Commit fd700992 authored by Suzanne Selhorn's avatar Suzanne Selhorn

Merge branch 'eread/move-and-edit-multiple-ldap-servers-content' into 'master'

Move multiple LDAP servers content and edit for CTRT

See merge request gitlab-org/gitlab!75062
parents 7352e14e d720a95b
...@@ -222,6 +222,51 @@ These LDAP sync configuration settings are available: ...@@ -222,6 +222,51 @@ These LDAP sync configuration settings are available:
| `external_groups` | An array of CNs of groups containing users that should be considered external. Not `cn=interns` or the full DN. | **{dotted-circle}** No | `['interns', 'contractors']` | | `external_groups` | An array of CNs of groups containing users that should be considered external. Not `cn=interns` or the full DN. | **{dotted-circle}** No | `['interns', 'contractors']` |
| `sync_ssh_keys` | The LDAP attribute containing a user's public SSH key. | **{dotted-circle}** No | `'sshPublicKey'` or false if not set | | `sync_ssh_keys` | The LDAP attribute containing a user's public SSH key. | **{dotted-circle}** No | `'sshPublicKey'` or false if not set |
### Use multiple LDAP servers **(PREMIUM SELF)**
If you have users on multiple LDAP servers, you can configure GitLab to use them. To add additional LDAP servers:
1. Duplicate the [`main` LDAP configuration](#configure-ldap).
1. Edit each duplicate configuration with the details of the additional servers.
- For each additional server, choose a different provider ID, like `main`, `secondary`, or `tertiary`. Use lowercase
alphanumeric characters. GitLab uses the provider ID to associate each user with a specific LDAP server.
- For each entry, use a unique `label` value. These values are used for the tab names on the sign-in page.
#### Example of multiple LDAP servers
The following example shows how to configure three LDAP servers in `gitlab.rb`:
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
'main' => {
'label' => 'GitLab AD',
'host' => 'ad.example.org',
'port' => 636,
...
},
'secondary' => {
'label' => 'GitLab Secondary AD',
'host' => 'ad-secondary.example.net',
'port' => 636,
...
},
'tertiary' => {
'label' => 'GitLab Tertiary AD',
'host' => 'ad-tertiary.example.net',
'port' => 636,
...
}
}
```
This example results in the following sign-in page:
![Multiple LDAP servers sign in](img/multi_login.gif)
### Set up LDAP user filter ### Set up LDAP user filter
To limit all GitLab access to a subset of the LDAP users on your LDAP server, first narrow the To limit all GitLab access to a subset of the LDAP users on your LDAP server, first narrow the
...@@ -452,56 +497,6 @@ If initially your LDAP configuration looked like: ...@@ -452,56 +497,6 @@ If initially your LDAP configuration looked like:
1. [Restart GitLab](../../restart_gitlab.md#installations-from-source) for the changes to take effect. 1. [Restart GitLab](../../restart_gitlab.md#installations-from-source) for the changes to take effect.
## Multiple LDAP servers **(PREMIUM SELF)**
With GitLab, you can configure multiple LDAP servers that your GitLab instance
connects to.
To add another LDAP server:
1. Duplicate the settings under [the main configuration](#configure-ldap).
1. Edit them to match the additional LDAP server.
Be sure to choose a different provider ID made of letters a-z and numbers 0-9.
This ID is stored in the database so that GitLab can remember which LDAP
server a user belongs to.
![Multiple LDAP Servers Sign in](img/multi_login.gif)
Based on the example illustrated on the image above,
our `gitlab.rb` configuration would look like:
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
'main' => {
'label' => 'GitLab AD',
'host' => 'ad.example.org',
'port' => 636,
...
},
'secondary' => {
'label' => 'GitLab Secondary AD',
'host' => 'ad-secondary.example.net',
'port' => 636,
...
},
'tertiary' => {
'label' => 'GitLab Tertiary AD',
'host' => 'ad-tertiary.example.net',
'port' => 636,
...
}
}
```
If you configure multiple LDAP servers, use a unique naming convention for the
`label` section of each entry. That label is used as the display name of the tab
shown on the sign-in page.
## Disable anonymous LDAP authentication ## Disable anonymous LDAP authentication
GitLab doesn't support TLS client authentication. Complete these steps on your LDAP server. GitLab doesn't support TLS client authentication. Complete these steps on your LDAP server.
......
...@@ -582,8 +582,8 @@ for each of these users. ...@@ -582,8 +582,8 @@ for each of these users.
## Expired license causes errors with multiple LDAP servers ## Expired license causes errors with multiple LDAP servers
Using [multiple LDAP servers](index.md#multiple-ldap-servers) requires a valid license. An expired Using [multiple LDAP servers](index.md#use-multiple-ldap-servers) requires a valid license. An expired license can
license can cause: cause:
- `502` errors in the web interface. - `502` errors in the web interface.
- The following error in logs (the actual strategy name depends on the name configured in `/etc/gitlab/gitlab.rb`): - The following error in logs (the actual strategy name depends on the name configured in `/etc/gitlab/gitlab.rb`):
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment