Setting up GitLab with Active Directory and a Self Signed Cert April, 2015

I really love GitHub but unfortunately not every organization can host code outside of their network or justify the cost of GitHub Enterprise (Which starts at $400+ p/m). After trying out some different packages, GitLab is the only thing that even comes close to GitHub for internal use without breaking the bank (Free Community Edition or starting at $34 p/m for Enterprise). In fact the free community edition would probably be sufficient for most organizations. Below I outline setting up GitLab on Ubuntu 14.04 with Active Directory integration and a self signed cert.

Install

The following installation instructions are taken from the download page.

sudo apt-get install openssh-server

# Omit if using an existing SMTP server
sudo apt-get install postfix

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
sudo apt-get install gitlab-ce

# If this fails, reboot and try again
sudo gitlab-ctl reconfigure

Browse to your server and make sure everything is up and running. Login as root/5iveL!fe and change the default password. Also disable sign ups (Admin area > Settings > Signup enabled).

Configure Email

The following enables email delivery and sets basic options:

sudo vim /etc/gitlab/gitlab.rb

 gitlab_rails['gitlab_email_enabled'] = true
 gitlab_rails['gitlab_email_from'] = 'gitlab@mydomain.int'
 gitlab_rails['gitlab_email_display_name'] = 'GitLab'

If you you are sending through an existing SMTP server, configure as follows (See here for more options):

 gitlab_rails['smtp_enable'] = true
 gitlab_rails['smtp_address'] = "smtp.mydomain.int"
 gitlab_rails['smtp_port'] = 25

Finally reconfigure for the changes to take effect.

sudo gitlab-ctl reconfigure

Unfortunately there isn’t a test email button anywhere, but you can add an SSH key as this sends a notification.

Configure Active Directory Integration

In order to integrate with Active Directory you will need to either have anonymous queries enabled or create a domain account with query access. By default members of the Domain Users group have this.

sudo vim /etc/gitlab/gitlab.rb

Configure the basic settings, see here for more details and settings.

 gitlab_rails['ldap_enabled'] = true
 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'My Organization' # Label shown on the login page
     host: 'ad1.mydomain.int' # AD server
     port: 389
     uid: 'sAMAccountName'
     method: 'plain' # "tls" or "ssl" or "plain"
     bind_dn: 'GitLab' # AD user that has query access
     password: 'P@$$w0rd' # Password of said user
     active_directory: true
     allow_username_or_email_login: false
     base: 'CN=Users,DC=mydomain,DC=int'
     user_filter: '' # Leave blank if not used
 EOS

If you want to filter based on group membership you can use the following user filter:

user_filter: '(memberOf:1.2.840.113556.1.4.1941:=CN=GitLabUsers,CN=Users,DC=mydomain,DC=int)'

Next, run the following to propagate the changes and ensure configuration is correct.

sudo gitlab-ctl reconfigure
sudo gitlab-rake gitlab:ldap:check RAILS_ENV=production

If so, you should see a list of users that match the base and filter:

Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
     DN: CN=GitLab,CN=Users,DC=mydomain,DC=int  sAMAccountName: GitLab
     DN: CN=Guest,CN=Users,DC=mydomain,DC=int  sAMAccountName: Guest
     ...

Checking LDAP ... Finished

GitLab pulls user email addresses from AD so you will need to make sure these are set on users accessing GitLab. These cannot be modified in GitLab.

Now login to GitLab with your domain account and set up your profile. Next, log out and login to GitLab as root. Then give your domain account admin privileges (Admin area > Users > Edit > Admin).

Configure SSL

Create the ssl folder where the cert will saved.

sudo mkdir -p /etc/gitlab/ssl
sudo chmod 700 /etc/gitlab/ssl

Create a self signed cert as outlined below or if you have a cert, copy the crt and key files into the ssl folder as code.mydomain.com.crt and code.mydomain.com.key respectively.

sudo openssl genrsa -out "/etc/gitlab/ssl/code.mydomain.int.key" 2048
sudo openssl req -new -key "/etc/gitlab/ssl/code.mydomain.int.key" -out "gitlab.csr"

# Country Name (2 letter code) [AU]:US
# State or Province Name (full name) [Some-State]:Maryland
# Locality Name (eg, city) []:Fort Meade
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Setec Astronomy
# Organizational Unit Name (eg, section) []:Research  
# Common Name (e.g. server FQDN or YOUR name) []:code.mydomain.int
# Email Address []:me@mydomain.int
# A challenge password []:
# An optional company name []:

sudo openssl x509 -req -days 3650 -in "gitlab.csr" \
     -signkey "/etc/gitlab/ssl/code.mydomain.int.key" \
     -out "/etc/gitlab/ssl/code.mydomain.int.crt"

sudo rm "gitlab.csr"

Now configure SSL.

sudo vim /etc/gitlab/gitlab.rb

 external_url 'https://code.mydomain.int'
 ...
 nginx['redirect_http_to_https'] = true

Now add the SSL exception to the firewall and propagate configuration changes and restart nginx.

# Enable SSL in the firewall
sudo ufw allow https

sudo gitlab-ctl reconfigure
sudo gitlab-ctl restart

You should now be able to access GitLab over SSL.

Reverse Proxy with SSL

If instead you have SSL setup through a reverse proxy you can change the default url to be https but you will need to disable SSL in nginx.

sudo vim /etc/gitlab/gitlab.rb

 external_url 'https://code.mydomain.com'
 ...
 nginx['listen_https'] = false

sudo gitlab-ctl reconfigure
Posted 04-15-2015
Git, GitLab
Creative Commons License