I've configured Gitlab CE 9.1.2 with OmniAuth and a CAS server (Single sign on) that authenticates against an Active Directory. The login process is working fine with the auto_create option to make the automatic signup, etc... but when the user is logged in, they are asked to set a password in order to use the https protocol to access the git repositories.
Is there any property or configuration to synchronize the Gitlab password with the Active Directory to avoid this extra step for the user?
Thank you in advance!
Solved! Here is the solution: https://gitlab.com/gitlab-org/gitlab-ce/issues/32199
So far we have always checked out our Git repositories locally via SSH and on the webserver via HTTPS.
Since the GitLab update from August 3, 2021 to version "14.1.2-ee", we noticed that GIT no longer asks for the username and password of the GitLab user during "git push". The only way to push over HTTPS at this moment is to create and add a private token.
Is this a bug in the current version of GitLab or a feature? Is there a setting somewhere to define authentication via HTTPS like before the update?
PATs (Personal Access Tokens) are recommended with Git to authenticate over HTTP, and mandatory if 2FA has been activated.
That being said, it depends on:
what was your previous version of GitLab before this upgrade
which authentication backend your on-premise 14.1.2 GitLab server is using.
If it is LDAP, then this issue seems to be similar to gitlab-org/gitlab issue 337875:
LDAP integration generates massive amount of invalid logins
I have updated to Version 14.1.2 yesterday; since then there are huge amounts of invalid logins via LDAP on the configured AD Controller.
This locks affected AD accounts.
We have registered over 5000 failed log in events in the last 12h.
So check the server logs, and see if the affected accounts (that no longer manage to authenticate) are locked. (you can unlock one from command line, for testing).
The OP eckonator clarifies in the comments:
The error was not due to the update, but CAPTCHA was activated at the same time.
After disabling the CAPTCHA function, everything works again as usual.
We are using LDAP accounts in our self-managed Gitlab. A GitLab account could be locked due to an excessive amount of unsuccessful sign in attempts. We have found that an excessive amount of unsuccessful https authentication attempts also makes the account locked.
It makes sense. But, what's troubling us is that it seems if a user doesn't sign in for several days, the account gets blocked too. Some of our Gitlab users don't sign in on the Gitlab page. They simply use git pull and git push with https. If the account gets blocked, the https authentication fails too. It annoys them if they have to sign in from time to time.
Is it possible to disable Gitlab from locking an account if the user does not sign in for days?
This might be related to the configuration of your LDAP server. Specifically the remember-me token config.
See also GitLab LDAP Auth docs.
If you have an idea for improving GitLab, you can always open an issue with your feature suggestion and use case.
With GitLab 14.7 (January 2022), you now have a UI-based alternative:
GitLab UI identifies to administrators that a user is locked
In previous versions of GitLab, administrators could not see in the UI that a user was locked.
Now, the GitLab UI identifies locked users to administrators, which helps confirm they are locked.
See Documentation and Issue.
I want to connect my own system to gitlab only for authentication.
After that I should be able to manage all the usernames and passwords of gitlab through my system.
Could you please help me to solve this scenario? Thank you.
That would be using the GitLab User API (as admin of your GitLab instance).
You can then add SSH keys for a user, or modify an existing user account (including their password).
You can do so through any number of GitLab API clients.
TL;DR -- How do I override all internal passwords for GitLab (non-admin, non-external) users so that they cannot change their password and must use SAML to login?
We have an internal GitLab server that is set to authenticate via SAML to an AD which has MFA enabled (Azure reverse proxy).
Security has found out that users are setting a local password in GitLab and getting around MFA and logging locally into the server.
They're asking me to remove the login screen completely. I'd rather set an internal password for non-admin and non-external users, and somehow disable the password recovery (blocking email?). Is that possible?
This is the closest thing I found but no easy way to script that as far as I can see. https://docs.gitlab.com/ee/security/reset_root_password.html
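The two threads above both come down to driving the GitLab Users API as an instance admin: the earlier answer points at it for managing users' passwords and SSH keys, and the SAML question asks for a scripted way to reset the local password of every non-admin, non-external user. The following is an added example (not code from any of the posts or from GitLab itself) that does both with the documented endpoints (GET /users, PUT /users/:id with a password field, POST /users/:id/keys, all under a PRIVATE-TOKEN header). The class name GitLabAdmin, the needs_local_password_reset rule, the fake transport, the sample user records and the gitlab.example.invalid URL and placeholder token are assumptions made for this example; the real admin token is never embedded in code. Note that rotating the local password only implements the asker's own proposed step; it does not by itself switch off local sign-in or password-recovery email, which the thread leaves unresolved.

```python
import json
import secrets
import urllib.request
from urllib.parse import urlencode


class GitLabAdmin:
    """Minimal Users API client (hypothetical helper, not GitLab's own library).

    The HTTP opener is injectable so the logic can be exercised offline against a
    fake transport; in production the default urllib opener talks to the server.
    """

    def __init__(self, base_url, token, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self._open = opener

    def _call(self, method, path, params=None, body=None):
        url = f"{self.base_url}/api/v4{path}"
        if params:
            url += "?" + urlencode(params)
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("PRIVATE-TOKEN", self.token)   # admin personal access token
        req.add_header("Content-Type", "application/json")
        with self._open(req) as resp:
            return json.loads(resp.read().decode())

    def list_users(self, per_page=100):
        """Walk GET /users page by page until a short page signals the end."""
        users, page = [], 1
        while True:
            batch = self._call("GET", "/users", {"per_page": per_page, "page": page})
            users.extend(batch)
            if len(batch) < per_page:
                return users
            page += 1

    def set_password(self, user_id, password):
        return self._call("PUT", f"/users/{user_id}", body={"password": password})

    def add_ssh_key(self, user_id, title, key):
        return self._call("POST", f"/users/{user_id}/keys", body={"title": title, "key": key})


def needs_local_password_reset(user):
    """Scope from the SAML question: active users who are neither admin nor external."""
    return (not user.get("is_admin")) and (not user.get("external")) and user.get("state") == "active"


def reset_local_passwords(admin):
    """Replace each in-scope user's local password with a random, never-disclosed one."""
    reset = []
    for user in admin.list_users():
        if needs_local_password_reset(user):
            admin.set_password(user["id"], secrets.token_urlsafe(32))
            reset.append(user["username"])
    return reset


# --- offline demo: constructed sample records in the shape the Users API returns ---
class _FakeResponse:
    def __init__(self, payload):
        self._body = json.dumps(payload).encode()

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_opener(users, log):
    """Fake transport that records every request and answers like the API would."""
    def opener(req):
        log.append((req.get_method(), req.full_url, req.data))
        if req.get_method() == "GET":
            return _FakeResponse(users)          # single short page
        return _FakeResponse({"id": int(req.full_url.rsplit("/", 1)[-1])})
    return opener


def demo():
    sample_users = [  # constructed sample data
        {"id": 1, "username": "alice", "is_admin": False, "external": False, "state": "active"},
        {"id": 2, "username": "root", "is_admin": True, "external": False, "state": "active"},
        {"id": 3, "username": "bob", "is_admin": False, "external": True, "state": "active"},
        {"id": 4, "username": "carol", "is_admin": False, "external": False, "state": "blocked"},
    ]
    log = []
    admin = GitLabAdmin("https://gitlab.example.invalid", "glpat-PLACEHOLDER",
                        opener=make_fake_opener(sample_users, log))
    return reset_local_passwords(admin), log


if __name__ == "__main__":
    reset, log = demo()
    print("reset:", reset)
    for method, url, _ in log:
        print(method, url)
```

Only alice is touched in the demo: root is excluded as admin, bob as external, and carol because a blocked account should stay untouched. Against a live instance you would pass the real base URL, read the admin token from the environment, and drop the `opener` argument.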
I'm running Mercurial's hgwebdir.cgi on WinXP over IIS as a central repo for sharing code with my team. I'd like to use ActiveDirectory to authenticate to the server when pushing/pulling through TortoiseHg and/or the command-line hg client. Has anyone done this or seen instructions on how to do this?
I know this has already got an accepted answer, but I did a four part blog post for set up of Mercurial on IIS with Active Directory authentication and using hgwebdir.cgi for push authorization. It goes over the whole process of:
Setting up Mercurial's hg web interface on IIS.
Setting up the IIS authentication for Mercurial so that only users authorized by the active directory (i.e. security groups/users) can view/access the repositories either via the hg web interface or through the file system.
Configuring Active Directory authentication for Mercurial users, so only authorized users can see/access the repositories they have access to.
Configuring hgwebdir.cgi via hgweb.config to set push authorization for specified users to repositories.
Hiding hgwebdir.cgi using Helicon's ISAPI Rewrite in your repository's URL.
Customizing the style/feel of the hg web user interface to your own taste.
Setting up and configuring Mercurial in a Windows/IIS/Active Directory environment (web.archive.org mirror)
hgwebdir.cgi doesn't really do authentication, although it can do authorization. You probably want to take care of authentication in the IIS config. (I don't have any experience with IIS, but that's how it works with Apache, at least.)
Authentication is performed by IIS. In IIS Manager, allow Basic Authentication on the directory containing hgwebdir.cgi script. Then edit the Basic Authentication settings and set default domain and realm to your domain name.
In hgweb.config add
allow_push = <username>
replacing <username> with your username(s) for people who will be able to perform push.
This worked for me.
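Because IIS supplies the authenticated username and hgweb.config only decides who may push, a typo in the `[web]` section silently changes the security posture. The following is an added example (not code from the answer or from Mercurial) that parses an hgweb.config with Python's configparser and reports the push-authorization settings: an empty or missing `allow_push` disables push for everyone, the special value `*` lets any remote user push (including unauthenticated ones when the web server does not enforce login), `deny_push` overrides `allow_push`, and `push_ssl` (default on) refuses pushes over plain HTTP. The function name audit_hgweb_config and the sample configuration text are assumptions made for this example; configparser is an approximation of Mercurial's own ini reader and does not handle Mercurial-specific directives such as `%include`.

```python
import configparser

_TRUE = ("1", "true", "yes", "on")


def _user_list(value):
    """Split a comma/whitespace separated user list as Mercurial accepts it."""
    return [u for u in value.replace(",", " ").split() if u]


def audit_hgweb_config(text):
    """Return the effective push-authorization settings plus human-readable findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    web = cp["web"] if cp.has_section("web") else {}

    allow = _user_list(web.get("allow_push", ""))
    deny = _user_list(web.get("deny_push", ""))
    push_ssl = web.get("push_ssl", "true").strip().lower() in _TRUE
    findings = []

    if not allow:
        findings.append("allow_push is empty or missing: nobody can push over HTTP(S)")
    elif "*" in allow:
        findings.append("allow_push = * lets any remote user push, including unauthenticated "
                        "ones unless IIS/Apache requires login for this path")
    if "*" in deny:
        findings.append("deny_push = * blocks every push regardless of allow_push")
    if not push_ssl:
        findings.append("push_ssl = false: pushes and Basic Auth credentials may travel over plain HTTP")

    return {
        "allow_push": allow,
        "deny_push": deny,
        "push_ssl": push_ssl,
        "repos": list(cp["paths"].keys()) if cp.has_section("paths") else [],
        "findings": findings,
    }


# Constructed sample configurations (not from the answer)
GOOD_CONFIG = """
[paths]
/ = C:/repos/*

[web]
allow_push = alice, bob
push_ssl = true
"""

OPEN_CONFIG = """
[paths]
/ = C:/repos/*

[web]
allow_push = *
push_ssl = false
"""


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("open", OPEN_CONFIG)):
        result = audit_hgweb_config(cfg)
        print(name, result["allow_push"], result["push_ssl"])
        for f in result["findings"]:
            print("  -", f)
```

Run it against the real file with `audit_hgweb_config(open("hgweb.config").read())`; a configuration that names specific users and keeps `push_ssl` on produces no findings, which is the state the answer above describes.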
Excuse my necroposting, but I've just released an alpha version of HgLab, which is a Mercurial Server for Windows and it supports Active Directory authentication out of the box.