Setting up ldap auth

nsideras edited this page Feb 1, 2013 · 9 revisions

Gitlab supports LDAP user authentication. This means user accounts can be tied to Windows domain accounts via Active Directory, which is an LDAP service.

Please note that LDAP accounts to be used with Gitlab must have an email address configured. When LDAP is enabled, the initial login dialog asks for the user's LDAP login and password (under Active Directory these are their Windows domain login and password). These details are used to authenticate the user against the configured LDAP domain, so the user's LDAP credentials are never stored within Gitlab. If no local Gitlab account exists, one is created using the LDAP account's email address, and a backup password is mailed to the new user so that Gitlab can still be used if the LDAP service is unavailable. Such local Gitlab accounts are identified by their email address. Only the password for this backup email login is stored in the Gitlab application database. Since that backup password works without contacting LDAP, removing or disabling a user in the directory does not by itself lock them out of Gitlab; the local Gitlab account has to be blocked as well.

Since 2.9 the LDAP settings are part of the gitlab.yml configuration file.

Edit the auth settings in section 2. These need configuration details for your local network. For OpenLDAP the uid field should be 'uid', but when using Active Directory it should normally be 'sAMAccountName'. The default setup uses secure LDAP (ldaps) on port 636, but you can also use port 389 for unencrypted LDAP. Which to use depends on your local servers; bear in mind that on port 389 the bind_dn password and every user's login password cross the network in cleartext, so ldaps should be preferred wherever the directory supports it.
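As an added illustration (not the wiki's own text, and not copied from a GitLab release), this is what section 2 of config/gitlab.yml looks like for a fictional example.com directory. The `port`, `uid`, `bind_dn` and `password` keys are the ones described above; the `enabled`, `host`, `base` and `method` key names are assumed from the config template of that era, so check them against the comments in your own gitlab.yml.

```yaml
# Added example, not part of the wiki page: the ldap block in config/gitlab.yml.
# All values are placeholders for a made-up example.com directory.
production:
  ldap:
    enabled: true
    host: 'ldap.example.com'                       # assumed key name
    base: 'OU=People,DC=example,DC=com'            # assumed key name: subtree searched for users
    port: 636                                      # 636 = ldaps (default), 389 = plain ldap
    method: 'ssl'                                  # assumed key name: 'ssl' with 636, 'plain' with 389
    uid: 'sAMAccountName'                          # Active Directory; use 'uid' for OpenLDAP
    bind_dn: 'CN=gitlab,OU=People,DC=example,DC=com'  # full DN of the account Gitlab binds as
    password: 'bind-account-password'              # placeholder; this file must stay readable only by the gitlab user
```

Because this file holds the bind account's cleartext password, keep it out of version control and restrict its file permissions to the account Gitlab runs as.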

The bind_dn field is the account used to initially bind to the directory and must be the full DN of that account, i.e. CN=gitlab,OU=People,DC=example,DC=com. The password field is the password for the bind_dn account. If either of these two fields is incorrect you will get an "Invalid credentials" error for all LDAP logins. You can check them with a utility like ldapsearch or ldapwhoami, e.g.: ldapwhoami -x -D 'uid=gitlab,ou=people,dc=example,dc=com' -w '5iveL!fe' (the -x selects simple bind, which -D and -w require; add -H ldaps://your-server if your ldap.conf does not already point at the directory, and use -W instead of -w to be prompted for the password rather than leaving it in your shell history).
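The following script is an added example, not from the wiki or from GitLab, that checks the gitlab.yml fields described in the two paragraphs above from the command line before you restart Gitlab: it derives the LDAP URI from the port, confirms that the bind_dn and password authenticate with ldapwhoami, and then searches for a given login on the configured uid attribute while requiring a mail attribute, since accounts without an email address cannot be used. The host, base, account and password values are constructed placeholders; the helper names are my own.

```shell
#!/bin/sh
# Added example (not part of the GitLab wiki): verify gitlab.yml LDAP settings.
# All values below are constructed placeholders; replace them with your own.
LDAP_HOST="ldap.example.com"
LDAP_PORT="636"                  # 636 = ldaps, 389 = unencrypted ldap
LDAP_BASE="ou=people,dc=example,dc=com"
LDAP_UID="uid"                   # 'uid' for OpenLDAP, 'sAMAccountName' for Active Directory
BIND_DN="cn=gitlab,ou=people,dc=example,dc=com"
BIND_PW="5iveL!fe"               # the wiki's sample password; -W below would prompt instead

# Derive the URI from the port: 636 is ldaps, anything else is plain ldap.
ldap_uri() {
    if [ "$2" = "636" ]; then
        printf 'ldaps://%s:%s' "$1" "$2"
    else
        printf 'ldap://%s:%s' "$1" "$2"
    fi
}

# Build a filter matching the login on the uid attribute and requiring a mail
# attribute. The login is not escaped here, so pass plain account names only.
user_filter() {
    printf '(&(%s=%s)(mail=*))' "$1" "$2"
}

# Step 1: does the bind account authenticate? A wrong bind_dn or password here
# is what produces "Invalid credentials" for every Gitlab LDAP login.
check_bind() {
    ldapwhoami -x -H "$(ldap_uri "$LDAP_HOST" "$LDAP_PORT")" -D "$BIND_DN" -w "$BIND_PW"
}

# Step 2: can the bind account see the given login, and does it carry an email?
# No result means Gitlab will not be able to create or match the local account.
check_user() {
    ldapsearch -x -LLL -H "$(ldap_uri "$LDAP_HOST" "$LDAP_PORT")" \
        -D "$BIND_DN" -w "$BIND_PW" -b "$LDAP_BASE" \
        "$(user_filter "$LDAP_UID" "$1")" dn mail
}

# Plain ldap exposes the bind password and all user passwords on the wire.
if [ "$LDAP_PORT" != "636" ]; then
    echo "warning: port $LDAP_PORT sends bind and user passwords unencrypted" >&2
fi

# Usage: ./ldapcheck.sh jsmith   (runs both checks against the live directory)
if [ -n "${1:-}" ]; then
    check_bind && check_user "$1"
fi
```

Run it once with the bind credentials only (no argument) to confirm step 1 silently succeeds, then with a real login to confirm that user is found with a mail attribute; if the search returns nothing, fix the base or the uid attribute before blaming the bind account.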

See for further details.

Remember to restart Gitlab to apply the changes.