Commit 8a822b91 authored by Evan Read's avatar Evan Read Committed by Suzanne Selhorn

Split user and group sync from main LDAP content

parent 4f1c3fc0
......@@ -35,7 +35,7 @@ The steps below cover:
credentials' and 'Read user information'. Select 'Add LDAP Client'
NOTE:
If you plan to use GitLab [LDAP Group Sync](index.md#group-sync)
If you plan to use GitLab [LDAP Group Sync](ldap_synchronization.md#group-sync)
, turn on 'Read group information'.
![Add LDAP Client Step 2](img/google_secure_ldap_add_step_2.png)
......
This diff is collapsed.
......@@ -229,7 +229,7 @@ ldapsearch -H ldaps://$host:$port -D "$bind_dn" -y bind_dn_password.txt -b "$ba
#### Sync all users **(PREMIUM SELF)**
The output from a manual [user sync](index.md#user-sync) can show you what happens when
The output from a manual [user sync](ldap_synchronization.md#user-sync) can show you what happens when
GitLab tries to sync its users against LDAP. Enter the [rails console](#rails-console)
and then run:
......@@ -239,8 +239,7 @@ Rails.logger.level = Logger::DEBUG
LdapSyncWorker.new.perform
```
Next, [learn how to read the
output](#example-console-output-after-a-user-sync).
Next, [learn how to read the output](#example-console-output-after-a-user-sync).
##### Example console output after a user sync **(PREMIUM SELF)**
......@@ -342,9 +341,8 @@ LDAP group sync, but for some reason it's not happening. There are several
things to check to debug the situation.
- Ensure LDAP configuration has a `group_base` specified.
[This configuration](index.md#group-sync) is required for group sync to work properly.
- Ensure the correct [LDAP group link is added to the GitLab
group](index.md#add-group-links).
[This configuration](ldap_synchronization.md#group-sync) is required for group sync to work properly.
- Ensure the correct [LDAP group link is added to the GitLab group](ldap_synchronization.md#add-group-links).
- Check that the user has an LDAP identity:
1. Sign in to GitLab as an administrator user.
1. On the top bar, select **Menu > Admin**.
......@@ -354,7 +352,7 @@ things to check to debug the situation.
1. Select the **Identities** tab. There should be an LDAP identity with
an LDAP DN as the 'Identifier'. If not, this user hasn't signed in with
LDAP yet and must do so first.
- You've waited an hour or [the configured interval](index.md#adjust-ldap-group-sync-schedule) for
- You've waited an hour or [the configured interval](ldap_synchronization.md#adjust-ldap-group-sync-schedule) for
the group to sync. To speed up the process, either go to the GitLab group **Group information > Members**
and press **Sync now** (sync one group) or [run the group sync Rake task](../../raketasks/ldap.md#run-a-group-sync)
(sync all groups).
......@@ -366,8 +364,7 @@ the rails console.
1. Choose a GitLab group to test with. This group should have an LDAP group link
already configured.
1. [Enable debug logging, find the above GitLab group, and sync it with LDAP](#sync-one-group).
1. Look through the output of the sync. See [example log
output](#example-console-output-after-a-group-sync)
1. Look through the output of the sync. See [example log output](#example-console-output-after-a-group-sync)
for how to read the output.
1. If you still aren't able to see why the user isn't being added, [query the LDAP group directly](#query-a-group-in-ldap)
to see what members are listed.
......@@ -377,20 +374,20 @@ the rails console.
#### Administrator privileges not granted
When [Administrator sync](index.md#administrator-sync) has been configured
When [Administrator sync](ldap_synchronization.md#administrator-sync) has been configured
but the configured users aren't granted the correct administrator privileges, confirm
the following are true:
- A [`group_base` is also configured](index.md#group-sync).
- A [`group_base` is also configured](ldap_synchronization.md#group-sync).
- The configured `admin_group` in the `gitlab.rb` is a CN, rather than a DN or an array.
- This CN falls under the scope of the configured `group_base`.
- The members of the `admin_group` have already signed into GitLab with their LDAP
credentials. GitLab only grants the Administrator role to the users whose
accounts are already connected to LDAP.
If all the above are true and the users are still not getting access, [run a manual
group sync](#sync-all-groups) in the rails console and [look through the
output](#example-console-output-after-a-group-sync) to see what happens when
If all the above are true and the users are still not getting access,
[run a manual group sync](#sync-all-groups) in the rails console and
[look through the output](#example-console-output-after-a-group-sync) to see what happens when
GitLab syncs the `admin_group`.
#### Sync all groups
......@@ -399,7 +396,7 @@ NOTE:
To sync all groups manually when debugging is unnecessary,
[use the Rake task](../../raketasks/ldap.md#run-a-group-sync) instead.
The output from a manual [group sync](index.md#group-sync) can show you what happens
The output from a manual [group sync](ldap_synchronization.md#group-sync) can show you what happens
when GitLab syncs its LDAP group memberships against LDAP.
```ruby
......@@ -494,7 +491,7 @@ this line indicates the sync is finished:
Finished syncing admin users for 'ldapmain' provider
```
If [administrator sync](index.md#administrator-sync) is not configured, you see a message
If [administrator sync](ldap_synchronization.md#administrator-sync) is not configured, you see a message
stating as such:
```shell
......@@ -610,8 +607,7 @@ If a user account is blocked or unblocked due to the LDAP configuration, a
message is [logged to `application.log`](../../logs.md#applicationlog).
If there is an unexpected error during an LDAP lookup (configuration error,
timeout), the sign-in is rejected and a message is [logged to
`production.log`](../../logs.md#productionlog).
timeout), the sign-in is rejected and a message is [logged to `production.log`](../../logs.md#productionlog).
### ldapsearch
......
This diff is collapsed.
......@@ -22,8 +22,8 @@ relevant compliance standards.
|**[Email all users of a project, group, or entire server](../tools/email.md)**<br>An administrator can email groups of users based on project or group membership, or email everyone using the GitLab instance. This is great for scheduled maintenance or upgrades. | Premium+ | **{dotted-circle}** No | Instance |
|**[Omnibus package supports log forwarding](https://docs.gitlab.com/omnibus/settings/logs.html#udp-log-forwarding)**<br>Forward your logs to a central system. | Premium+ | **{dotted-circle}** No | Instance |
|**[Lock project membership to group](../user/group/index.md#prevent-members-from-being-added-to-a-group)**<br>Group owners can prevent new members from being added to projects within a group. | Premium+ | **{check-circle}** Yes | Group |
|**[LDAP group sync](auth/ldap/index.md#group-sync)**<br>GitLab Enterprise Edition gives administrators the ability to automatically sync groups and manage SSH keys, permissions, and authentication, so you can focus on building your product, not configuring your tools. | Premium+ | **{dotted-circle}** No | Instance |
|**[LDAP group sync filters](auth/ldap/index.md#group-sync)**<br>GitLab Enterprise Edition Premium gives more flexibility to synchronize with LDAP based on filters, meaning you can leverage LDAP attributes to map GitLab permissions. | Premium+ | **{dotted-circle}** No | Instance |
|**[LDAP group sync](auth/ldap/ldap_synchronization.md#group-sync)**<br>GitLab Enterprise Edition gives administrators the ability to automatically sync groups and manage SSH keys, permissions, and authentication, so you can focus on building your product, not configuring your tools. | Premium+ | **{dotted-circle}** No | Instance |
|**[LDAP group sync filters](auth/ldap/ldap_synchronization.md#group-sync)**<br>GitLab Enterprise Edition Premium gives more flexibility to synchronize with LDAP based on filters, meaning you can leverage LDAP attributes to map GitLab permissions. | Premium+ | **{dotted-circle}** No | Instance |
|**[Audit events](audit_events.md)**<br>To maintain the integrity of your code, GitLab Enterprise Edition Premium gives administrators the ability to view any modifications made within the GitLab server in an advanced audit events system, so you can control, analyze, and track every change. | Premium+ | **{check-circle}** Yes | Instance, Group, Project |
|**[Auditor users](auditor_users.md)**<br>Auditor users are users who are given read-only access to all projects, groups, and other resources on the GitLab instance. | Premium+ | **{dotted-circle}** No | Instance |
|**[Credentials inventory](../user/admin_area/credentials_inventory.md)**<br>With a credentials inventory, GitLab administrators can keep track of the credentials used by all of the users in their GitLab instance. | Ultimate | **{dotted-circle}** No | Instance |
......
......@@ -44,7 +44,7 @@ Get started:
**More resources**
- Learn more about [running multiple Agile teams](https://www.youtube.com/watch?v=VR2r1TJCDew).
- Sync group memberships [by using LDAP](../administration/auth/ldap/index.md#group-sync).
- Sync group memberships [by using LDAP](../administration/auth/ldap/ldap_synchronization.md#group-sync).
- Manage user access with inherited permissions. Use up to 20 levels of subgroups to organize both teams and projects.
- Learn more about [inherited permissions](../user/project/members/index.md#inherited-membership).
- View [nested category examples](../user/group/subgroups/index.md#overview).
......
......@@ -38,13 +38,13 @@ rake gitlab:ldap:check[50]
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/14735) in GitLab 12.2.
The following task runs a [group sync](../auth/ldap/index.md#group-sync) immediately. This is valuable
when you'd like to update all configured group memberships against LDAP without
The following task runs a [group sync](../auth/ldap/ldap_synchronization.md#group-sync) immediately.
This is valuable when you'd like to update all configured group memberships against LDAP without
waiting for the next scheduled group sync to be run.
NOTE:
If you'd like to change the frequency at which a group sync is performed,
[adjust the cron schedule](../auth/ldap/index.md#adjust-ldap-group-sync-schedule)
[adjust the cron schedule](../auth/ldap/ldap_synchronization.md#adjust-ldap-group-sync-schedule)
instead.
**Omnibus Installation**
......
......@@ -50,15 +50,15 @@ the tiers are no longer mentioned in GitLab documentation:
- [Group management through LDAP](../administration/auth/ldap/ldap-troubleshooting.md#group-memberships)
- Syncing information through LDAP:
- Groups: [one group](../administration/auth/ldap/ldap-troubleshooting.md#sync-one-group),
[all groups programmatically](../administration/auth/ldap/index.md#group-sync),
[group sync schedule](../administration/auth/ldap/index.md#adjust-ldap-group-sync-schedule), and
[all groups programmatically](../administration/auth/ldap/ldap_synchronization.md#group-sync),
[group sync schedule](../administration/auth/ldap/ldap_synchronization.md#adjust-ldap-group-sync-schedule), and
[all groups manually](../administration/auth/ldap/ldap-troubleshooting.md#sync-all-groups)
- [Configuration settings](../administration/auth/ldap/index.md#ldap-sync-configuration-settings)
- Users: [all users](../administration/auth/ldap/index.md#user-sync),
[administrators](../administration/auth/ldap/index.md#administrator-sync),
[user sync schedule](../administration/auth/ldap/index.md#adjust-ldap-user-sync-schedule)
- [Adding group links](../administration/auth/ldap/index.md#add-group-links)
- [Lock memberships to LDAP synchronization](../administration/auth/ldap/index.md#global-group-memberships-lock)
- Users: [all users](../administration/auth/ldap/ldap_synchronization.md#user-sync),
[administrators](../administration/auth/ldap/ldap_synchronization.md#administrator-sync),
[user sync schedule](../administration/auth/ldap/ldap_synchronization.md#adjust-ldap-user-sync-schedule)
- [Adding group links](../administration/auth/ldap/ldap_synchronization.md#add-group-links)
- [Lock memberships to LDAP synchronization](../administration/auth/ldap/ldap_synchronization.md#global-group-memberships-lock)
- Rake tasks for [LDAP tasks](../administration/raketasks/ldap.md), including
[syncing groups](../administration/raketasks/ldap.md#run-a-group-sync)
- Logging:
......
......@@ -329,7 +329,7 @@ Group syncing allows LDAP groups to be mapped to GitLab groups. This provides mo
Group links can be created by using either a CN or a filter. To create these group links, go to the group's **Settings > LDAP Synchronization** page. After configuring the link, it may take more than an hour for the users to sync with the GitLab group.
For more information on the administration of LDAP and group sync, refer to the [main LDAP documentation](../../administration/auth/ldap/index.md#group-sync).
For more information on the administration of LDAP and group sync, refer to the [main LDAP documentation](../../administration/auth/ldap/ldap_synchronization.md#group-sync).
NOTE:
When you add LDAP synchronization, if an LDAP user is a group member and they are not part of the LDAP group, they are removed from the group.
......
......@@ -384,8 +384,10 @@ An administrator can flag a user as external by either of the following methods:
1. On the left sidebar, select **Overview > Users** to create a new user or edit an existing one.
There, you can find the option to flag the user as external.
Additionally users can be set as external users using [SAML groups](../integration/saml.md#external-groups)
and [LDAP groups](../administration/auth/ldap/index.md#external-groups).
Additionally users can be set as external users using:
- [SAML groups](../integration/saml.md#external-groups).
- [LDAP groups](../administration/auth/ldap/ldap_synchronization.md#external-groups).
### Setting new users to external
......
......@@ -11,7 +11,7 @@
= _('Lock memberships to LDAP synchronization')
%span.form-text.text-muted
= _('If checked, new group memberships and permissions can only be added via LDAP synchronization')
= link_to sprite_icon('question-o'), help_page_path('administration/auth/ldap/index.md', anchor: 'global-group-memberships-lock')
= link_to sprite_icon('question-o'), help_page_path('administration/auth/ldap/ldap_synchronization.md', anchor: 'global-group-memberships-lock')
.form-check
= form.check_box :allow_group_owners_to_manage_ldap, class: 'form-check-input'
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment