2015-08-26 15:22:48 +00:00 · 2015-08-26 15:22:48 +00:00 · 40fc4a8687
parent 6a40008e20 6a741bb78a
commit 40fc4a8687
3 changed files with 39 additions and 0 deletions
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@ -76,6 +76,15 @@ external_url 'GENERATED_EXTERNAL_URL'
 #     sync_ssh_keys: false
 # EOS

+## Setting up Kerberos (EE only)
+## See http://doc.gitlab.com/ee/integration/kerberos.html#http-git-access
+# gitlab_rails['kerberos_enabled'] = true
+# gitlab_rails['kerberos_keytab'] = /etc/http.keytab
+# gitlab_rails['kerberos_service_principal_name'] = HTTP/gitlab.example.com@EXAMPLE.COM
+# gitlab_rails['kerberos_use_dedicated_port'] = true
+# gitlab_rails['kerberos_port'] = 8443
+# gitlab_rails['kerberos_https'] = true
+
 ## For setting up omniauth
 ## see https://gitlab.com/gitlab-org/omnibus-gitlab/blob/629def0a7a26e7c2326566f0758d4a27857b52a3/README.md#omniauth-google-twitter-github-login

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@ -108,6 +108,13 @@ default['gitlab']['gitlab-rails']['ldap_sync_time'] = nil
 default['gitlab']['gitlab-rails']['ldap_active_directory'] = nil
 ####

+default['gitlab']['gitlab-rails']['kerberos_enabled'] = nil
+default['gitlab']['gitlab-rails']['kerberos_keytab'] = nil
+default['gitlab']['gitlab-rails']['kerberos_service_principal_name'] = nil
+default['gitlab']['gitlab-rails']['kerberos_use_dedicated_port'] = nil
+default['gitlab']['gitlab-rails']['kerberos_port'] = nil
+default['gitlab']['gitlab-rails']['kerberos_https'] = nil
+
 default['gitlab']['gitlab-rails']['omniauth_enabled'] = false
 default['gitlab']['gitlab-rails']['omniauth_allow_single_sign_on'] = nil
 default['gitlab']['gitlab-rails']['omniauth_auto_sign_in_with_provider'] = nil
--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@ -118,6 +118,29 @@ production: &base
    sync_time: <%= @ldap_sync_time %>
  <% end %>

+  ## Kerberos settings
+  kerberos:
+    # Allow the HTTP Negotiate authentication method for Git clients
+    enabled: <%= @kerberos_enabled %>
+
+    # Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
+    # and should be different from other keytabs in the system.
+    # (default: use default keytab from Krb5 config)
+    keytab: <%= @kerberos_keytab %>
+
+    # The Kerberos service name to be used by GitLab.
+    # (default: accept any service name in keytab file)
+    service_principal_name: <%= @kerberos_service_principal_name %>
+
+    # Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
+    # To support both Basic and Negotiate methods with older versions of Git, configure
+    # nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
+    # to dedicate this port to Kerberos authentication. (default: false)
+    use_dedicated_port: <%= @kerberos_use_dedicated_port %>
+    port: <%= @kerberos_port %>
+    https: <%= @kerberos_https %>
+
+
  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers