Adambean / gitlab-ce-ldap-sync

Synchronise users and groups (including group members) from an LDAP instance with Gitlab CE (and EE in free tier) self-hosted instance(s).
Apache License 2.0

Possible to only sync specified LDAP groups? #34

Closed Macleykun closed 1 year ago

Macleykun commented 1 year ago

Hello! Thank you for writing this program, it’s a real life saver! I do have one feature request / question. Is it possible to specify which groups only can be synced? The structure I work with basically means I have to exclude every single group as we have lots in the same OU folder. Something like: AllowedGroups: XYZ-GitLab-* which will only sync all groups that start with XYZ-GitLab-

I do hope it’s possible to add this functionality. I also worked out the Dockerfile more and will create a PR soon, once I’m happy with the whole setup. I may want to include an update-ca-certificates so that SSL works between LDAP and GitLab.

Macleykun commented 1 year ago

A different question I have is, is it possible to use this script with nested groups? Let's say I have an ACCESS-GITLAB-1 group which the GITLAB-TEAM-A group is a member of. In GITLAB-TEAM-A there are users; could these users then be added in GitLab?

Adambean commented 1 year ago

If you just need to filter groups based on their name you could do this already by updating the LDIF query in the groupFilter setting.

This should satisfy the example you provided: (&(objectClass=groupOfUniqueNames)(cn=XYZ-GitLab-*)) It should also be possible to do multiple filters: (&(objectClass=groupOfUniqueNames)(|(cn=XYZ-GitLab-*)(cn=123-GitLab-*)))

Your directory back end would do the filtering. If your directory is quite large you may want to enable indexing to speed this up if it isn't on already.

For your nested group query you probably want this: https://github.com/Adambean/gitlab-ce-ldap-sync/issues/17 (Not implemented in this project yet though one of the forks may have it.)

Macleykun commented 1 year ago

> If you just need to filter groups based on their name you could do this already by updating the LDIF query in the groupFilter setting.
>
> This should satisfy the example you provided: (&(objectClass=groupOfUniqueNames)(cn=XYZ-GitLab-*)) It should also be possible to do multiple filters: (&(objectClass=groupOfUniqueNames)(|(cn=XYZ-GitLab-*)(cn=123-GitLab-*)))
>
> Your directory back end would do the filtering. If your directory is quite large you may want to enable indexing to speed this up if it isn't on already.
>
> For your nested group query you probably want this: #17 (Not implemented in this project yet though one of the forks may have it.)

Thank you first of all! The groupFilter is going way better, and filtering only on the groups I need cleaned the config file up a lot!

It seems that @hvanscherpenzeel has implemented nested groups. I will try to fork his and make a docker container to test it out on my end. https://github.com/Adambean/gitlab-ce-ldap-sync/commit/98752540a77163ae1bbfac9d0b4f094c2d36735f

I assume the following groupFilter would work for nesting? (&(objectClass=groupOfUniqueNames)(memberof:1.2.840.113556.1.4.1941:=cn=XYZ-GitLab-*)) (assuming XYZ-GitLab has only a group member, which contains the users)
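The groupFilter values in the two comments above are plain LDAP search filters that the directory server evaluates, so the quickest way to check one before pointing the sync at it is a dry run against the groups you expect it to select. What follows is an added example, not code from gitlab-ce-ldap-sync or from anyone in this thread: a small evaluator for the RFC 4515 subset those filters use (&, |, !, equality and * wildcards), run against a constructed in-memory directory, plus a recursive expansion of groupOfUniqueNames/uniqueMember nesting of the kind asked about above, with a guard against membership cycles. The DNs, group names and the cycle in the sample data are constructed; the extensible matching rule in the proposed nested filter (memberof:1.2.840.113556.1.4.1941:=) is deliberately rejected rather than approximated, because only the directory server can evaluate it.

```python
"""Dry-run an LDAP groupFilter and expand nested group membership.

Added example, not part of gitlab-ce-ldap-sync. Handles the RFC 4515 subset
used in this thread: & | ! equality and '*' substring matches. Extensible
match rules (attr:OID:=value) are refused, not approximated.
"""
import re
from typing import Dict, List, Set

Entry = Dict[str, List[str]]  # attribute name -> values

# Constructed sample directory; none of these DNs or names are real.
PEOPLE = "ou=people,dc=example,dc=org"
GROUPS = "ou=groups,dc=example,dc=org"
DIRECTORY: Dict[str, Entry] = {
    f"cn=XYZ-GitLab-Dev,{GROUPS}": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["XYZ-GitLab-Dev"],
        "uniqueMember": [f"cn=GITLAB-TEAM-A,{GROUPS}", f"uid=alice,{PEOPLE}"]},
    f"cn=XYZ-GitLab-Ops,{GROUPS}": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["XYZ-GitLab-Ops"],
        "uniqueMember": [f"uid=bob,{PEOPLE}"]},
    f"cn=123-GitLab-Admins,{GROUPS}": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["123-GitLab-Admins"],
        "uniqueMember": [f"uid=carol,{PEOPLE}"]},
    f"cn=HR-Payroll,{GROUPS}": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["HR-Payroll"],
        "uniqueMember": [f"uid=dave,{PEOPLE}"]},
    f"cn=GITLAB-TEAM-A,{GROUPS}": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["GITLAB-TEAM-A"],
        # Constructed cycle back to the parent group, to exercise the loop guard.
        "uniqueMember": [f"uid=erin,{PEOPLE}", f"uid=frank,{PEOPLE}",
                         f"cn=XYZ-GitLab-Dev,{GROUPS}"]},
}


def parse_filter(text: str):
    """Parse a filter string into a tree: ('&'|'|'|'!', children) or ('=', attr, pattern)."""
    pos = 0

    def take(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def node():
        nonlocal pos
        take("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|"):
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            take(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            take(")")
            return ("!", [child])
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated filter item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        if ":" in attr:
            # e.g. memberof:1.2.840.113556.1.4.1941:= is a server-side extensible
            # match rule; refuse it instead of guessing what the server would do.
            raise ValueError(f"extensible match rule not supported: {attr}")
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}")
    return tree


def filter_is_supported(group_filter: str) -> bool:
    """True if the filter parses with the subset implemented here."""
    try:
        parse_filter(group_filter)
        return True
    except ValueError:
        return False


def _value_matches(value: str, pattern: str) -> bool:
    """LDAP substring semantics: '*' matches any run, everything else is literal, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def matches(tree, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    lowered = {k.lower(): v for k, v in entry.items()}  # attribute names are case-insensitive
    return any(_value_matches(v, pattern) for v in lowered.get(attr.lower(), []))


def select_groups(directory: Dict[str, Entry], group_filter: str) -> List[str]:
    """Return the cn of every entry the groupFilter would select, sorted."""
    tree = parse_filter(group_filter)
    return sorted(e["cn"][0] for e in directory.values() if matches(tree, e))


def expand_members(directory: Dict[str, Entry], group_dn: str, seen: Set[str] = None) -> Set[str]:
    """Collect user DNs from a group, descending into member groups; cycles are visited once."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users: Set[str] = set()
    for member in directory[group_dn].get("uniqueMember", []):
        is_group = member in directory and "groupOfUniqueNames" in directory[member].get("objectClass", [])
        if is_group:
            users |= expand_members(directory, member, seen)
        else:
            users.add(member)
    return users


if __name__ == "__main__":
    flt = "(&(objectClass=groupOfUniqueNames)(|(cn=XYZ-GitLab-*)(cn=123-GitLab-*)))"
    for cn in select_groups(DIRECTORY, flt):
        print(cn, "->", sorted(expand_members(DIRECTORY, f"cn={cn},{GROUPS}")))
```

Fed an LDIF export of the real group OU instead of the constructed dictionary, the same dry run lists exactly which groups the sync would touch, which is worth confirming before a job that can change GitLab group membership is run for the first time.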

Macleykun commented 1 year ago

(Mentioned the wrong person.) @hvanscherpenzeel, could you confirm whether nested groups work on your end (and whether the groupFilter I propose would work with your fork)?

(And if I may be so rude to ask, would you consider sending a PR to Adambean's repo whenever you can?)

Macleykun commented 1 year ago

I'll close this issue, as adjusting the search filter to only search for specific groups works!