From c0b3f585b7e9f7219f96969a6515f20f3d77abc5 Mon Sep 17 00:00:00 2001
From: saibotk
Date: Tue, 21 Sep 2021 04:49:53 +0200
Subject: [PATCH] gitlab: Add LDAP configuration variables
---
 roles/gitlab/defaults/main.yml | 15 ++++++++++++
 roles/gitlab/templates/docker-compose.yml | 30 +++++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/roles/gitlab/defaults/main.yml b/roles/gitlab/defaults/main.yml
index eb43f81..899afa9 100644
--- a/roles/gitlab/defaults/main.yml
+++ b/roles/gitlab/defaults/main.yml
@@ -99,6 +99,21 @@ gitlab_saml:
 name_identifier_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
 autologin: false
 
+# LDAP settings
+gitlab_ldap:
+ enabled: false
+ label: "LDAP"
+ host: "ldap.example.com"
+ port: 389
+ bind_dn: "_the_full_dn_of_the_user_you_will_bind_with"
+ password: "_the_password_of_the_bind_user"
+ encryption: "simple_tls"
+ verify_certificates: true
+ uid: "sAMAccountName"
+ active_directory: true
+ user_filter: ""
+ base: "dc=example,dc=com"
+
 # IMAP settings (for email replies to comments etc.)
 gitlab_imap:
 enabled: false
diff --git a/roles/gitlab/templates/docker-compose.yml b/roles/gitlab/templates/docker-compose.yml
index 94b40a2..e406301 100644
--- a/roles/gitlab/templates/docker-compose.yml
+++ b/roles/gitlab/templates/docker-compose.yml
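Review bot: The new defaults pair `port: 389` with `encryption: "simple_tls"`, which disagree: simple_tls is LDAP-over-TLS (LDAPS), which conventionally listens on 636, while 389 is the plaintext/StartTLS port, so an operator who only fills in `host` will most likely get a connection failure, or "fix" it by switching `encryption` to plain and end up binding unencrypted. Make the pair consistent out of the box, `port: 636` (or `encryption: "start_tls"` if 389 is intended), and keep `verify_certificates: true` as the default. The placeholder `password` is a plaintext secret default in a committed vars file; add a comment above it such as `# Override bind_dn/password from an ansible-vault encrypted vars file; never commit the real bind password.` so operators do not just edit it in place.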
@@ -121,6 +121,36 @@ services:
 registry_nginx['listen_https'] = false
 {% endif %}
 
+{% if gitlab_ldap.enabled %}
+ gitlab_rails['ldap_enabled'] = true
+ gitlab_rails['prevent_ldap_sign_in'] = false
+ gitlab_rails['ldap_servers'] = {
+ 'main' => {
+ 'label' => '{{ gitlab_ldap.label }}',
+ 'host' => '{{ gitlab_ldap.host }}',
+ 'port' => {{ gitlab_ldap.port }},
+ 'uid' => '{{ gitlab_ldap.uid }}',
+ 'encryption' => '{{ gitlab_ldap.encryption }}',
+ 'verify_certificates' => {{ gitlab_ldap.verify_certificates | bool | lower }},
+ 'bind_dn' => '{{ gitlab_ldap.bind_dn }}',
+ 'password' => '{{ gitlab_ldap.password }}',
+ 'timeout' => 10,
+ 'active_directory' => {{ gitlab_ldap.active_directory | bool | lower }},
+ 'allow_username_or_email_login' => false,
+ 'block_auto_created_users' => false,
+ 'base' => '{{ gitlab_ldap.base }}',
+ 'attributes' => {
+ 'username' => ['uid', 'userid', 'sAMAccountName'],
+ 'email' => ['mail', 'email', 'userPrincipalName'],
+ 'name' => 'cn',
+ 'first_name' => 'givenName',
+ 'last_name' => 'sn'
+ },
+ 'lowercase_usernames' => false
+ }
+ }
+{% endif %}
+
 {% if gitlab_saml.enabled %}
 # SAML settings
 gitlab_rails['omniauth_enabled'] = true
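Review bot: `gitlab_ldap.user_filter`, declared in the defaults by this same patch, is never rendered into the `'main'` server block, so a filter an operator sets silently has no effect and every account under `base` can sign in (and, with `'block_auto_created_users' => false`, gets an active GitLab account on first login). Add `'user_filter' => '{{ gitlab_ldap.user_filter }}',` next to `'base'`, and consider exposing `block_auto_created_users` as a variable so an operator can require admin approval. The values are interpolated into Ruby single-quoted literals without escaping, so a bind password or DN containing `'` or `\` yields an invalid gitlab.rb; escape at least the password, e.g. `'password' => '{{ gitlab_ldap.password | replace("\\", "\\\\") | replace("'", "\\'") }}',`. This also writes the bind password into docker-compose.yml on disk, so the task that renders this template (outside the hunk) should set a restrictive file mode.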