Re: ACL to authenticate gitlab users

[Quanah Gibson-Mount <quanah@symas.com>]

--On Sunday, May 07, 2017 5:49 PM +0200 Xaar <xaar@linux.pl> wrote:

> Hello,
>
> I want to authenticate users via OpenLDAP to Gitlab. In Gitlab
> configuration there is a gitlab.rb file, where I can write some special
> user (let it be gitlabuser) with credentials who will be bind to ldap
> server. Now my question is, what acl should I provide to this user on
> OpenLDAP server to allow other users authenticate to Gitlab ?
>
> Now my DIT looks like this:
>
> dc=company,dc=com
> |
> |
> - cn=admin
> - cn=gitlabuser
> |
> |
> - ou=Groups
> - ou=Users -> here are users which I want to give access to Gitlab
>
> Is this entry is fair enough ?
>
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0} to attrs=userPassword by anonymous auth by
> dn=„cn=admin,dc=company,dc=com" write by * none olcAccess: {1} to
> dn.base=„" by * read
> olcAccess: {2} to * by * read

It would allow anyone (anonymous or authenticated) to read all your 
entries, minus the userPassword attribute.  Depending on your security 
requirements, this may or may not be desirable.

--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>