README.md
16 additions & 16 deletions
@@ -71,7 +71,7 @@ IP or hostname of the LDAP server. You should use "localhost" if the you're runn
71
71
72
72
##### port *(int\null)*
73
73
74
-
Port used to access the LDAP server. Typically 389 for unencrypted connections or STARTTLS encrypted connections, but 636 for implicit SSL/TLS connections.
74
+
TCP port used to access the LDAP server. Typically 389 for unencrypted connections or STARTTLS encrypted connections, but 636 for implicit SSL/TLS connections.
75
75
76
76
Leaving this null will use the default port based on the **encryption** setting.
77
77
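Review bot: the context line `##### port *(int\null)*` uses a backslash in the type annotation where every other setting in this file uses a pipe (`*(string|null)*`, `*(bool|null)*`, `*(array|null)*`); since this hunk already touches the port description, change it to `*(int|null)*` in the same commit. The reworded line itself is correct: 389 for plaintext and STARTTLS, 636 for LDAPS matches the registered port assignments, and "TCP port" is a useful precision since LDAP over UDP exists but is not what this tool uses.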
@@ -85,12 +85,14 @@ Leaving this null will assume version 3.
85
85
86
86
The encryption protocol.
87
87
88
-
* "none" for unencrypted connections, usually port 389. (Generally only safe to use with "localhost" or a very tightly controlled link between this tool and the LDAP server.)
89
-
* "tls" for **explicit** SSL/TLS connections, usually on port 389. (Often called "STARTTLS".)
90
-
* "ssl" for **implicit** SSL/TLS connections, usually on port 636. (Often called "LDAPS".)
88
+
* "none" for unencrypted connections, usually via TCP port 389. (Generally only safe to use with "localhost" or a very tightly controlled tunnel between this tool and the LDAP server.)
89
+
* "tls" for **explicit** SSL/TLS connections, usually via TCP port 389. (Often called "STARTTLS".)
90
+
* "ssl" for **implicit** SSL/TLS connections, usually via TCP port 636. (Often called "LDAPS".)
91
91
92
92
Leaving this null will assume an unencrypted connection.
93
93
94
+
If the server isn't "localhost" and STARTTLS or LDAPS is unavailable due to whatever certificate issues you have highly consider using an SSH tunnel with port forwarding to make a secure link instead. *(How to do that is beyond the scope of this tool.)*
95
+
94
96
##### bindDn *(string|null)*
95
97
96
98
If your LDAP server does not allow anonymous access (which is a sensible restriction) specify a **full distinguished name**. (You cannot just specify the user name on its own.)
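Review bot: the new SSH-tunnel sentence has a grammar problem ("due to whatever certificate issues you have highly consider using") and, more importantly, does not say what the reader should then configure. Suggest: `If the server isn't "localhost" and STARTTLS or LDAPS is unavailable (for example because of certificate problems), strongly consider an SSH tunnel with port forwarding: forward a local port to the LDAP server, then set "server" to "localhost" and "encryption" to "none".` That ties the advice back to the "none" bullet, which already says plaintext is only acceptable to localhost or a tightly controlled tunnel. Two smaller points in the same hunk: the unchanged line "Leaving this null will assume an unencrypted connection" means the default is the least safe of the three options and deserves a warning in place ("set this explicitly for any server other than localhost"); and "SSL/TLS" for both "tls" and "ssl" values is confusing since neither mode involves SSL, so "TLS" alone, keeping the STARTTLS and LDAPS parentheticals, would be clearer.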
@@ -118,7 +120,7 @@ Example to work with a specific organisational unit tree: "ou=Internal,dc=exampl
118
120
119
121
Specify the distinguished name containing user objects to be searched for.
120
122
121
-
* For Microsoft Active Directory this is typically "CN=Users".
123
+
* For Microsoft Active Directory this is typically "cn=Users".
122
124
* For OpenLDAP and 389-DS this is typically "ou=People".
123
125
124
126
Leaving this null will search the entire base DN.
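Review bot: lowercasing `cn=Users` is harmless (DN attribute type names are matched case-insensitively), but the surrounding lines still do not say whether this value is a full DN or a relative DN appended to the base DN: "cn=Users" on its own is not a valid search base, and the unchanged line "Leaving this null will search the entire base DN" implies it is relative. State that explicitly, e.g. `Specify the distinguished name, relative to the base DN, containing user objects to be searched for.`, or show one fully qualified example in the same form as the base DN example visible in this hunk's header.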
@@ -156,7 +158,7 @@ Default: "mail"
156
158
157
159
Specify the distinguished name containing group objects to be searched for.
158
160
159
-
* For Microsoft Active Directory this is typically "CN=Users".
161
+
* For Microsoft Active Directory this is typically "cn=Users".*(Yes, that really is "Users", not "Groups".)*
160
162
* For OpenLDAP this is typically "ou=Group".
161
163
* For 389-DS this is typically "ou=Groups".
162
164
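Review bot: the added aside runs into the preceding quote with no separating space (`"cn=Users".*(Yes, that really is "Users", not "Groups".)*`); insert a space before `*(` so the italics render. The same full-DN versus relative-DN question raised for the user search base applies to this setting. Also, the unchanged bullets give "ou=Group" for OpenLDAP and "ou=Groups" for 389-DS; a reader will assume one is a typo, so confirm both spellings are intended and, if so, add a short "(singular)" / "(plural)" marker.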
@@ -207,13 +209,12 @@ This must be defined as an array even if you have only 1 user. Be sure to quote
207
209
208
210
```
209
211
userNamesToIgnore:
210
-
- "root"
211
212
- "nobody"
212
213
- "Administrator"
213
214
- "Guest"
214
215
```
215
216
216
-
User name "root" must always be ignored because this is the built-in Gitlab root user. Do not attempt to create/sync this user name.
217
+
User name "root" will always be ignored because this is the built-in Gitlab root user. This tool will not attempt to create/delete/sync this user name.
217
218
218
219
Default: *null*
219
220
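Review bot: the reworded paragraph ("will always be ignored ... will not attempt to create/delete/sync") is clearer than the old instruction to the user, but now that "root" has been removed from the example list a reader whose directory contains a user named "root" will see it silently skipped with no hint why. Suggest the paragraph say that the tool logs a skipped built-in name (and that the tool actually does so), and keep the wording parallel with the groupNamesToIgnore paragraph later in this diff. Pre-existing but worth fixing while here: the product name is "GitLab", not "Gitlab".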
@@ -224,45 +225,44 @@ Specify a list of group names of which this tool should ignore. (Case-insensitiv
224
225
This varies not only according to which directory software you're using, but also how your directory has been structured. You do not have to specify every group if you've left the "createEmptyGroups" setting (further down) switched off, as this will prevent groups containing no users to be ignored anyway.
225
226
226
227
* For Microsoft Active Directory this is could be "Domain Computers", "Domain Controllers", "DnsAdmins", "DnsUpdateProxy", and any other group you don't expect to contain human users.
227
-
* OpenLDAP and 389-DS do not ship with any groups out of the box.
228
+
* OpenLDAP does ship with any groups out of the box.
229
+
* For 389-DS this could be the four out of the box groups: "Accounting Managers", "HR Managers", "PD Managers", and "QA Managers".
228
230
229
231
This must be defined as an array even if you have only 1 group. Be sure to quote group names that have spaces. For example:
230
232
231
233
```
232
234
groupNamesToIgnore:
233
-
- "Root"
234
-
- "Users"
235
235
- "Managed Service Accounts"
236
236
- "Marketing Staff"
237
237
```
238
238
239
-
Group names "Root" and "Users" must always be ignored because they are reserved keywords. Do not attempt to create/sync these group names.
239
+
Group names "Root" and "Users" will always be ignored because they are built-in Gitlab groups. This will will not attempt to create/delete/sync these group names.
240
240
241
241
Default: *null*
242
242
243
243
##### createEmptyGroups *(bool|null)*
244
244
245
245
Specify whether groups containing no LDAP users should still be created in Gitlab.
246
246
247
-
You should enable this if you want to specify permissions for groups in advance, so they'll be ready when the first user is added to that group. If your directory has a lot of empty groups enabling this would only replicate the clutter to Gitlab.
247
+
You should enable this if you want to specify permissions for groups in advance so they'll be ready when the first user is added to that group. If your directory has a lot of empty groups enabling this would only replicate the clutter to Gitlab, so should be used with care for large directories.
248
248
249
249
Default: *false*
250
250
251
251
##### deleteExtraGroups *(bool|null)*
252
252
253
253
Specify whether Gitlab groups not found in LDAP should be deleted.
254
254
255
-
You should only enable this if you don't like empty groups being left over in Gitlab after doing a purge in your directory.
255
+
You should only enable this if you don't like empty groups being left over in Gitlab after doing a purge in your directory. Consider if such groups still contain projects you need to keep. (This scenario remains untested!)
256
256
257
-
**Only empty Gitlab groups will ever be deleted. If there are extra groups with members still in them they will not be deleted.**
257
+
Only empty Gitlab groups will ever be deleted. If there are extra groups with members still in them they will not be deleted.
258
258
259
259
Default: *false*
260
260
261
261
##### groupNamesOfAdministrators *(array|null)*
262
262
263
263
Specify a list of group names of which members should be granted administrator access.
264
264
265
-
This varies not only according to which directory software you're using, but also how your directory has been structured. Users that have directory administrator access should not necessarily have Gitlab administrator access too, so this one is up to you.
265
+
This varies not only according to which directory software you're using, but also how your directory has been structured. Users that have directory administrator access may not necessarily have Gitlab administrator access too, so this one is up to you.
266
266
267
267
* For Microsoft Active Directory this is could be "Domain Admins" and "Enterprise Admins".
268
268
* OpenLDAP and 389-DS do not ship with such a group out of the box as they typically offer a "Directory Administrator" non-user object or similar for administrative purposes via bind DN.
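Review bot: the added bullet "OpenLDAP does ship with any groups out of the box." inverts the meaning of the line it replaces; it should read "OpenLDAP does not ship with any groups out of the box." (the 389-DS bullet that follows is then the contrast). Further down, "This will will not attempt to create/delete/sync these group names." has a doubled "will" and is missing its subject; use the same wording as the userNamesToIgnore paragraph: "This tool will not attempt to create/delete/sync these group names." Note also that "Root" and "Users" were previously described as "reserved keywords" and are now "built-in Gitlab groups"; those are different claims, so pick the accurate one. On deleteExtraGroups: the change removes the bold from the only safeguard sentence ("Only empty Gitlab groups will ever be deleted") while adding "Consider if such groups still contain projects you need to keep. (This scenario remains untested!)" The new sentence shows that "empty" is ambiguous (no members, no projects, or both), and a group with no members but with projects is exactly the data-loss case; define "empty" precisely, say what the tool does with such a group, and keep the emphasis until the scenario is tested. Two unchanged context lines carry errors worth fixing in the same commit: "as this will prevent groups containing no users to be ignored anyway" says the opposite of what is meant (should be "as groups containing no users will be ignored anyway"), and "this is could be" appears in both the Active Directory bullets.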