
[debops.gitlab] Integrate with 'debops.ldap' role

drybjed committed Sep 29, 2019
1 parent cbd7907 commit 3d763573bf105516b6e330c86bfea9ce37779516
@@ -122,6 +122,22 @@ General

- Support Debian Buster in :ref:`apt_preferences__list`.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- The LDAP support in GitLab has been converted to use the
:ref:`debops.ldap` infrastructure and not configure LDAP objects directly.
LDAP support in GitLab will be enabled automatically if it's enabled on
the host. Some of the configuration variables have been changed; see the
:ref:`upgrade_notes` for more details.

- The default LDAP filter configured in the
:envvar:`gitlab__ldap_user_filter` variable has been modified to limit
access to the service to objects with specific attributes. See the
:ref:`GitLab LDAP access control <gitlab__ref_ldap_dit_access>`
documentation page for details about the required attributes and their
values.

:ref:`debops.golang` role
'''''''''''''''''''''''''

@@ -40,10 +40,12 @@
- '{{ gitlab__python__dependent_packages3 }}'
- '{{ nginx__python__dependent_packages3 }}'
- '{{ postgresql__python__dependent_packages3 if gitlab__database == "postgresql" else [] }}'
- '{{ ldap__python__dependent_packages3 }}'
python__dependent_packages2:
- '{{ gitlab__python__dependent_packages2 }}'
- '{{ nginx__python__dependent_packages2 }}'
- '{{ postgresql__python__dependent_packages2 if gitlab__database == "postgresql" else [] }}'
- '{{ ldap__python__dependent_packages2 }}'

- role: debops.golang
tags: [ 'role::golang', 'skip::golang' ]
@@ -84,6 +86,11 @@
- '{{ gitlab__postgresql__dependent_pgpass }}'
when: gitlab__database == 'postgresql'

- role: debops.ldap
tags: [ 'role::ldap', 'skip::ldap' ]
ldap__dependent_tasks:
- '{{ gitlab__ldap__dependent_tasks }}'

- role: debops.nginx
tags: [ 'role::nginx', 'skip::nginx' ]
nginx__dependent_servers:
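Review bot: The new `debops.ldap` role entry has no `when:` guard, unlike the sibling `debops.postgresql` entry just above it, which is conditioned on `gitlab__database == 'postgresql'`; as written the role and `gitlab__ldap__dependent_tasks` are always evaluated, and the only thing preventing an account object from being created on a host without LDAP is the downstream `state: "ignore"` fallback. If `debops.ldap` does not itself short-circuit when LDAP is not enabled on the host (I cannot see that from here), a guard consistent with the PostgreSQL entry would be `when: gitlab__ldap_enabled|bool`, which references the same role default the rest of this change introduces. The enclosing play definition starts before this hunk.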
@@ -741,90 +741,184 @@ gitlab_ce_bundle_install_without:
# More information about LDAP support in GitLab can be found at
# https://gitlab.com/help/administration/auth/ldap.md

# .. envvar:: gitlab_ldap_enable [[[
# .. envvar:: gitlab__ldap_enabled [[[
#
# Enable or disable LDAP support.
gitlab_ldap_enable: False
gitlab__ldap_enabled: '{{ True
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.enabled|d())|bool)
else False }}'

# ]]]
# .. envvar:: gitlab_ldap_manage [[[
# .. envvar:: gitlab__ldap_base_dn [[[
#
# If enabled, the role will try to create/manage the relevant entries on the
# LDAP server. If disabled, only the configuration file entries will be
# created, you will need to configure the LDAP server yourself.
gitlab_ldap_manage: True
# The base Distinguished Name which should be used to create Distinguished
# Names of the LDAP directory objects, defined as a YAML list. If this variable
# is empty, LDAP configuration will not be generated.
gitlab__ldap_base_dn: '{{ ansible_local.ldap.base_dn
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.base_dn|d())
else [] }}'

# ]]]
# .. envvar:: gitlab_ldap_domain [[[
# .. envvar:: gitlab__ldap_device_dn [[[
#
# The base DNS domain used to generate LDAP configuration parameters.
gitlab_ldap_domain: '{{ gitlab_domain }}'
# The Distinguished Name of the current host LDAP object, defined as a YAML
# list. It will be used as a base for the GitLab service account LDAP object.
# If the list is empty, the role will not create the account LDAP object
# automatically.
gitlab__ldap_device_dn: '{{ ansible_local.ldap.device_dn
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.device_dn|d())
else [] }}'

# ]]]
# .. envvar:: gitlab_ldap_label [[[
# .. envvar:: gitlab__ldap_self_rdn [[[
#
# Specify the name of the LDAP server displayed on the login page.
gitlab_ldap_label: '{{ gitlab_ldap_domain }}'
# The Relative Distinguished Name of the account LDAP object used by the
# GitLab service to access the LDAP directory.
gitlab__ldap_self_rdn: 'uid=gitlab'

# ]]]
# .. envvar:: gitlab_ldap_host [[[
# .. envvar:: gitlab__ldap_self_object_classes [[[
#
# FQDN address of the LDAP server to connect to.
gitlab_ldap_host: 'ldap.{{ gitlab_domain }}'
# List of the LDAP object classes which will be used to create the LDAP object
# used by the Gitlab service to access the LDAP directory.
gitlab__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]

# ]]]
# .. envvar:: gitlab_ldap_port [[[
# .. envvar:: gitlab__ldap_self_attributes [[[
#
# The LDAP service port to use for connections.
gitlab_ldap_port: '389'
# YAML dictionary that defines the attributes of the LDAP object used by the
# GitLab service to access the LDAP directory.
gitlab__ldap_self_attributes:
uid: '{{ gitlab__ldap_self_rdn.split("=")[1] }}'
userPassword: '{{ gitlab__ldap_bindpw }}'
host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
description: 'Account used by the "GitLab" service to access the LDAP directory'

# ]]]
# .. envvar:: gitlab_ldap_method [[[
# .. envvar:: gitlab__ldap_binddn [[[
#
# The connection method that should be used to connect to the LDAP server.
# Available methods: ``tls``, ``ssl``, ``plain``.
gitlab_ldap_method: 'tls'
# The Distinguished Name of the account LDAP object used by the
# GitLab service to bind to the LDAP directory.
gitlab__ldap_binddn: '{{ ([ gitlab__ldap_self_rdn ] + gitlab__ldap_device_dn) | join(",") }}'

# ]]]
# .. envvar:: gitlab_ldap_basedn [[[
# .. envvar:: gitlab__ldap_bindpw [[[
#
# The LDAP BaseDN string used to connect to the LDAP server.
gitlab_ldap_basedn: '{{ "dc=" + gitlab_ldap_domain.split(".") | join(",dc=") }}'
# The password stored in the account LDAP object used by the GitLab service to
# bind to the LDAP directory.
gitlab__ldap_bindpw: '{{ lookup("password", secret + "/ldap/credentials/"
+ gitlab__ldap_binddn | to_uuid + ".password length=32") }}'

# ]]]
# .. envvar:: gitlab_ldap_binddn [[[
# .. envvar:: gitlab__ldap_sync_time [[[
#
# The GitLab user account on the LDAP server, used to bind to the LDAP server.
gitlab_ldap_binddn: '{{ "cn=gitlab," + secret_ldap_services_dn }}'
# Specify the time in seconds between LDAP permission checks. The checks will
# be performed on the next GitLab interaction after the timeout.
gitlab__ldap_sync_time: '3600'

# ]]]
# .. envvar:: gitlab_ldap_password_file [[[
# .. envvar:: gitlab__ldap_label [[[
#
# Path to the LDAP bind account password file on the Ansible Controller.
# See the :ref:`debops.secret` role for more details.
gitlab_ldap_password_file: '{{ secret + "/credentials/" + gitlab_ldap_host
+ "/slapd/" + gitlab_ldap_basedn + "/"
+ gitlab_ldap_binddn + ".password" }}'
# Specify the name of the LDAP server displayed on the login page.
gitlab__ldap_label: 'LDAP'

# ]]]
# .. envvar:: gitlab_ldap_password [[[
# .. envvar:: gitlab__ldap_host [[[
#
# The password of the LDAP bind account.
gitlab_ldap_password: '{{ lookup("password", gitlab_ldap_password_file) }}'
# FQDN address of the LDAP server to connect to.
gitlab__ldap_host: '{{ (ansible_local.ldap.hosts
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.hosts|d())
else []) | first }}'

# ]]]
# .. envvar:: gitlab__ldap_port [[[
#
# The LDAP service port to use for connections.
gitlab__ldap_port: '{{ ansible_local.ldap.port
if (ansible_local|d() and ansible_local.ldap|d() and
ansible_local.ldap.port|d())
else "389" }}'

# ]]]
# .. envvar:: gitlab_ldap_activedirectory [[[
# .. envvar:: gitlab__ldap_encryption [[[
#
# The encryption method that should be used to connect to the LDAP server.
# Available methods: ``start_tls``, ``simple_tls``, ``plain``.
gitlab__ldap_encryption: '{{ "start_tls"
if (ansible_local|d() and ansible_local.ldap|d() and
(ansible_local.ldap.start_tls|d())|bool)
else "simple_tls" }}'

# ]]]
# .. envvar:: gitlab__ldap_timeout [[[
#
# Set timeout in seconds for LDAP queries.
gitlab__ldap_timeout: '10'

# ]]]
# .. envvar:: gitlab__ldap_activedirectory [[[
#
# Enable or disable support for ActiveDirectory servers.
gitlab_ldap_activedirectory: False
gitlab__ldap_activedirectory: False

# ]]]
# .. envvar:: gitlab_ldap_uid [[[
# .. envvar:: gitlab__ldap_account_attribute [[[
#
# Name of the LDAP attribute to use for account lookups. On plain LDAP servers
# it's usually ``uid``, on older ActiveDirectory installations it could be
# ``sAMAccountName``.
gitlab_ldap_uid: 'uid'
gitlab__ldap_account_attribute: '{{ "sAMAccountName"
if (gitlab__ldap_activedirectory|bool)
else "uid" }}'

# ]]]
# .. envvar:: gitlab__ldap_user_filter [[[
#
# LDAP search query which will be used by the GitLab service to filter the
# available user accounts.
gitlab__ldap_user_filter: '(&
(objectClass=inetOrgPerson)
(|
(authorizedService=gitlab)
(authorizedService=web-public)
(authorizedService=*)
)
)'

# ]]]
# .. envvar:: gitlab__ldap_username_or_email_login [[[
#
# If this variable is enabled, GitLab will ignore everything
# after the first '@' in the LDAP username submitted by the user on login.
#
# Example:
# - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
# - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
#
# If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
# disable this setting, because the userPrincipalName contains an '@'.
gitlab__ldap_username_or_email_login: '{{ True
if (gitlab__ldap_account_attribute in
[ "uid", "sAMAccountName" ])
else False }}'

# ]]]
# .. envvar:: gitlab__ldap_block_auto_created_users [[[
#
# Enable this setting to keep new LDAP users blocked until they have been
# cleared by the admin.
gitlab__ldap_block_auto_created_users: False

# ]]]
# .. envvar:: gitlab__ldap_lowercase_usernames [[[
#
# If enabled, GitLab will convert usernames to lowercase before searching the
# for the LDAP user accounts.
gitlab__ldap_lowercase_usernames: True
# ]]]
# ]]]
# Piwik configuration [[[
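Review bot: The `(authorizedService=*)` clause in the new `gitlab__ldap_user_filter` is an LDAP presence filter, not a match on a literal `*` value, so it selects every `inetOrgPerson` that carries any `authorizedService` attribute; this makes the two specific `gitlab` and `web-public` clauses before it redundant and lets accounts authorized only for other services log in to GitLab, which contradicts the changelog entry in this commit that says the filter limits access to objects with specific attribute values. If the intent is the "all services" convention where the attribute value is literally `*`, the asterisk must be escaped per RFC 4515, `(authorizedService=\2a)`, and the comment above the variable should say that the three values are alternatives rather than a wildcard. Separately, `gitlab__ldap_host` applies `| first` to an empty list when the `ansible_local.ldap.hosts` fact is absent, which yields an undefined value and a template error instead of an empty string; presumably it is only rendered behind a `gitlab__ldap_enabled` check, but that is worth confirming against the gitlab.rb template. A `| first | d("")` suffix would make the default safe to render unconditionally. The `no_log: True` on the dependent task further down is correct, since `gitlab__ldap_self_attributes` embeds the plaintext `userPassword`.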
@@ -1102,6 +1196,19 @@ gitlab__postgresql__dependent_pgpass:
database: '{{ gitlab_database_name }}'
role: '{{ gitlab_database_user }}'

# ]]]
# .. envvar:: gitlab__ldap__dependent_tasks [[[
#
# Configuration for the :ref:`debops.ldap` Ansible role.
gitlab__ldap__dependent_tasks:

- name: 'Create GitLab account for {{ gitlab__ldap_device_dn | join(",") }}'
dn: '{{ gitlab__ldap_binddn }}'
objectClass: '{{ gitlab__ldap_self_object_classes }}'
attributes: '{{ gitlab__ldap_self_attributes }}'
no_log: True
state: '{{ "present" if gitlab__ldap_device_dn|d() else "ignore" }}'

# ]]]
# .. envvar:: gitlab__nginx__dependent_upstreams [[[
#

This file was deleted.

@@ -107,6 +107,3 @@
owner: 'root'
group: 'root'
mode: '0644'

- include: ldap_account.yml
when: gitlab_ldap_enable|bool and gitlab_ldap_manage|bool
