fix: first

GITLAB-LDAP-SETUP.md

@@ -0,0 +1,192 @@
+# GitLab LDAP集成部署指南
+
+本指南将帮助您将现有的GitLab实例与LDAP服务器集成，实现统一的用户认证。
+
+## 部署方案
+
+我们提供了两种部署方案：
+
+### 方案一：使用Docker Compose（推荐）
+使用提供的 `docker-compose.yml` 文件，一次性部署GitLab + OpenLDAP + phpLDAPadmin
+
+### 方案二：修改现有GitLab配置
+修改您现有的GitLab容器配置以连接到LDAP服务器
+
+## 快速开始
+
+### 1. 停止现有的GitLab容器
+
+```bash
+docker stop gitlab
+docker rm gitlab
+```
+
+### 2. 使用Docker Compose部署
+
+```bash
+# 在项目目录中运行
+docker-compose up -d
+```
+
+这将启动以下服务：
+- **OpenLDAP**: LDAP服务器 (端口 389)
+- **phpLDAPadmin**: LDAP管理界面 (端口 8081)
+- **GitLab**: GitLab服务器 (端口 8880)
+
+### 3. 初始化LDAP数据
+
+等待所有容器启动后，导入初始数据：
+
+```bash
+# 将LDIF文件复制到OpenLDAP容器
+docker cp ldap-init.ldif openldap:/tmp/
+
+# 导入数据
+docker exec openldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/ldap-init.ldif
+```
+
+### 4. 验证部署
+
+#### 访问服务
+- **GitLab**: http://localhost:8880
+- **phpLDAPadmin**: http://localhost:8081
+- **LDAP管理系统**: http://localhost:8080/ldap-demo/web/
+
+#### 测试LDAP连接
+```bash
+# 测试LDAP连接
+docker exec openldap ldapsearch -x -H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -w admin
+```
+
+## 配置说明
+
+### LDAP服务器配置
+
+- **服务器地址**: openldap (容器内) / localhost:389 (外部)
+- **基础DN**: dc=example,dc=com
+- **管理员DN**: cn=admin,dc=example,dc=com
+- **管理员密码**: admin
+- **用户基础**: ou=people,dc=example,dc=com
+- **组基础**: ou=groups,dc=example,dc=com
+
+### GitLab LDAP配置
+
+GitLab已配置为：
+- 允许LDAP用户登录
+- 自动创建LDAP用户账户
+- 支持用户名或邮箱登录
+- 映射LDAP属性到GitLab用户信息
+
+### 测试用户
+
+系统已创建以下测试用户：
+
+| 用户名 | 密码 | 邮箱 | 角色 | 组 |
+|--------|------|------|------|-----|
+| john.doe | password123 | john.doe@example.com | Senior Developer | developers |
+| jane.smith | password123 | jane.smith@example.com | Project Manager | administrators |
+| bob.wilson | password123 | bob.wilson@example.com | DevOps Engineer | developers |
+
+## 使用您现有的GitLab容器
+
+如果您想继续使用现有的GitLab容器，请按以下步骤操作：
+
+### 1. 启动LDAP服务器
+
+```bash
+# 只启动LDAP相关服务
+docker-compose up -d openldap phpldapadmin
+```
+
+### 2. 修改GitLab配置
+
+将 `gitlab-ldap-config.rb` 中的配置添加到您的GitLab配置文件：
+`/d/23_Gitlab/DockerData/GitlabData/config/gitlab.rb`
+
+### 3. 重新配置GitLab
+
+```bash
+docker exec gitlab gitlab-ctl reconfigure
+docker exec gitlab gitlab-ctl restart
+```
+
+## 自定义配置
+
+### 修改LDAP域名
+
+如果您想使用不同的域名，请修改以下文件：
+- `docker-compose.yml` 中的环境变量
+- `ldap-init.ldif` 中的DN
+- GitLab配置中的base DN
+
+### 添加更多用户
+
+您可以通过以下方式添加用户：
+1. 使用phpLDAPadmin Web界面 (http://localhost:8081)
+2. 使用您的LDAP管理系统 (http://localhost:8080/ldap-demo/web/)
+3. 使用LDIF文件和ldapadd命令
+
+### SSL/TLS配置
+
+生产环境建议启用SSL/TLS：
+
+```bash
+# 生成自签名证书（仅用于测试）
+docker exec openldap openssl req -new -x509 -nodes -out /container/service/slapd/assets/certs/ldap.crt -keyout /container/service/slapd/assets/certs/ldap.key -days 365
+```
+
+## 故障排除
+
+### 常见问题
+
+1. **GitLab无法连接LDAP**
+   - 检查容器网络连接
+   - 验证LDAP服务器是否正常运行
+   - 检查防火墙设置
+
+2. **LDAP用户无法登录GitLab**
+   - 验证用户DN格式
+   - 检查用户密码
+   - 查看GitLab日志
+
+3. **权限问题**
+   - 确保LDAP管理员有足够权限
+   - 检查组映射配置
+
+### 查看日志
+
+```bash
+# GitLab日志
+docker logs gitlab
+
+# LDAP日志
+docker logs openldap
+
+# GitLab LDAP调试
+docker exec gitlab grep -i ldap /var/log/gitlab/gitlab-rails/production.log
+```
+
+### 测试LDAP认证
+
+```bash
+# 测试用户认证
+docker exec openldap ldapwhoami -x -D "uid=john.doe,ou=people,dc=example,dc=com" -w password123
+```
+
+## 安全建议
+
+1. **更改默认密码**: 修改LDAP管理员密码
+2. **启用TLS**: 在生产环境中启用LDAP over TLS
+3. **网络隔离**: 使用防火墙限制LDAP服务器访问
+4. **定期备份**: 备份LDAP数据和GitLab配置
+5. **监控日志**: 定期检查认证日志
+
+## 下一步
+
+1. 测试LDAP用户登录GitLab
+2. 配置GitLab项目权限
+3. 设置LDAP组到GitLab角色的映射
+4. 配置邮件通知
+5. 设置备份策略
+
+如有问题，请查看日志文件或联系系统管理员。

docker-compose.yml

@@ -0,0 +1,95 @@
+version: "3.6"
+
+services:
+  # OpenLDAP服务器
+  openldap:
+    image: osixia/openldap:1.5.0
+    container_name: openldap
+    hostname: openldap
+    ports:
+      - "389:389"
+      - "636:636"
+    environment:
+      LDAP_LOG_LEVEL: "256"
+      LDAP_ORGANISATION: "Example Inc."
+      LDAP_DOMAIN: "example.com"
+      LDAP_BASE_DN: "dc=example,dc=com"
+      LDAP_ADMIN_PASSWORD: "admin"
+      LDAP_CONFIG_PASSWORD: "config"
+      LDAP_READONLY_USER: "false"
+      LDAP_RFC2307BIS_SCHEMA: "false"
+      LDAP_BACKEND: "mdb"
+      LDAP_TLS: "false"
+      LDAP_REPLICATION: "false"
+      KEEP_EXISTING_CONFIG: "false"
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+    volumes:
+      - ./ldap_data:/var/lib/ldap
+      - ./ldap_config:/etc/ldap/slapd.d
+    networks:
+      - gitlab_network
+    restart: unless-stopped
+
+  # LDAP管理界面 (phpLDAPadmin)
+  phpldapadmin:
+    image: osixia/phpldapadmin:latest
+    container_name: phpldapadmin
+    hostname: phpldapadmin
+    ports:
+      - "8081:80"
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
+      PHPLDAPADMIN_HTTPS: "false"
+    depends_on:
+      - openldap
+    networks:
+      - gitlab_network
+    restart: unless-stopped
+
+  # GitLab
+  gitlab:
+    image: gitlab/gitlab-ce:latest
+    container_name: gitlab
+    hostname: localhost
+    ports:
+      - "8880:8880"
+      - "443:443"
+      - "22:22"
+    environment:
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url 'http://localhost:8880'
+        gitlab_rails['ldap_enabled'] = true
+        gitlab_rails['ldap_servers'] = {
+          'main' => {
+            'label' => 'LDAP',
+            'host' => 'openldap',
+            'port' => 389,
+            'uid' => 'uid',
+            'bind_dn' => 'cn=admin,dc=example,dc=com',
+            'password' => 'admin',
+            'encryption' => 'plain',
+            'verify_certificates' => false,
+            'timeout' => 10,
+            'active_directory' => false,
+            'user_filter' => '',
+            'base' => 'dc=example,dc=com',
+            'lowercase_usernames' => false,
+            'allow_username_or_email_login' => true,
+            'block_auto_created_users' => false
+          }
+        }
+    volumes:
+      - ./gitlab_config:/etc/gitlab
+      - ./gitlab_log:/var/log/gitlab
+      - ./gitlab_data:/var/opt/gitlab
+    depends_on:
+      - openldap
+    networks:
+      - gitlab_network
+    restart: unless-stopped
+
+
+
+networks:
+  gitlab_network:
+    driver: bridge

docker-compose1.yml

@@ -0,0 +1,97 @@
+version: "3.6"
+
+services:
+  # OpenLDAP服务器
+  openldap:
+    image: osixia/openldap:1.5.0
+    container_name: openldap
+    hostname: openldap
+    ports:
+      - "389:389"
+      - "636:636"
+    environment:
+      LDAP_LOG_LEVEL: "256"
+      LDAP_ORGANISATION: "Example Inc."
+      LDAP_DOMAIN: "example.com"
+      LDAP_BASE_DN: "dc=example,dc=com"
+      LDAP_ADMIN_PASSWORD: "admin"
+      LDAP_CONFIG_PASSWORD: "config"
+      LDAP_READONLY_USER: "false"
+      LDAP_RFC2307BIS_SCHEMA: "false"
+      LDAP_BACKEND: "mdb"
+      LDAP_TLS: "false"
+      LDAP_REPLICATION: "false"
+      KEEP_EXISTING_CONFIG: "false"
+      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
+    volumes:
+      - ./ldap_data:/var/lib/ldap
+      - ./ldap_config:/etc/ldap/slapd.d
+    networks:
+      - gitlab_network
+    restart: unless-stopped
+
+  # LDAP管理界面 (phpLDAPadmin)
+  phpldapadmin:
+    image: osixia/phpldapadmin:latest
+    container_name: phpldapadmin
+    hostname: phpldapadmin
+    ports:
+      - "8081:80"
+    environment:
+      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
+      PHPLDAPADMIN_HTTPS: "false"
+    depends_on:
+      - openldap
+    networks:
+      - gitlab_network
+    restart: unless-stopped
+
+  # GitLab
+  gitlab:
+    image: gitlab/gitlab-ce:latest
+    container_name: gitlab
+    hostname: localhost
+    ports:
+      - "8880:8880"
+      - "443:443"
+      - "22:22"
+    environment:
+      GITLAB_OMNIBUS_CONFIG: |
+        external_url 'http://localhost:8880'
+        gitlab_rails['ldap_enabled'] = true
+        gitlab_rails['ldap_servers'] = {
+          'main' => {
+            'label' => 'LDAP',
+            'host' => 'openldap',
+            'port' => 389,
+            'uid' => 'uid',
+            'bind_dn' => 'cn=admin,dc=example,dc=com',
+            'password' => 'admin',
+            'encryption' => 'plain',
+            'verify_certificates' => false,
+            'timeout' => 10,
+            'active_directory' => false,
+            'user_filter' => '',
+            'base' => 'dc=example,dc=com',
+            'lowercase_usernames' => false,
+            'allow_username_or_email_login' => true,
+            'block_auto_created_users' => false
+          }
+        }
+    volumes:
+      - /d/23_Gitlab/DockerData/GitlabData/config:/etc/gitlab
+      - /d/23_Gitlab/DockerData/GitlabData/log:/var/log/gitlab
+      - /d/23_Gitlab/DockerData/GitlabData/data:/var/opt/gitlab
+    depends_on:
+      - openldap
+    networks:
+      - gitlab_network
+    restart: unless-stopped
+
+volumes:
+  ldap_data:
+  ldap_config:
+
+networks:
+  gitlab_network:
+    driver: bridge

gitlab-ldap-config.rb

@@ -0,0 +1,66 @@
+# GitLab LDAP配置文件
+# 将此配置添加到 /d/23_Gitlab/DockerData/GitlabData/config/gitlab.rb 文件中
+
+# 外部URL配置
+external_url 'http://localhost:8880'
+
+# LDAP配置
+gitlab_rails['ldap_enabled'] = true
+gitlab_rails['prevent_ldap_sign_in'] = false
+
+# LDAP服务器配置
+gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
+  main: # 'main' 是任意的标签，用于标识LDAP服务器
+    label: 'LDAP'
+    host: 'host.docker.internal'  # 如果LDAP服务器在宿主机上运行
+    port: 389
+    uid: 'uid'  # 用户名属性，根据您的LDAP架构调整
+    bind_dn: 'cn=admin,dc=example,dc=com'  # 管理员DN
+    password: 'admin'  # 管理员密码
+    encryption: 'plain' # 可选: 'start_tls' 或 'simple_tls'
+    verify_certificates: false
+    smartcard_auth: false
+    active_directory: false
+    allow_username_or_email_login: true
+    lowercase_usernames: false
+    block_auto_created_users: false
+    base: 'dc=example,dc=com'  # LDAP基础DN
+    user_filter: ''
+    ## EE only
+    group_base: 'ou=groups,dc=example,dc=com'  # 组基础DN
+    admin_group: 'administrators'  # 管理员组
+    sync_ssh_keys: false
+    
+    # 用户属性映射
+    attributes:
+      username: ['uid', 'userid', 'sAMAccountName']
+      email: ['mail', 'email', 'userPrincipalName']
+      name: 'cn'
+      first_name: 'givenName'
+      last_name: 'sn'
+EOS
+
+# 其他GitLab配置
+gitlab_rails['time_zone'] = 'Asia/Shanghai'
+
+# 邮件配置（可选）
+gitlab_rails['gitlab_email_enabled'] = true
+gitlab_rails['gitlab_email_from'] = 'gitlab@example.com'
+gitlab_rails['gitlab_email_display_name'] = 'GitLab'
+
+# 备份配置（可选）
+gitlab_rails['backup_keep_time'] = 604800  # 7天
+
+# 日志级别
+gitlab_rails['log_level'] = 'INFO'
+
+# 禁用一些不需要的服务以节省资源（可选）
+prometheus_monitoring['enable'] = false
+alertmanager['enable'] = false
+grafana['enable'] = false
+
+# 如果您想要启用HTTPS，取消注释以下配置
+# external_url 'https://localhost'
+# nginx['redirect_http_to_https'] = true
+# nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt"
+# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key"

ldap-init.ldif

@@ -0,0 +1,109 @@
+# LDAP初始化数据文件
+# 用于创建基本的组织单位、用户和组
+
+# 创建组织单位 - 用户
+dn: ou=people,dc=example,dc=com
+objectClass: organizationalUnit
+ou: people
+description: 用户组织单位
+
+# 创建组织单位 - 组
+dn: ou=groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: groups
+description: 组织单位
+
+# 创建管理员组
+dn: cn=administrators,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: administrators
+description: 系统管理员组
+member: cn=admin,dc=example,dc=com
+
+# 创建开发者组
+dn: cn=developers,ou=groups,dc=example,dc=com
+objectClass: groupOfNames
+cn: developers
+description: 开发者组
+member: cn=admin,dc=example,dc=com
+
+# 创建测试用户1
+dn: uid=john.doe,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: john.doe
+sn: Doe
+givenName: John
+cn: John Doe
+displayName: John Doe
+uidNumber: 1001
+gidNumber: 1001
+userPassword: password123
+gecos: John Doe
+loginShell: /bin/bash
+homeDirectory: /home/john.doe
+mail: john.doe@example.com
+telephoneNumber: +1-555-0001
+title: Senior Developer
+departmentNumber: IT
+description: Senior Software Developer
+
+# 创建测试用户2
+dn: uid=jane.smith,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: jane.smith
+sn: Smith
+givenName: Jane
+cn: Jane Smith
+displayName: Jane Smith
+uidNumber: 1002
+gidNumber: 1002
+userPassword: password123
+gecos: Jane Smith
+loginShell: /bin/bash
+homeDirectory: /home/jane.smith
+mail: jane.smith@example.com
+telephoneNumber: +1-555-0002
+title: Project Manager
+departmentNumber: IT
+description: IT Project Manager
+
+# 创建测试用户3
+dn: uid=bob.wilson,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: bob.wilson
+sn: Wilson
+givenName: Bob
+cn: Bob Wilson
+displayName: Bob Wilson
+uidNumber: 1003
+gidNumber: 1003
+userPassword: password123
+gecos: Bob Wilson
+loginShell: /bin/bash
+homeDirectory: /home/bob.wilson
+mail: bob.wilson@example.com
+telephoneNumber: +1-555-0003
+title: DevOps Engineer
+departmentNumber: IT
+description: DevOps and Infrastructure Engineer
+
+# 将用户添加到开发者组
+dn: cn=developers,ou=groups,dc=example,dc=com
+changetype: modify
+add: member
+member: uid=john.doe,ou=people,dc=example,dc=com
+-
+add: member
+member: uid=bob.wilson,ou=people,dc=example,dc=com
+
+# 将管理员用户添加到管理员组
+dn: cn=administrators,ou=groups,dc=example,dc=com
+changetype: modify
+add: member
+member: uid=jane.smith,ou=people,dc=example,dc=com

step.md

@@ -0,0 +1,9 @@
+# 将LDIF文件复制到OpenLDAP容器
+docker cp ldap-init.ldif openldap:/tmp/
+
+# 导入数据
+docker exec openldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/ldap-init.ldif
+
+ldap
+用户DN: cn=admin,dc=example,dc=com
+密码: admin

update-passwords.ldif

@@ -0,0 +1,15 @@
+# 更新用户密码
+dn: uid=john.doe,ou=people,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: password123
+
+dn: uid=jane.smith,ou=people,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: password123
+
+dn: uid=bob.wilson,ou=people,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: password123

users-only.ldif

@@ -0,0 +1,67 @@
+# 只创建用户，不包含已存在的组织单位
+
+# 创建测试用户1
+dn: uid=john.doe,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: john.doe
+sn: Doe
+givenName: John
+cn: John Doe
+displayName: John Doe
+uidNumber: 1001
+gidNumber: 1001
+userPassword: password123
+gecos: John Doe
+loginShell: /bin/bash
+homeDirectory: /home/john.doe
+mail: john.doe@example.com
+telephoneNumber: +1-555-0001
+title: Senior Developer
+departmentNumber: IT
+description: Senior Software Developer
+
+# 创建测试用户2
+dn: uid=jane.smith,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: jane.smith
+sn: Smith
+givenName: Jane
+cn: Jane Smith
+displayName: Jane Smith
+uidNumber: 1002
+gidNumber: 1002
+userPassword: password123
+gecos: Jane Smith
+loginShell: /bin/bash
+homeDirectory: /home/jane.smith
+mail: jane.smith@example.com
+telephoneNumber: +1-555-0002
+title: Project Manager
+departmentNumber: IT
+description: IT Project Manager
+
+# 创建测试用户3
+dn: uid=bob.wilson,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: bob.wilson
+sn: Wilson
+givenName: Bob
+cn: Bob Wilson
+displayName: Bob Wilson
+uidNumber: 1003
+gidNumber: 1003
+userPassword: password123
+gecos: Bob Wilson
+loginShell: /bin/bash
+homeDirectory: /home/bob.wilson
+mail: bob.wilson@example.com
+telephoneNumber: +1-555-0003
+title: DevOps Engineer
+departmentNumber: IT
+description: DevOps and Infrastructure Engineer