `base` DN. For example, `ou=users,dc=example,dc=com` would allow users
+    # with a realm matching `example.com`.
+    simple_ldap_linking_allowed_realms: <%= @kerberos_simple_ldap_linking_allowed_realms.to_json %>
+
    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
    # To support both Basic and Negotiate methods with older versions of Git, configure
    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines