diff --git a/doc/administration/auth/google_secure_ldap.md b/doc/administration/auth/google_secure_ldap.md new file mode 100644 index 0000000000000000000000000000000000000000..f10be712ed55a699741aebef74ad5e316126df42 --- /dev/null +++ b/doc/administration/auth/google_secure_ldap.md 
@@ -0,0 +1,48 @@ +# Google Secure LDAP **[CORE ONLY]** + +> Introduced in GitLab 11.9. + +[Google Cloud Identity](https://cloud.google.com/identity/) provides a Secure +LDAP service that can be configured with GitLab for authentication and group sync. + +Secure LDAP requires a slightly different configuration than standard LDAP servers. +The steps below cover configuring the Secure LDAP Client in the Google Admin console +as well as GitLab configuration. + +## Configuration + +### Google LDAP Client + +1. Navigate to https://admin.google.com and sign in as a GSuite domain administrator. +1. Go to Apps -> LDAP -> Add Client. +1. Provide an `LDAP client name` and an optional `Description`. Any descriptive + values are acceptable. For example, the name could be 'GitLab' and the + description could be 'GitLab LDAP Client'. Select 'Continue'. + + ![Add LDAP Client Step 1](img/google_secure_ldap_add_step_1.png) +1. Set 'Access Permissions' according to your needs. You must choose either + 'Entire domain' or 'Selected organizational units' for both 'Verify user + credentials' and 'Read user information'. Select 'Add LDAP Client' + + TIP: **Tip:** If you plan to use GitLab [LDAP Group Sync](https://docs.gitlab.com/ee/administration/auth/ldap-ee.html#group-sync) + be sure to turn on 'Read group information' + + ![Add LDAP Client Step 2](img/google_secure_ldap_add_step_2.png) +1. Download the generated certificate. This is required in order for GitLab to + communicate with the Google Secure LDAP service. Save the downloaded certificates + for later use. After downloading, select 'Continue to Client Details'. +1. Expand the 'Service Status' section and turn the LDAP client 'ON for everyone'. + After selecting 'Save', click on the 'Service Status' bar again to collapse + and return to the rest of the settings. +1. Expand the 'Authentication' section and choose 'Generate New Credentials'. + Copy/note these credentials for later use. 
After selecting 'Close', click + on the 'Authentication' bar again to collapse and return to the rest of the settings. + +Now the Google Secure LDAP Client configuration is finished. The screenshot below +shows an example of the final settings. Continue on to configure GitLab. + +![LDAP Client Settings](img/google_secure_ldap_client_settings.png) + +### GitLab + +1. diff --git a/doc/administration/auth/img/google_secure_ldap_add_step_2.png b/doc/administration/auth/img/google_secure_ldap_add_step_2.png new file mode 100644 index 0000000000000000000000000000000000000000..611a21ae03cc5819d3b76bfea7a279b56e14b76a Binary files /dev/null and b/doc/administration/auth/img/google_secure_ldap_add_step_2.png differ diff --git a/doc/administration/auth/img/google_secure_ldap_client_settings.png b/doc/administration/auth/img/google_secure_ldap_client_settings.png new file mode 100644 index 0000000000000000000000000000000000000000..3c0b3f3d4bdc7acb362b77c627f46d9bca248bbd Binary files /dev/null and b/doc/administration/auth/img/google_secure_ldap_client_settings.png differ diff --git a/doc/administration/auth/img/google_secure_ldap_step_1.png b/doc/administration/auth/img/google_secure_ldap_step_1.png new file mode 100644 index 0000000000000000000000000000000000000000..fd254443d75ad41a3119e1c571495476bda60a89 Binary files /dev/null and b/doc/administration/auth/img/google_secure_ldap_step_1.png differ diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md index 440c2b1285afcbe041123eccf0af6fe154a34542..2d057dc75095ac9b48ef983032f6c56107a4f697 100644 --- a/doc/administration/auth/ldap.md +++ b/doc/administration/auth/ldap.md 
@@ -48,6 +48,14 @@ LDAP-enabled users can always authenticate with Git using their GitLab username or email and LDAP password, even if password authentication for Git is disabled in the application settings. +## Google Secure LDAP **[CORE ONLY]** + +> Introduced in GitLab 11.9. + +[Google Cloud Identity](https://cloud.google.com/identity/) provides a Secure +LDAP service that can be configured with GitLab for authentication and group sync. +See [Google Secure LDAP](google_secure_ldap.md) for detailed configuration instructions. + ## Configuration NOTE: **Note**:
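Review bot: In doc/administration/auth/google_secure_ldap.md the `### GitLab` section ends at a bare `1.` with no step text, so the new page stops right after telling the reader to "Continue on to configure GitLab". Add the GitLab-side configuration steps, or drop the heading until they are written. In the same hunk, the steps that say to save the downloaded certificates "for later use" and to "Copy/note these credentials" give no guidance on storage. Because the certificate and generated credentials together authenticate the LDAP client, add a sentence telling admins to keep them in a location with restricted read permissions.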
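Review bot: The binary added as doc/administration/auth/img/google_secure_ldap_step_1.png does not match the reference `img/google_secure_ldap_add_step_1.png` in google_secure_ldap.md, so the "Add LDAP Client Step 1" image link will be broken. Rename the file to follow the `google_secure_ldap_add_step_2.png` pattern, or update the link in the Markdown.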
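Review bot: In doc/administration/auth/ldap.md the new `## Google Secure LDAP **[CORE ONLY]**` section says the service can be used for "authentication and group sync", but google_secure_ldap.md links group sync to `ldap-ee.html#group-sync`. Link group sync here as well, and if its availability differs from what the heading badge states, say so in this summary so readers of ldap.md are not misled. The paragraph also repeats the opening of the new page word for word; a single sentence plus the "See [Google Secure LDAP](google_secure_ldap.md)" link would be enough.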