debian-mirror-gitlab/doc/administration/raketasks/ldap.md

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

245 lines
6 KiB
Markdown
Raw Normal View History

2021-01-29 00:20:46 +05:30
---
stage: Manage
2022-04-04 11:22:00 +05:30
group: Authentication and Authorization
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2021-01-29 00:20:46 +05:30
---
2021-03-11 19:13:27 +05:30
# LDAP Rake tasks **(FREE SELF)**
2020-05-24 23:13:21 +05:30
The following are LDAP-related Rake tasks.
2017-08-17 22:00:37 +05:30
## Check
2021-06-08 01:23:25 +05:30
The LDAP check Rake task tests the `bind_dn` and `password` credentials
(if configured) and lists a sample of LDAP users. This task is also
2017-08-17 22:00:37 +05:30
executed as part of the `gitlab:check` task, but can run independently
using the command below.
**Omnibus Installation**
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
sudo gitlab-rake gitlab:ldap:check
```
**Source Installation**
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
sudo -u git -H bundle exec rake gitlab:ldap:check RAILS_ENV=production
```
2021-06-08 01:23:25 +05:30
By default, the task returns a sample of 100 LDAP users. Change this
2017-08-17 22:00:37 +05:30
limit by passing a number to the check task:
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
rake gitlab:ldap:check[50]
```
2021-03-11 19:13:27 +05:30
## Run a group sync **(PREMIUM SELF)**
2019-10-12 21:52:04 +05:30
2021-06-08 01:23:25 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/14735) in GitLab 12.2.
2019-10-12 21:52:04 +05:30
2021-12-11 22:18:48 +05:30
The following task runs a [group sync](../auth/ldap/ldap_synchronization.md#group-sync) immediately.
This is valuable when you'd like to update all configured group memberships against LDAP without
2019-10-12 21:52:04 +05:30
waiting for the next scheduled group sync to be run.
2021-02-22 17:27:13 +05:30
NOTE:
2019-10-12 21:52:04 +05:30
If you'd like to change the frequency at which a group sync is performed,
2021-12-11 22:18:48 +05:30
[adjust the cron schedule](../auth/ldap/ldap_synchronization.md#adjust-ldap-group-sync-schedule)
2019-10-12 21:52:04 +05:30
instead.
**Omnibus Installation**
2020-03-13 15:44:24 +05:30
```shell
2019-10-12 21:52:04 +05:30
sudo gitlab-rake gitlab:ldap:group_sync
```
**Source Installation**
2020-03-13 15:44:24 +05:30
```shell
2019-10-12 21:52:04 +05:30
bundle exec rake gitlab:ldap:group_sync
```
2017-08-17 22:00:37 +05:30
## Rename a provider
2021-06-08 01:23:25 +05:30
If you change the LDAP server ID in `gitlab.yml` or `gitlab.rb` you need
to update all user identities or users aren't able to sign in. Input the
old and new provider and this task updates all matching identities in the
2017-08-17 22:00:37 +05:30
database.
`old_provider` and `new_provider` are derived from the prefix `ldap` plus the
LDAP server ID from the configuration file. For example, in `gitlab.yml` or
`gitlab.rb` you may see LDAP configuration like this:
```yaml
main:
label: 'LDAP'
host: '_your_ldap_server'
port: 389
uid: 'sAMAccountName'
...
```
`main` is the LDAP server ID. Together, the unique provider is `ldapmain`.
2021-06-08 01:23:25 +05:30
WARNING:
If you input an incorrect new provider, users cannot sign in. If this happens,
run the task again with the incorrect provider as the `old_provider` and the
correct provider as the `new_provider`.
2017-08-17 22:00:37 +05:30
**Omnibus Installation**
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
sudo gitlab-rake gitlab:ldap:rename_provider[old_provider,new_provider]
```
**Source Installation**
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
bundle exec rake gitlab:ldap:rename_provider[old_provider,new_provider] RAILS_ENV=production
```
### Example
Consider beginning with the default server ID `main` (full provider `ldapmain`).
If we change `main` to `mycompany`, the `new_provider` is `ldapmycompany`.
To rename all user identities run the following command:
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
sudo gitlab-rake gitlab:ldap:rename_provider[ldapmain,ldapmycompany]
```
Example output:
2020-03-13 15:44:24 +05:30
```plaintext
2017-08-17 22:00:37 +05:30
100 users with provider 'ldapmain' will be updated to 'ldapmycompany'.
If the new provider is incorrect, users will be unable to sign in.
Do you want to continue (yes/no)? yes
User identities were successfully updated
```
### Other options
2021-06-08 01:23:25 +05:30
If you do not specify an `old_provider` and `new_provider` the task prompts you
2017-08-17 22:00:37 +05:30
for them:
**Omnibus Installation**
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
sudo gitlab-rake gitlab:ldap:rename_provider
```
**Source Installation**
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
bundle exec rake gitlab:ldap:rename_provider RAILS_ENV=production
```
**Example output:**
2020-03-13 15:44:24 +05:30
```plaintext
2017-08-17 22:00:37 +05:30
What is the old provider? Ex. 'ldapmain': ldapmain
What is the new provider? Ex. 'ldapcustom': ldapmycompany
```
2021-06-08 01:23:25 +05:30
This task also accepts the `force` environment variable, which skips the
2017-08-17 22:00:37 +05:30
confirmation dialog:
2020-03-13 15:44:24 +05:30
```shell
2017-08-17 22:00:37 +05:30
sudo gitlab-rake gitlab:ldap:rename_provider[old_provider,new_provider] force=yes
```
2021-02-22 17:27:13 +05:30
## Secrets
2021-11-11 11:23:49 +05:30
GitLab can use [LDAP configuration secrets](../auth/ldap/index.md#use-encrypted-credentials) to read from an encrypted file.
The following Rake tasks are provided for updating the contents of the encrypted file.
2021-02-22 17:27:13 +05:30
### Show secret
Show the contents of the current LDAP secrets.
**Omnibus Installation**
```shell
sudo gitlab-rake gitlab:ldap:secret:show
```
**Source Installation**
```shell
bundle exec rake gitlab:ldap:secret:show RAILS_ENV=production
```
**Example output:**
```plaintext
main:
password: '123'
2022-07-16 23:28:13 +05:30
bind_dn: 'gitlab-adm'
2021-02-22 17:27:13 +05:30
```
### Edit secret
Opens the secret contents in your editor, and writes the resulting content to the encrypted secret file when you exit.
**Omnibus Installation**
```shell
sudo gitlab-rake gitlab:ldap:secret:edit EDITOR=vim
```
**Source Installation**
```shell
bundle exec rake gitlab:ldap:secret:edit RAILS_ENV=production EDITOR=vim
```
### Write raw secret
Write new secret content by providing it on STDIN.
**Omnibus Installation**
```shell
echo -e "main:\n password: '123'" | sudo gitlab-rake gitlab:ldap:secret:write
```
**Source Installation**
```shell
echo -e "main:\n password: '123'" | bundle exec rake gitlab:ldap:secret:write RAILS_ENV=production
```
### Secrets examples
**Editor example**
The write task can be used in cases where the edit command does not work with your editor:
```shell
# Write the existing secret to a plaintext file
sudo gitlab-rake gitlab:ldap:secret:show > ldap.yaml
# Edit the ldap file in your editor
...
# Re-encrypt the file
cat ldap.yaml | sudo gitlab-rake gitlab:ldap:secret:write
# Remove the plaintext file
rm ldap.yaml
```
**KMS integration example**
It can also be used as a receiving application for content encrypted with a KMS:
```shell
gcloud kms decrypt --key my-key --keyring my-test-kms --plaintext-file=- --ciphertext-file=my-file --location=us-west1 | sudo gitlab-rake gitlab:ldap:secret:write
```
2021-03-11 19:13:27 +05:30
**Google Cloud secret integration example**
2021-02-22 17:27:13 +05:30
2021-03-11 19:13:27 +05:30
It can also be used as a receiving application for secrets out of Google Cloud:
2021-02-22 17:27:13 +05:30
```shell
gcloud secrets versions access latest --secret="my-test-secret" > $1 | sudo gitlab-rake gitlab:ldap:secret:write
```