Added LDAP configuration options, close #36

Changelog.md

@@ -1,5 +1,8 @@
 # Changelog
 
+**latest**
+- added LDAP configuration options.
+
 **6.7.3**
 - upgrade gitlab to 6.7.3
 - install ruby2.0 from ppa

README.md

@@ -292,6 +292,16 @@ Below is the complete list of available options that can be used to customize yo
 - **SMTP_USER**: SMTP username.
 - **SMTP_PASS**: SMTP password.
 - **SMTP_STARTTLS**: Enable STARTTLS. Defaults to true.
+- **LDAP_ENABLED**: Enable LDAP. Defaults to false
+- **LDAP_HOST**: LDAP Host
+- **LDAP_PORT**: LDAP Port. Defaults to 636
+- **LDAP_UID**: LDAP UID. Defaults to sAMAccountName
+- **LDAP_METHOD**: LDAP method, Possible values are ssl, tls and plain. Defaults to ssl
+- **LDAP_BIND_DN**:
+- **LDAP_PASS**: LDAP password
+- **LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN**: If enabled, GitLab will ignore everything after the first '@' in the LDAP username submitted by the user on login. Defaults to false if LDAP_UID is userPrincipalName, else true.
+- **LDAP_BASE**: Base where we can search for users. No default.
+- **LDAP_USER_FILTER**: Filter LDAP users. No default.
 
 # Maintenance
 

assets/init

@@ -37,6 +37,17 @@ SMTP_USER=${SMTP_USER:-}
 SMTP_PASS=${SMTP_PASS:-}
 SMTP_STARTTLS=${SMTP_STARTTLS:-true}
 
+LDAP_ENABLED=${LDAP_ENABLED:-false}
+LDAP_HOST=${LDAP_HOST:-}
+LDAP_PORT=${LDAP_PORT:-636}
+LDAP_UID=${LDAP_UID:-sAMAccountName}
+LDAP_METHOD=${LDAP_METHOD:-ssl}
+LDAP_BIND_DN=${LDAP_BIND_DN:-}
+LDAP_PASS=${LDAP_PASS:-}
+LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-}
+LDAP_BASE=${LDAP_BASE:-}
+LDAP_USER_FILTER=${LDAP_USER_FILTER:-}
+
 case "${DB_TYPE}" in
 	mysql) DB_PORT=${DB_PORT:-3306} ;;
 	postgres) DB_PORT=${DB_PORT:-5432} ;;
@@ -48,6 +59,11 @@ case "${GITLAB_BACKUPS}" in
 	disable|*) GITLAB_BACKUP_EXPIRY=${GITLAB_BACKUP_EXPIRY:-0} ;;
 esac
 
+case "${LDAP_UID}" in
+	userPrincipalName) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-false} ;;
+	*) LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN=${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN:-true}
+esac
+
 # generate a password for root.
 ROOT_PASSWORD=$(pwgen -c -n -1 12)
 echo "root:$ROOT_PASSWORD" | chpasswd
@@ -179,6 +195,18 @@ sed 's/{{SMTP_PASS}}/'${SMTP_PASS}'/' -i /home/git/gitlab/config/initializers/sm
 sed 's/{{SMTP_DOMAIN}}/'${SMTP_DOMAIN}'/' -i /home/git/gitlab/config/initializers/smtp_settings.rb
 sed 's/{{SMTP_STARTTLS}}/'${SMTP_STARTTLS}'/' -i /home/git/gitlab/config/initializers/smtp_settings.rb
 
+# apply LDAP configuration
+sudo -u git -H sed 's/{{LDAP_ENABLED}}/'${LDAP_ENABLED}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_HOST}}/'${LDAP_HOST}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_PORT}}/'${LDAP_PORT}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_UID}}/'${LDAP_UID}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_METHOD}}/'${LDAP_METHOD}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_BIND_DN}}/'${LDAP_BIND_DN}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_PASS}}/'${LDAP_PASS}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}}/'${LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_BASE}}/'${LDAP_BASE}'/' -i /home/git/gitlab/config/gitlab.yml
+sudo -u git -H sed 's/{{LDAP_USER_FILTER}}/'${LDAP_USER_FILTER}'/' -i /home/git/gitlab/config/gitlab.yml
+
 # take ownership of /home/git/data
 chown git:git /home/git/data
 

assets/setup/config/gitlabhq/gitlab.yml

@@ -119,13 +119,13 @@ production: &base
   # You can inspect a sample of the LDAP users with login access by running:
   #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
   ldap:
-    enabled: false
-    host: '_your_ldap_server'
-    port: 636
-    uid: 'sAMAccountName'
-    method: 'ssl' # "tls" or "ssl" or "plain"
-    bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
-    password: '_the_password_of_the_bind_user'
+    enabled: {{LDAP_ENABLED}}
+    host: '{{LDAP_HOST}}'
+    port: {{LDAP_PORT}}
+    uid: '{{LDAP_UID}}'
+    method: '{{LDAP_METHOD}}' # "tls" or "ssl" or "plain"
+    bind_dn: '{{LDAP_BIND_DN}}'
+    password: '{{LDAP_PASS}}'
     # If allow_username_or_email_login is enabled, GitLab will ignore everything
     # after the first '@' in the LDAP username submitted by the user on login.
     #
@@ -135,20 +135,20 @@ production: &base
     #
     # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
     # disable this setting, because the userPrincipalName contains an '@'.
-    allow_username_or_email_login: true
+    allow_username_or_email_login: {{LDAP_ALLOW_USERNAME_OR_EMAIL_LOGIN}}
 
     # Base where we can search for users
     #
     #   Ex. ou=People,dc=gitlab,dc=example
     #
-    base: ''
+    base: '{{LDAP_BASE}}'
 
     # Filter LDAP users
     #
     #   Format: RFC 4515
     #   Ex. (employeeType=developer)
     #
-    user_filter: ''
+    user_filter: '{{LDAP_USER_FILTER}}'
 
 
   ## OmniAuth settings