From 3c688a075778ced5566ba6fbcae8db6043284d49 Mon Sep 17 00:00:00 2001 From: Guwan Date: Thu, 28 Aug 2025 23:01:35 +0800 Subject: [PATCH] fix: first --- GITLAB-LDAP-SETUP.md | 192 ++++++++++++++++++++++++++++++++++++++++++ docker-compose.yml | 95 +++++++++++++++++++++ docker-compose1.yml | 97 +++++++++++++++++++++ gitlab-ldap-config.rb | 66 +++++++++++++++ ldap-init.ldif | 109 ++++++++++++++++++++++++ step.md | 9 ++ update-passwords.ldif | 15 ++++ users-only.ldif | 67 +++++++++++++++ 8 files changed, 650 insertions(+) create mode 100644 GITLAB-LDAP-SETUP.md create mode 100644 docker-compose.yml create mode 100644 docker-compose1.yml create mode 100644 gitlab-ldap-config.rb create mode 100644 ldap-init.ldif create mode 100644 step.md create mode 100644 update-passwords.ldif create mode 100644 users-only.ldif diff --git a/GITLAB-LDAP-SETUP.md b/GITLAB-LDAP-SETUP.md new file mode 100644 index 0000000..7a260e6 --- /dev/null +++ b/GITLAB-LDAP-SETUP.md 
@@ -0,0 +1,192 @@ +# GitLab LDAP集成部署指南 + +本指南将帮助您将现有的GitLab实例与LDAP服务器集成,实现统一的用户认证。 + +## 部署方案 + +我们提供了两种部署方案: + +### 方案一:使用Docker Compose(推荐) +使用提供的 `docker-compose.yml` 文件,一次性部署GitLab + OpenLDAP + phpLDAPadmin + +### 方案二:修改现有GitLab配置 +修改您现有的GitLab容器配置以连接到LDAP服务器 + +## 快速开始 + +### 1. 停止现有的GitLab容器 + +```bash +docker stop gitlab +docker rm gitlab +``` + +### 2. 使用Docker Compose部署 + +```bash +# 在项目目录中运行 +docker-compose up -d +``` + +这将启动以下服务: +- **OpenLDAP**: LDAP服务器 (端口 389) +- **phpLDAPadmin**: LDAP管理界面 (端口 8081) +- **GitLab**: GitLab服务器 (端口 8880) + +### 3. 初始化LDAP数据 + +等待所有容器启动后,导入初始数据: + +```bash +# 将LDIF文件复制到OpenLDAP容器 +docker cp ldap-init.ldif openldap:/tmp/ + +# 导入数据 +docker exec openldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/ldap-init.ldif +``` + +### 4. 验证部署 + +#### 访问服务 +- **GitLab**: http://localhost:8880 +- **phpLDAPadmin**: http://localhost:8081 +- **LDAP管理系统**: http://localhost:8080/ldap-demo/web/ + +#### 测试LDAP连接 +```bash +# 测试LDAP连接 +docker exec openldap ldapsearch -x -H ldap://localhost -b dc=example,dc=com -D "cn=admin,dc=example,dc=com" -w admin +``` + +## 配置说明 + +### LDAP服务器配置 + +- **服务器地址**: openldap (容器内) / localhost:389 (外部) +- **基础DN**: dc=example,dc=com +- **管理员DN**: cn=admin,dc=example,dc=com +- **管理员密码**: admin +- **用户基础**: ou=people,dc=example,dc=com +- **组基础**: ou=groups,dc=example,dc=com + +### GitLab LDAP配置 + +GitLab已配置为: +- 允许LDAP用户登录 +- 自动创建LDAP用户账户 +- 支持用户名或邮箱登录 +- 映射LDAP属性到GitLab用户信息 + +### 测试用户 + +系统已创建以下测试用户: + +| 用户名 | 密码 | 邮箱 | 角色 | 组 | +|--------|------|------|------|-----| +| john.doe | password123 | john.doe@example.com | Senior Developer | developers | +| jane.smith | password123 | jane.smith@example.com | Project Manager | administrators | +| bob.wilson | password123 | bob.wilson@example.com | DevOps Engineer | developers | + +## 使用您现有的GitLab容器 + +如果您想继续使用现有的GitLab容器,请按以下步骤操作: + +### 1. 启动LDAP服务器 + +```bash +# 只启动LDAP相关服务 +docker-compose up -d openldap phpldapadmin +``` + +### 2. 
修改GitLab配置 + +将 `gitlab-ldap-config.rb` 中的配置添加到您的GitLab配置文件: +`/d/23_Gitlab/DockerData/GitlabData/config/gitlab.rb` + +### 3. 重新配置GitLab + +```bash +docker exec gitlab gitlab-ctl reconfigure +docker exec gitlab gitlab-ctl restart +``` + +## 自定义配置 + +### 修改LDAP域名 + +如果您想使用不同的域名,请修改以下文件: +- `docker-compose.yml` 中的环境变量 +- `ldap-init.ldif` 中的DN +- GitLab配置中的base DN + +### 添加更多用户 + +您可以通过以下方式添加用户: +1. 使用phpLDAPadmin Web界面 (http://localhost:8081) +2. 使用您的LDAP管理系统 (http://localhost:8080/ldap-demo/web/) +3. 使用LDIF文件和ldapadd命令 + +### SSL/TLS配置 + +生产环境建议启用SSL/TLS: + +```bash +# 生成自签名证书(仅用于测试) +docker exec openldap openssl req -new -x509 -nodes -out /container/service/slapd/assets/certs/ldap.crt -keyout /container/service/slapd/assets/certs/ldap.key -days 365 +``` + +## 故障排除 + +### 常见问题 + +1. **GitLab无法连接LDAP** + - 检查容器网络连接 + - 验证LDAP服务器是否正常运行 + - 检查防火墙设置 + +2. **LDAP用户无法登录GitLab** + - 验证用户DN格式 + - 检查用户密码 + - 查看GitLab日志 + +3. **权限问题** + - 确保LDAP管理员有足够权限 + - 检查组映射配置 + +### 查看日志 + +```bash +# GitLab日志 +docker logs gitlab + +# LDAP日志 +docker logs openldap + +# GitLab LDAP调试 +docker exec gitlab grep -i ldap /var/log/gitlab/gitlab-rails/production.log +``` + +### 测试LDAP认证 + +```bash +# 测试用户认证 +docker exec openldap ldapwhoami -x -D "uid=john.doe,ou=people,dc=example,dc=com" -w password123 +``` + +## 安全建议 + +1. **更改默认密码**: 修改LDAP管理员密码 +2. **启用TLS**: 在生产环境中启用LDAP over TLS +3. **网络隔离**: 使用防火墙限制LDAP服务器访问 +4. **定期备份**: 备份LDAP数据和GitLab配置 +5. **监控日志**: 定期检查认证日志 + +## 下一步 + +1. 测试LDAP用户登录GitLab +2. 配置GitLab项目权限 +3. 设置LDAP组到GitLab角色的映射 +4. 配置邮件通知 +5. 设置备份策略 + +如有问题,请查看日志文件或联系系统管理员。 diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..12ce45e --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,95 @@ +version: "3.6" + +services: + # OpenLDAP服务器 + openldap: + image: osixia/openldap:1.5.0 + container_name: openldap + hostname: openldap + ports: + - "389:389" + - "636:636" + environment: + LDAP_LOG_LEVEL: "256" + LDAP_ORGANISATION: "Example Inc." + LDAP_DOMAIN: "example.com" + LDAP_BASE_DN: "dc=example,dc=com" + LDAP_ADMIN_PASSWORD: "admin" + LDAP_CONFIG_PASSWORD: "config" + LDAP_READONLY_USER: "false" + LDAP_RFC2307BIS_SCHEMA: "false" + LDAP_BACKEND: "mdb" + LDAP_TLS: "false" + LDAP_REPLICATION: "false" + KEEP_EXISTING_CONFIG: "false" + LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" + volumes: + - ./ldap_data:/var/lib/ldap + - ./ldap_config:/etc/ldap/slapd.d + networks: + - gitlab_network + restart: unless-stopped + + # LDAP管理界面 (phpLDAPadmin) + phpldapadmin: + image: osixia/phpldapadmin:latest + container_name: phpldapadmin + hostname: phpldapadmin + ports: + - "8081:80" + environment: + PHPLDAPADMIN_LDAP_HOSTS: "openldap" + PHPLDAPADMIN_HTTPS: "false" + depends_on: + - openldap + networks: + - gitlab_network + restart: unless-stopped + + # GitLab + gitlab: + image: gitlab/gitlab-ce:latest + container_name: gitlab + hostname: localhost + ports: + - "8880:8880" + - "443:443" + - "22:22" + environment: + GITLAB_OMNIBUS_CONFIG: | + external_url 'http://localhost:8880' + gitlab_rails['ldap_enabled'] = true + gitlab_rails['ldap_servers'] = { + 'main' => { + 'label' => 'LDAP', + 'host' => 'openldap', + 'port' => 389, + 'uid' => 'uid', + 'bind_dn' => 'cn=admin,dc=example,dc=com', + 'password' => 'admin', + 'encryption' => 'plain', + 'verify_certificates' => false, + 'timeout' => 10, + 'active_directory' => false, + 'user_filter' => '', + 'base' => 'dc=example,dc=com', + 'lowercase_usernames' => false, + 'allow_username_or_email_login' => true, + 'block_auto_created_users' => false + } + } + volumes: + - ./gitlab_config:/etc/gitlab + - ./gitlab_log:/var/log/gitlab + - ./gitlab_data:/var/opt/gitlab + depends_on: + - openldap + networks: + - gitlab_network + 
restart: unless-stopped + + + +networks: + gitlab_network: + driver: bridge diff --git a/docker-compose1.yml b/docker-compose1.yml new file mode 100644 index 0000000..327c302 --- /dev/null +++ b/docker-compose1.yml 
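Review bot: GitLab binds to the directory as the rootdn `cn=admin,dc=example,dc=com` with the literal password `admin` over `'encryption' => 'plain'`, while the same file publishes that directory on every host interface via `"389:389"`; anyone who can reach port 389 on the host therefore holds full write access to every account GitLab trusts, and the bind credential is committed to the repository. The image already supports a dedicated low-privilege bind account — the file explicitly sets `LDAP_READONLY_USER: "false"`; setting it to `"true"` (with the image's `LDAP_READONLY_USER_USERNAME`/`LDAP_READONLY_USER_PASSWORD` variables, if I recall them correctly) and pointing `bind_dn` at that account removes the need to hand GitLab the rootdn. Since GitLab reaches the server over `gitlab_network`, the 389 mapping can be dropped or pinned to loopback (`"127.0.0.1:389:389"`), and with `LDAP_TLS: "false"` the `"636:636"` mapping publishes nothing. `'block_auto_created_users' => false` additionally turns every directory entry into an active GitLab account on first login; `true` is the safer default until group mapping is in place.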
@@ -0,0 +1,97 @@ +version: "3.6" + +services: + # OpenLDAP服务器 + openldap: + image: osixia/openldap:1.5.0 + container_name: openldap + hostname: openldap + ports: + - "389:389" + - "636:636" + environment: + LDAP_LOG_LEVEL: "256" + LDAP_ORGANISATION: "Example Inc." + LDAP_DOMAIN: "example.com" + LDAP_BASE_DN: "dc=example,dc=com" + LDAP_ADMIN_PASSWORD: "admin" + LDAP_CONFIG_PASSWORD: "config" + LDAP_READONLY_USER: "false" + LDAP_RFC2307BIS_SCHEMA: "false" + LDAP_BACKEND: "mdb" + LDAP_TLS: "false" + LDAP_REPLICATION: "false" + KEEP_EXISTING_CONFIG: "false" + LDAP_REMOVE_CONFIG_AFTER_SETUP: "true" + volumes: + - ./ldap_data:/var/lib/ldap + - ./ldap_config:/etc/ldap/slapd.d + networks: + - gitlab_network + restart: unless-stopped + + # LDAP管理界面 (phpLDAPadmin) + phpldapadmin: + image: osixia/phpldapadmin:latest + container_name: phpldapadmin + hostname: phpldapadmin + ports: + - "8081:80" + environment: + PHPLDAPADMIN_LDAP_HOSTS: "openldap" + PHPLDAPADMIN_HTTPS: "false" + depends_on: + - openldap + networks: + - gitlab_network + restart: unless-stopped + + # GitLab + gitlab: + image: gitlab/gitlab-ce:latest + container_name: gitlab + hostname: localhost + ports: + - "8880:8880" + - "443:443" + - "22:22" + environment: + GITLAB_OMNIBUS_CONFIG: | + external_url 'http://localhost:8880' + gitlab_rails['ldap_enabled'] = true + gitlab_rails['ldap_servers'] = { + 'main' => { + 'label' => 'LDAP', + 'host' => 'openldap', + 'port' => 389, + 'uid' => 'uid', + 'bind_dn' => 'cn=admin,dc=example,dc=com', + 'password' => 'admin', + 'encryption' => 'plain', + 'verify_certificates' => false, + 'timeout' => 10, + 'active_directory' => false, + 'user_filter' => '', + 'base' => 'dc=example,dc=com', + 'lowercase_usernames' => false, + 'allow_username_or_email_login' => true, + 'block_auto_created_users' => false + } + } + volumes: + - /d/23_Gitlab/DockerData/GitlabData/config:/etc/gitlab + - /d/23_Gitlab/DockerData/GitlabData/log:/var/log/gitlab + - 
/d/23_Gitlab/DockerData/GitlabData/data:/var/opt/gitlab + depends_on: + - openldap + networks: + - gitlab_network + restart: unless-stopped + +volumes: + ldap_data: + ldap_config: + +networks: + gitlab_network: + driver: bridge diff --git a/gitlab-ldap-config.rb b/gitlab-ldap-config.rb new file mode 100644 index 0000000..de9415a --- /dev/null +++ b/gitlab-ldap-config.rb 
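Review bot: The trailing `volumes:` block declares named volumes `ldap_data` and `ldap_config`, but the `openldap` service mounts the bind paths `./ldap_data` and `./ldap_config`, so the two declarations are never referenced and a reader may assume the directory database lives in Docker-managed volumes when it actually sits in the working directory next to the compose file and the committed secrets. Either drop the declarations or use them (`- ldap_data:/var/lib/ldap` and `- ldap_config:/etc/ldap/slapd.d`). This file also repeats the whole GitLab LDAP stanza from docker-compose.yml, including `'password' => 'admin'` and `'encryption' => 'plain'`, so any credential or TLS change must be made in two places; a single compose file plus an override or env-file for the `/d/23_Gitlab/...` host paths would avoid the drift.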
@@ -0,0 +1,66 @@ +# GitLab LDAP配置文件 +# 将此配置添加到 /d/23_Gitlab/DockerData/GitlabData/config/gitlab.rb 文件中 + +# 外部URL配置 +external_url 'http://localhost:8880' + +# LDAP配置 +gitlab_rails['ldap_enabled'] = true +gitlab_rails['prevent_ldap_sign_in'] = false + +# LDAP服务器配置 +gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' + main: # 'main' 是任意的标签,用于标识LDAP服务器 + label: 'LDAP' + host: 'host.docker.internal' # 如果LDAP服务器在宿主机上运行 + port: 389 + uid: 'uid' # 用户名属性,根据您的LDAP架构调整 + bind_dn: 'cn=admin,dc=example,dc=com' # 管理员DN + password: 'admin' # 管理员密码 + encryption: 'plain' # 可选: 'start_tls' 或 'simple_tls' + verify_certificates: false + smartcard_auth: false + active_directory: false + allow_username_or_email_login: true + lowercase_usernames: false + block_auto_created_users: false + base: 'dc=example,dc=com' # LDAP基础DN + user_filter: '' + ## EE only + group_base: 'ou=groups,dc=example,dc=com' # 组基础DN + admin_group: 'administrators' # 管理员组 + sync_ssh_keys: false + + # 用户属性映射 + attributes: + username: ['uid', 'userid', 'sAMAccountName'] + email: ['mail', 'email', 'userPrincipalName'] + name: 'cn' + first_name: 'givenName' + last_name: 'sn' +EOS + +# 其他GitLab配置 +gitlab_rails['time_zone'] = 'Asia/Shanghai' + +# 邮件配置(可选) +gitlab_rails['gitlab_email_enabled'] = true +gitlab_rails['gitlab_email_from'] = 'gitlab@example.com' +gitlab_rails['gitlab_email_display_name'] = 'GitLab' + +# 备份配置(可选) +gitlab_rails['backup_keep_time'] = 604800 # 7天 + +# 日志级别 +gitlab_rails['log_level'] = 'INFO' + +# 禁用一些不需要的服务以节省资源(可选) +prometheus_monitoring['enable'] = false +alertmanager['enable'] = false +grafana['enable'] = false + +# 如果您想要启用HTTPS,取消注释以下配置 +# external_url 'https://localhost' +# nginx['redirect_http_to_https'] = true +# nginx['ssl_certificate'] = "/etc/gitlab/ssl/gitlab.crt" +# nginx['ssl_certificate_key'] = "/etc/gitlab/ssl/gitlab.key" diff --git a/ldap-init.ldif b/ldap-init.ldif new file mode 100644 index 0000000..571949e --- /dev/null +++ b/ldap-init.ldif 
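Review bot: `group_base` and `admin_group: 'administrators'` sit under the `## EE only` marker, and the compose files run `gitlab/gitlab-ce`, so on this deployment the administrators group is not synced and no LDAP user gains GitLab admin rights — worth a comment such as `# ignored on CE: no LDAP user becomes a GitLab admin from this setting` so the setup guide's role column is not misread. `verify_certificates: false` next to `encryption: 'plain'` is a no-op today but will silently disable certificate checking the moment someone flips to `start_tls`; set it to `true` (or remove the key) and change encryption together with `LDAP_TLS` on the server. The bind password is committed in clear here and the guide says to append this file to gitlab.rb, so at minimum note that gitlab.rb must remain root-owned and unreadable to other users, and consider `block_auto_created_users: true` so a directory entry does not become an active account without review.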
@@ -0,0 +1,109 @@ +# LDAP初始化数据文件 +# 用于创建基本的组织单位、用户和组 + +# 创建组织单位 - 用户 +dn: ou=people,dc=example,dc=com +objectClass: organizationalUnit +ou: people +description: 用户组织单位 + +# 创建组织单位 - 组 +dn: ou=groups,dc=example,dc=com +objectClass: organizationalUnit +ou: groups +description: 组织单位 + +# 创建管理员组 +dn: cn=administrators,ou=groups,dc=example,dc=com +objectClass: groupOfNames +cn: administrators +description: 系统管理员组 +member: cn=admin,dc=example,dc=com + +# 创建开发者组 +dn: cn=developers,ou=groups,dc=example,dc=com +objectClass: groupOfNames +cn: developers +description: 开发者组 +member: cn=admin,dc=example,dc=com + +# 创建测试用户1 +dn: uid=john.doe,ou=people,dc=example,dc=com +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: shadowAccount +uid: john.doe +sn: Doe +givenName: John +cn: John Doe +displayName: John Doe +uidNumber: 1001 +gidNumber: 1001 +userPassword: password123 +gecos: John Doe +loginShell: /bin/bash +homeDirectory: /home/john.doe +mail: john.doe@example.com +telephoneNumber: +1-555-0001 +title: Senior Developer +departmentNumber: IT +description: Senior Software Developer + +# 创建测试用户2 +dn: uid=jane.smith,ou=people,dc=example,dc=com +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: shadowAccount +uid: jane.smith +sn: Smith +givenName: Jane +cn: Jane Smith +displayName: Jane Smith +uidNumber: 1002 +gidNumber: 1002 +userPassword: password123 +gecos: Jane Smith +loginShell: /bin/bash +homeDirectory: /home/jane.smith +mail: jane.smith@example.com +telephoneNumber: +1-555-0002 +title: Project Manager +departmentNumber: IT +description: IT Project Manager + +# 创建测试用户3 +dn: uid=bob.wilson,ou=people,dc=example,dc=com +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: shadowAccount +uid: bob.wilson +sn: Wilson +givenName: Bob +cn: Bob Wilson +displayName: Bob Wilson +uidNumber: 1003 +gidNumber: 1003 +userPassword: password123 +gecos: Bob Wilson +loginShell: /bin/bash +homeDirectory: /home/bob.wilson +mail: 
bob.wilson@example.com
+telephoneNumber: +1-555-0003
+title: DevOps Engineer
+departmentNumber: IT
+description: DevOps and Infrastructure Engineer
+
+# 将用户添加到开发者组
+dn: cn=developers,ou=groups,dc=example,dc=com
+changetype: modify
+add: member
+member: uid=john.doe,ou=people,dc=example,dc=com
+-
+add: member
+member: uid=bob.wilson,ou=people,dc=example,dc=com
+
+# 将管理员用户添加到管理员组
+dn: cn=administrators,ou=groups,dc=example,dc=com
+changetype: modify
+add: member
+member: uid=jane.smith,ou=people,dc=example,dc=com
diff --git a/step.md b/step.md
new file mode 100644
index 0000000..8667ff4
--- /dev/null
+++ b/step.md
@@ -0,0 +1,9 @@
+# 将LDIF文件复制到OpenLDAP容器
+docker cp ldap-init.ldif openldap:/tmp/
+
+# 导入数据
+docker exec openldap ldapadd -x -D "cn=admin,dc=example,dc=com" -w admin -f /tmp/ldap-init.ldif
+
+ldap
+用户DN: cn=admin,dc=example,dc=com
+密码: admin
\ No newline at end of file
diff --git a/update-passwords.ldif b/update-passwords.ldif
new file mode 100644
index 0000000..28ae9a6
--- /dev/null
+++ b/update-passwords.ldif
@@ -0,0 +1,15 @@
+# 更新用户密码
+dn: uid=john.doe,ou=people,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: password123
+
+dn: uid=jane.smith,ou=people,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: password123
+
+dn: uid=bob.wilson,ou=people,dc=example,dc=com
+changetype: modify
+replace: userPassword
+userPassword: password123
diff --git a/users-only.ldif b/users-only.ldif
new file mode 100644
index 0000000..5d3ee74
--- /dev/null
+++ b/users-only.ldif
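Review bot: All three `userPassword:` values are written as the bare string `password123`; slapd stores the attribute as given, so unless a password-policy overlay hashes on write these credentials sit in the mdb database in clear and are readable by any bind allowed to see the attribute — including the rootdn that GitLab uses. Generate hashes with `slappasswd -s` and store `userPassword: {SSHA}...`, or add the entries without a password and set one with `ldappasswd -S`, which hashes before storing. Both `groupOfNames` entries also list `member: cn=admin,dc=example,dc=com` (the rootdn), presumably as a placeholder to satisfy the required `member` attribute; if `cn=administrators` is ever consumed for GitLab admin mapping, the rootdn is granted that role alongside the real users, so a real user should be the initial member instead.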
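Review bot: Each `replace: userPassword` writes the cleartext `password123` back into the entry, so running this file undoes any hashing applied to those accounts previously. Prefer `{SSHA}` hashes produced by `slappasswd -s` in the LDIF, or drop the file and use `ldappasswd -x -D "cn=admin,dc=example,dc=com" -W -S uid=john.doe,ou=people,dc=example,dc=com`, which hashes before storing and leaves no password in a committed file. Giving all three users the same password also means one leaked credential (it is printed in the setup guide) opens all three GitLab accounts.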
@@ -0,0 +1,67 @@
+# 只创建用户,不包含已存在的组织单位
+
+# 创建测试用户1
+dn: uid=john.doe,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: john.doe
+sn: Doe
+givenName: John
+cn: John Doe
+displayName: John Doe
+uidNumber: 1001
+gidNumber: 1001
+userPassword: password123
+gecos: John Doe
+loginShell: /bin/bash
+homeDirectory: /home/john.doe
+mail: john.doe@example.com
+telephoneNumber: +1-555-0001
+title: Senior Developer
+departmentNumber: IT
+description: Senior Software Developer
+
+# 创建测试用户2
+dn: uid=jane.smith,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: jane.smith
+sn: Smith
+givenName: Jane
+cn: Jane Smith
+displayName: Jane Smith
+uidNumber: 1002
+gidNumber: 1002
+userPassword: password123
+gecos: Jane Smith
+loginShell: /bin/bash
+homeDirectory: /home/jane.smith
+mail: jane.smith@example.com
+telephoneNumber: +1-555-0002
+title: Project Manager
+departmentNumber: IT
+description: IT Project Manager
+
+# 创建测试用户3
+dn: uid=bob.wilson,ou=people,dc=example,dc=com
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: bob.wilson
+sn: Wilson
+givenName: Bob
+cn: Bob Wilson
+displayName: Bob Wilson
+uidNumber: 1003
+gidNumber: 1003
+userPassword: password123
+gecos: Bob Wilson
+loginShell: /bin/bash
+homeDirectory: /home/bob.wilson
+mail: bob.wilson@example.com
+telephoneNumber: +1-555-0003
+title: DevOps Engineer
+departmentNumber: IT
+description: DevOps and Infrastructure Engineer
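Review bot: This file repeats the three user entries from ldap-init.ldif verbatim, including `userPassword: password123` in clear and the same `uidNumber`/`gidNumber` values, so every fix to the user definitions now has to be made in two files. If, as the header comment suggests, it exists for the case where `ou=people` already exists, the directory may also already hold these users from ldap-init.ldif, in which case `ldapadd` stops at the first `dn:` with an already-exists error unless run with `-c`; a top-of-file comment stating when this file is meant to be used instead of ldap-init.ldif would help. As in ldap-init.ldif, the passwords should be `{SSHA}` hashes generated with `slappasswd -s` rather than cleartext.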