ContextQMD
Back to Gitlabhq

GitLab Duo add-on seat management with LDAP

doc/administration/duo_add_on_seat_management_with_ldap.md

18.11.23.3 KB
Original Source

{{< details >}}

  • Tier: Premium, Ultimate
  • Offering: GitLab Self-Managed

{{< /details >}}

{{< history >}}

{{< /history >}}

GitLab administrators can configure automatic GitLab Duo add-on seat assignment based on LDAP group membership. When enabled, GitLab will automatically assign or remove add-on seats for users when they sign in, depending on their LDAP group memberships.

Seat management workflow

  1. Configuration: Administrators specify LDAP groups in the duo_add_on_groups configuration settings.
  2. Seat synchronization: GitLab checks LDAP group memberships in two ways:
    • On user sign-in: When a user signs in through LDAP, GitLab immediately checks their group memberships.
    • Scheduled sync: GitLab automatically syncs all LDAP users daily at 02:00 AM to ensure seat assignments are up to date even without user sign-ins.
  3. Seat assignment:
    • If the user belongs to any group listed in duo_add_on_groups, they are assigned an add-on seat (if not already assigned).
    • If the user doesn't belong to any listed group, their add-on seat is removed (if previously assigned).
  4. Async processing: The seat assignment and removal is handled async to ensure the main sign-in flow is not interrupted.

The following diagram illustrates the workflow:

mermaid
%%{init: { "fontFamily": "GitLab Sans" }}%%
sequenceDiagram
    accTitle: Workflow of GitLab Duo add-on seat management with LDAP
    accDescr: Sequence diagram showing automatic GitLab Duo add-on seat management based on LDAP group membership. Users sign in, GitLab authenticates them, then enqueues a background job to sync seat assignment based on their group membership.

    participant User
    participant GitLab
    participant LDAP
    participant Background Job

    User->>GitLab: Sign in with LDAP credentials
    GitLab->>LDAP: Authenticate user
    LDAP-->>GitLab: User authenticated
    GitLab->>Background Job: Enqueue 'LdapAddOnSeatSyncWorker' seat sync job
    GitLab-->>User: Sign-in complete
    Background Job->>Background Job: Start
    Background Job->>LDAP: Check user's groups against duo_add_on_groups
    LDAP-->>Background Job: Return membership of groups
    alt User member of any duo_add_on_groups?
        Background Job->>GitLab: Assign Duo Add-on seat
    else User not in duo_add_on_groups
        Background Job->>GitLab: Remove Duo Add-on seat (if assigned)
    end
    Background Job-->>Background Job: Complete

    Note over GitLab, Background Job: Additionally, LdapAllAddOnSeatSyncWorker runs daily at 2 AM to sync all LDAP users

Configure GitLab Duo add-on seat management

To turn on add-on seat management with LDAP:

  1. Open the GitLab configuration file you have edited for the installation.
  2. Add the duo_add_on_groups setting to your LDAP server configuration.
  3. Specify an array of LDAP group names that should have GitLab Duo add-on seats.

The following example is a gitlab.rb configuration for Linux package installations:

ruby
gitlab_rails['ldap_servers'] = {
  'main' => {
    # Additional LDAP settings removed for readability
    'duo_add_on_groups' => ['duo_users', 'admins'],
  }
}