Uberleet

Linux Systems Articles for better insights

Creating Readonly LDAP Service Accounts for FreeIPA


Often I need a read-only service account that an application can use for LDAP searches and bind authentication. You could delegate the job to a regular user account, but that has drawbacks:

  • A user account is more privileged than a bind account needs to be: it can log in to IPA-enrolled hosts, obtain Kerberos tickets, and change its own attributes.
  • A user account's password is subject to the IPA password policy and will expire, at which point the application silently stops authenticating anyone.

It's a better idea to create a dedicated system account under cn=sysaccounts,cn=etc for application access. Such an account gets only the default ACIs for authenticated binds, which allow reading user and group data (but not passwords or Kerberos keys) and grant no write access, so it is read-only unless you explicitly add permissions to it. Create an LDIF file (eg gitlab_service_account.ldif); the uid in the dn and the uid attribute must be identical, the dc components must be your realm's base DN, and the passwordExpirationTime far in the future (plus nsIdleTimeout: 0) keeps the account from expiring or being idle-disconnected:

dn: uid=gitlab_svc,cn=sysaccounts,cn=etc,dc=localdomain,dc=loc
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: gitlab_svc
userPassword: ohaimakethissimethingtoughtobreak
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Import the LDIF as an IPA admin over a Kerberos-authenticated (GSSAPI) connection:

kinit admin
ldapmodify -Y GSSAPI -f gitlab_service_account.ldif

Keep this LDIF handy in /root or somewhere similar in case you have to reverse, alter, or audit the changes you've made to the LDAP database. Bear in mind that it contains the service account's cleartext password (the server stores only a hash), so restrict it to root (chmod 600) or strip the userPassword line after the import.
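The same steps as a script, added here as an example that is not part of the original post or of FreeIPA: it generates the password instead of hand-typing one, writes the LDIF with mode 0600, and refuses to proceed if the uid in the RDN does not match the uid attribute. The uid, base DN and output path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeIPA: build the
# sysaccount LDIF with a generated password, store it with mode 0600 and
# sanity-check it before importing. Requires only sh, sed and openssl.
# The uid, base DN and output path in the usage line are placeholders.
set -eu

# Print an LDIF add entry for a FreeIPA system account. FreeIPA keeps these
# under cn=sysaccounts,cn=etc; the uid in the RDN and the uid attribute must
# agree, and the far-future passwordExpirationTime keeps the password from
# expiring.
make_sysaccount_ldif() {
    uid="$1"; base_dn="$2"; password="$3"
    cat <<EOF
dn: uid=${uid},cn=sysaccounts,cn=etc,${base_dn}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${uid}
userPassword: ${password}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# 32 random bytes, base64 encoded, instead of a hand-typed password.
gen_password() {
    openssl rand -base64 32 | tr -d '\n'
}

# Write the LDIF so that only root can read the cleartext password in it.
write_ldif() {
    out="$1"; uid="$2"; base_dn="$3"; password="$4"
    ( umask 077; make_sysaccount_ldif "$uid" "$base_dn" "$password" > "$out" )
}

# Succeed only if the uid in the dn's RDN equals the uid: attribute. A mismatch
# here either makes the add fail or creates an account whose DN is not the
# one you later put in gitlab.rb.
ldif_rdn_consistent() {
    file="$1"
    rdn_uid=$(sed -n 's/^dn: uid=\([^,]*\),.*/\1/p' "$file" | head -n 1)
    attr_uid=$(sed -n 's/^uid: //p' "$file" | head -n 1)
    [ -n "$rdn_uid" ] && [ "$rdn_uid" = "$attr_uid" ]
}

# Usage: sh make_sysaccount.sh create gitlab_svc dc=localdomain,dc=loc /root/gitlab_service_account.ldif
if [ "${1:-}" = "create" ]; then
    pw=$(gen_password)
    write_ldif "$4" "$2" "$3" "$pw"
    ldif_rdn_consistent "$4" || { echo "RDN/uid mismatch in $4" >&2; exit 1; }
    echo "Wrote $4. Import with: kinit admin && ldapmodify -Y GSSAPI -f $4"
    echo "Service account password (put it in gitlab.rb, then in your secret store): $pw"
fi
```

The consistency check is deliberately strict: an LDIF whose dn says uid=gitlab_svc_acc_bind while the entry carries uid: gitlab_svc is exactly the kind of mismatch that is easy to miss by eye.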

Configuring Gitlab for FreeIPA auth

GitLab can authenticate against a variety of LDAP directory services, including Microsoft Active Directory and FreeIPA. Here's how to point it at FreeIPA.

In the FreeIPA web UI click Identity > User Groups > Add and create two groups named gitlab-users and gitlab-admins. Afterwards, users in your organization can be added to these groups. Only gitlab-users is referenced by the configuration below; mapping gitlab-admins to GitLab administrators (admin_group) is an LDAP group sync feature of GitLab Enterprise Edition.

Edit /etc/gitlab/gitlab.rb and add the LDAP configuration. The server block is YAML inside a Ruby heredoc, so indentation matters, and the bind_dn must be the system account's real DN under cn=sysaccounts,cn=etc, not a DN under cn=users,cn=accounts:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main:
  label: 'LDAP'
  host: 'ns4.uberleet.org'
  port: 636
  uid: 'uid'
  # LDAPS on 636. Older GitLab releases spelled this "method: 'ssl'".
  encryption: 'simple_tls'
  # Refuse servers whose certificate does not chain to a trusted CA; the IPA CA
  # must be trusted on the GitLab host for the bind to succeed.
  verify_certificates: true
  # The system account created above lives under cn=sysaccounts,cn=etc.
  bind_dn: 'uid=gitlab_svc,cn=sysaccounts,cn=etc,dc=localdomain,dc=loc'
  password: '...'

  timeout: 10
  active_directory: false
  allow_username_or_email_login: false
  # Set to true if newly created LDAP users should wait for an admin to unblock them.
  block_auto_created_users: false

  base: 'cn=users,cn=accounts,dc=localdomain,dc=loc'
  # Only members of gitlab-users may log in; FreeIPA maintains memberOf itself.
  user_filter: '(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=localdomain,dc=loc)'

  attributes:
    username: ['uid', 'userid', 'sAMAccountName']
    email:    ['mail', 'email', 'userPrincipalName']
    name:       'cn'
    first_name: 'givenName'
    last_name:  'sn'
EOS
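After gitlab-ctl reconfigure, GitLab's own gitlab-rake gitlab:ldap:check lists the users the bind account can see. The script below, added here as an example that is not part of the original post or of GitLab, goes one step further: it binds as the service account over LDAPS, runs the same filter GitLab effectively issues at login (the uid attribute ANDed with user_filter, with the login escaped per RFC 4515), and then attempts a write that must be refused. The server, DNs, user_filter and password file path are placeholders; the password is read from a file with -y so it never appears in the process list.

```shell
#!/bin/sh
# Added example, not part of the original post or of GitLab: exercise the
# service account the way GitLab does at login, then prove it cannot write.
# Needs the OpenLDAP client tools. Server, DNs, user_filter and the password
# file path below are placeholders.
set -eu

LDAP_URI="${LDAP_URI:-ldaps://ns4.uberleet.org}"
BIND_DN="${BIND_DN:-uid=gitlab_svc,cn=sysaccounts,cn=etc,dc=localdomain,dc=loc}"
PASS_FILE="${PASS_FILE:-/root/gitlab_svc.pw}"
BASE="${BASE:-cn=users,cn=accounts,dc=localdomain,dc=loc}"
USER_FILTER="${USER_FILTER:-(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=localdomain,dc=loc)}"

# RFC 4515 escaping for a value placed inside a filter, so a login such as
# "*" or "x)(uid=admin" cannot widen the search. Backslash is escaped first.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The filter GitLab effectively issues for a login attempt: the configured uid
# attribute ANDed with user_filter from gitlab.rb.
gitlab_login_filter() {
    login=$(ldap_filter_escape "$1"); user_filter="$2"
    printf '(&(uid=%s)%s)' "$login" "$user_filter"
}

# 1. Simple bind over LDAPS as the service account.
check_bind() {
    ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" >/dev/null
}

# 2. Search as the service account; passes only if exactly one entry matches
#    the login, i.e. the user exists and is a member of gitlab-users.
check_login_search() {
    f=$(gitlab_login_filter "$1" "$USER_FILTER")
    n=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" \
          -b "$BASE" -s sub "$f" dn | grep -c '^dn: ' || true)
    [ "$n" -eq 1 ]
}

# 3. Attempt a harmless modify on a user entry and require it to be refused.
#    ldapmodify exits with the LDAP result code; 50 is insufficientAccessRights.
check_readonly() {
    target_dn="$1"
    set +e
    printf 'dn: %s\nchangetype: modify\nreplace: description\ndescription: should-fail\n' "$target_dn" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$PASS_FILE" >/dev/null 2>&1
    rc=$?
    set -e
    [ "$rc" -eq 50 ]
}

# Usage: sh check_gitlab_svc.sh run alice
if [ "${1:-}" = "run" ]; then
    check_bind && echo "bind ok"
    check_login_search "$2" && echo "login search for $2 ok"
    check_readonly "uid=$2,$BASE" && echo "write refused as expected (read-only)"
fi
```

If the third check passes with any other status, the account has more than read access and the ACIs granted to it should be reviewed before GitLab goes live with it.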