Using nested AD groups to filter access to Gitlab

I struggled while trying to limit access to our internal omnibus Gitlab instance using the LDAP setting user_filter:. We use nested groups in Microsoft AD to manage users and access rights, and that works with Gitlab once you know the secret sauce.

Licensing - you need an enterprise license (see the edit at the end of this section)

First I tried getting it to work with our Gitlab instance, which runs the free Community Edition. I read through the docs about LDAP, added user_filter: to our settings file, and it didn't work. Users that were added directly to the AD group used as the filter got access, but users who were only members of groups nested inside the "main" group did not. For example, if the group Gitlab-access contains User1, User2 and Engineering-group, and Engineering-group contains User3, the following filter:

user_filter: '(&(objectClass=person)(memberOf=cn=Gitlab-access,dc=domain,dc=com))'

grants access only to User1 and User2, not to User3, because memberOf lists direct group membership only.

This wasn't a trivial discovery, since the Gitlab CE documentation seems to indicate that nested AD groups work. It's only once you see that the LDAP Additions to Gitlab EE documentation also mentions nested AD groups that you realise this might be an EE feature.

I went along and asked for an EE trial license to see if I could get it to work.

Edit 2017-07-18: It turns out that it is possible to use nested AD groups with user_filter: in Gitlab CE. After I contacted Gitlab about the confusion the documentation has been updated.

Special AD LDAP query rules

The second hurdle was realising that the plain LDAP query shown above won't work against Microsoft AD, because memberOf only lists the groups an object is a direct member of. To match nested membership you need AD's extensible match rule LDAP_MATCHING_RULE_IN_CHAIN, selected by its object identifier (OID) 1.2.840.113556.1.4.1941, which makes the server walk the chain of group membership for you. The rule is specific to Active Directory (the OID sits in Microsoft's arc) and is not available on OpenLDAP or other directory servers. More information over at MSDN:

This rule is limited to filters that apply to the DN. This is a special “extended” match operator that walks the chain of ancestry in objects all the way to the root until it finds a match.

The resources that helped me understand this were mainly the Stack Overflow questions "ldap nested group membership" and "Can LDAP_MATCHING_RULE_IN_CHAIN return 'subtree search results' with attributes (specifically 'memberOf')?". I also found some information on Atlassian's help page "Active Directory user filter does not search nested groups".

The user_filter: setting that finally worked was the following (note that the value after := must be the full distinguishedName of the group exactly as AD stores it):

user_filter: '(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=Gitlab-access,dc=domain,dc=com))'
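To make the difference between the two filters concrete without a domain controller at hand, here is an added example (not code from the original post or from Gitlab) that models the objects from the post in a small in-memory directory and evaluates both filters against it: the plain memberOf filter as a direct-membership check, and the LDAP_MATCHING_RULE_IN_CHAIN filter as a transitive walk over memberOf, which is what AD does server-side. It goes slightly beyond the post in two ways AD also handles: DN comparison is case-insensitive, and the walk tolerates group cycles (AD allows a group to be nested inside one of its own members). The DNs, the extra Contractor user and the flat layout directly under the domain root are constructed for illustration; in a real domain the group will usually live in an OU or the Users container.

```python
"""Added example (not from the original post): evaluate the two Gitlab
user_filter: expressions against a constructed, in-memory model of AD.

Nothing here talks to a server; it only shows what the filters select."""

# OID of AD's extensible match rule for transitive group membership.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

GROUP_DN = "cn=Gitlab-access,dc=domain,dc=com"
ENG_DN = "cn=Engineering-group,dc=domain,dc=com"

# Constructed directory: DN -> attributes. AD stores membership on both the
# group (member) and the member (memberOf); memberOf is enough for this walk.
# "Contractor" is a constructed extra user that is in neither group.
DIRECTORY = {
    GROUP_DN: {"objectClass": ["group"], "memberOf": []},
    ENG_DN: {"objectClass": ["group"], "memberOf": [GROUP_DN]},
    "cn=User1,dc=domain,dc=com": {"objectClass": ["person"], "memberOf": [GROUP_DN]},
    "cn=User2,dc=domain,dc=com": {"objectClass": ["person"], "memberOf": [GROUP_DN]},
    "cn=User3,dc=domain,dc=com": {"objectClass": ["person"], "memberOf": [ENG_DN]},
    "cn=Contractor,dc=domain,dc=com": {"objectClass": ["person"], "memberOf": []},
}


def direct_filter(group_dn):
    """The filter that only matches direct members (the post's first attempt)."""
    return f"(&(objectClass=person)(memberOf={group_dn}))"


def chained_filter(group_dn):
    """The filter that matches nested members via LDAP_MATCHING_RULE_IN_CHAIN."""
    return f"(&(objectClass=person)(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={group_dn}))"


def _entry(directory, dn):
    """Case-insensitive DN lookup, since LDAP DNs are not case-sensitive."""
    wanted = dn.lower()
    return next((attrs for d, attrs in directory.items() if d.lower() == wanted), {})


def is_member_in_chain(entry_dn, group_dn, directory, _seen=None):
    """True if entry_dn reaches group_dn by following memberOf links.

    This is the client-side equivalent of what AD does for the
    memberOf:1.2.840.113556.1.4.1941:= rule. The visited set guards
    against group cycles, which AD permits."""
    target = group_dn.lower()
    seen = _seen if _seen is not None else set()
    for parent in _entry(directory, entry_dn).get("memberOf", []):
        key = parent.lower()
        if key == target:
            return True
        if key in seen:
            continue
        seen.add(key)
        if is_member_in_chain(parent, group_dn, directory, seen):
            return True
    return False


def matching_persons(group_dn, directory, chained):
    """Return the set of person DNs selected by the direct (chained=False)
    or chained (chained=True) filter for group_dn."""
    selected = set()
    for dn, attrs in directory.items():
        if "person" not in attrs.get("objectClass", []):
            continue  # the objectClass=person half of the AND
        if chained:
            hit = is_member_in_chain(dn, group_dn, directory)
        else:
            hit = any(m.lower() == group_dn.lower() for m in attrs.get("memberOf", []))
        if hit:
            selected.add(dn)
    return selected


if __name__ == "__main__":
    for label, chained in (("direct", False), ("chained", True)):
        flt = chained_filter(GROUP_DN) if chained else direct_filter(GROUP_DN)
        print(f"{label}: {flt}")
        for dn in sorted(matching_persons(GROUP_DN, DIRECTORY, chained)):
            print("   ", dn)
```

Running the module prints User1 and User2 for the direct filter and User1, User2 and User3 for the chained one; Contractor is never selected. The same comparison against a live domain is the check worth doing before editing gitlab.rb: run both filters with the LDAP tool you already have and confirm the nested user appears only in the second result set. The chained rule asks the domain controller to walk every group ancestor, so on very large directories it is noticeably slower than the plain filter; that cost is paid on each Gitlab sign-in and sync.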

Cover photo Simple Circles by Tyler Lastovich from Unsplash