GitLab authentication with FreeIPA


  • GitLab: gitlab-ce_11.10.7-ce.0_amd64.deb
  • FreeIPA: VERSION: 4.6.90.pre1+git20180411, API_VERSION: 2.229
  • OS: Ubuntu 18.04




  • Set the hostname
$ sudo hostnamectl set-hostname  #ipa server
$ sudo hostnamectl set-hostname  #gitlab server
  • Configure name resolution
$ echo "" | sudo tee -a /etc/hosts
$ echo "" | sudo tee -a /etc/hosts



$ sudo apt update
$ sudo apt install rng-tools


$ sudo vim  /etc/default/rng-tools
# for the viapadlock and tpm drivers.
  • Enable and start rng-tools
$ sudo systemctl enable --now rng-tools



  • Run the following command to install the FreeIPA package:
$ sudo apt -y install freeipa-server


$ sudo ipa-server-install
The log file for this installation can be found in /var/log/ipaserver-install.log
This program will set up the FreeIPA Server.

This includes:
  * Configure a stand-alone CA (dogtag) for certificate management
  * Configure the NTP client (chronyd)
  * Create and configure an instance of Directory Server
  * Create and configure a Kerberos Key Distribution Center (KDC)
  * Configure Apache (httpd)
  * Configure the KDC to enable PKINIT

To accept the default shown in brackets, press the Enter key.

WARNING: conflicting time&date synchronization service 'ntp' will be disabled
in favor of chronyd

Do you want to configure integrated DNS (BIND)? [no]: no

Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form

Server host name []:

The domain name has been determined based on the host name.

Please confirm the domain name []:

The kerberos protocol requires a Realm name to be defined.
This is typically the domain name converted to uppercase.

Please provide a realm name [CCAV.COM]: CCAV.COM
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and has full access
to the Directory for system management tasks and will be added to the
instance of directory server created for IPA.
The password must be at least 8 characters long.

Directory Manager password:
Password (confirm):

The IPA server requires an administrative user, named 'admin'.
This user is a regular system account used for IPA server administration.

IPA admin password:
Password (confirm):

The IPA Master Server will be configured with:
IP address(es):
Domain name:
Realm name:     CCAV.COM

The CA will be configured with:
Subject DN:   CN=Certificate Authority,O=CCAV.COM
Subject base: O=CCAV.COM
Chaining:     self-signed

Continue to configure the system with these values? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.
Setup complete

Next steps:
    1. You must make sure these network ports are open:
        TCP Ports:
          * 80, 443: HTTP/HTTPS
          * 389, 636: LDAP/LDAPS
          * 88, 464: kerberos
        UDP Ports:
          * 88, 464: kerberos
          * 123: ntp

    2. You can now obtain a kerberos ticket using the command: 'kinit admin'
       This ticket will allow you to use the IPA tools (e.g., ipa user-add)
       and the web user interface.

Be sure to back up the CA certificates stored in /root/cacert.p12
These files are required to create replicas. The password for these
files is the Directory Manager password
  • Configure the firewall
$ sudo ufw enable
$ for i in 22 80 443 389 636 88 464; do sudo ufw allow proto tcp from any to any port $i; done
$ for i in 88 464 123; do sudo ufw allow proto udp from any to any port $i; done



$ kinit admin
Password for admin@CCAV.COM:
  • Check Kerberos:
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: admin@CCAV.COM

Valid starting       Expires              Service principal
09/21/2019 00:41:06  09/22/2019 00:41:03  krbtgt/CCAV.COM@CCAV.COM
  • Check whether the user admin exists on the FreeIPA server:
$ ipa user-find admin
1 user matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@CCAV.COM
  UID: 1404200000
  GID: 1404200000
  Account disabled: False
Number of entries returned 1




  • Create the gitlab_user group
$ ipa group-add --desc='DevOps' gitlab_user
  • Create the users
$ ipa user-add gitlab --first=Git --last=Lab --password
$ ipa user-add jenkins --first=CI --last=CD  --shell=/bin/bash --password
  • Add the users to the group
$ ipa group-add-member --users=gitlab,jenkins gitlab_user



  • Install


$ wget --content-disposition
$ dpkg -i download.deb
$ curl -s | sudo bash
$ sudo apt install gitlab-ce=11.10.7-ce.0
  • Configure


$ sudo vim /etc/gitlab/gitlab.rb
external_url ''
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:   # server key; this is why the check below reports "Server: ldapmain"
    label: 'LDAP'
    host: ''
    port: 389
    uid: 'uid'
    bind_dn: 'uid=admin,cn=users,cn=accounts,dc=ccav,dc=com'   # the IPA admin account is used as the bind account here
    password: 'manunkind'
    encryption: 'plain'   # bind and user passwords cross the network unencrypted; FreeIPA also serves LDAPS on 636 (opened in ufw above)
    active_directory: true   # FreeIPA is not Active Directory; GitLab's documentation recommends false for non-AD servers
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'cn=users,cn=accounts,dc=ccav,dc=com'
    user_filter: '(memberOf=cn=gitlab_user,cn=groups,cn=accounts,dc=ccav,dc=com)'   # FreeIPA maintains memberOf on user entries
EOS
  • Reload the new configuration
$ gitlab-ctl reconfigure
  • Check that the user list can be retrieved


$ gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
    DN: uid=s4lm0x,cn=users,cn=accounts,dc=ccav,dc=com     uid: s4lm0x
    DN: uid=gitlab,cn=users,cn=accounts,dc=ccav,dc=com     uid: gitlab
    DN: uid=gitlab1,cn=users,cn=accounts,dc=ccav,dc=com     uid: gitlab1

Checking LDAP ... Finished
  • Restart GitLab
$ gitlab-ctl restart
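The LDAP block above works, but it binds as the IPA admin over plain LDAP and flags a FreeIPA server as Active Directory. The following added example (not from the original post or from GitLab) puts that block next to a hardened variant and runs a small lint over both; the hostname, the `uid=gitlab-bind,cn=sysaccounts,cn=etc,...` read-only system account and its password are assumed placeholders.

```ruby
require 'yaml'

# Constructed sample: the page's LDAP block as written (typo fixed), hostname is a placeholder.
WEAK_LDAP = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'ipa.example.test'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=admin,cn=users,cn=accounts,dc=ccav,dc=com'
    password: 'manunkind'
    encryption: 'plain'
    active_directory: true
    base: 'cn=users,cn=accounts,dc=ccav,dc=com'
    user_filter: '(memberOf=cn=gitlab_user,cn=groups,cn=accounts,dc=ccav,dc=com)'
EOS

# Hardened variant: LDAPS on 636 with certificate verification (the GitLab host must trust the
# IPA CA, /etc/ipa/ca.crt on the IPA server) and a dedicated read-only FreeIPA system account
# (assumed name) instead of the admin principal.
HARDENED_LDAP = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: 'ipa.example.test'
    port: 636
    uid: 'uid'
    bind_dn: 'uid=gitlab-bind,cn=sysaccounts,cn=etc,dc=ccav,dc=com'
    password: 'REPLACE_WITH_SYSTEM_ACCOUNT_PASSWORD'
    encryption: 'simple_tls'
    verify_certificates: true
    active_directory: false
    base: 'cn=users,cn=accounts,dc=ccav,dc=com'
    user_filter: '(memberOf=cn=gitlab_user,cn=groups,cn=accounts,dc=ccav,dc=com)'
EOS

# Returns one finding string per weak setting, per configured server; empty means nothing flagged.
def ldap_findings(servers)
  servers.flat_map do |name, s|
    findings = []
    findings << "#{name}: encryption 'plain' sends bind and user passwords unencrypted" if s['encryption'] == 'plain'
    findings << "#{name}: TLS without verify_certificates: true" if s['encryption'] != 'plain' && s['verify_certificates'] != true
    findings << "#{name}: bind_dn is the IPA admin; use a read-only system account" if s['bind_dn'].to_s.start_with?('uid=admin,')
    findings << "#{name}: active_directory is true but FreeIPA is not AD" if s['active_directory']
    findings << "#{name}: user_filter does not restrict access to a group" unless s['user_filter'].to_s.include?('memberOf=')
    findings
  end
end

puts ldap_findings(WEAK_LDAP)   # three findings for the page's block, none for the hardened one
```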