How to Centralize User Management with OpenLDAP Across GitLab, Confluence, JumpServer, and OpenVPN
This guide explains what LDAP is, why it simplifies account management for internal services such as GitLab, Confluence, JumpServer and OpenVPN, and provides step‑by‑step Docker‑based installation and configuration instructions, plus common troubleshooting tips.
Many companies run internal services such as GitLab, OpenVPN, JumpServer, Jira and Jenkins, and creating and disabling accounts in each one by hand is slow and error‑prone; an account that is missed during offboarding stays usable. Pointing every service at one LDAP directory gives a single source of truth for authentication: a user is created once, and disabling that one entry locks them out of every service that authenticates against it.
LDAP (Lightweight Directory Access Protocol) is an application protocol, carried over TCP/IP, for querying and updating a directory service; directories are designed for workloads where reads vastly outnumber writes, which is exactly the login‑lookup pattern these services generate. Data is stored as entries in a Directory Information Tree (DIT), each uniquely identified by a distinguished name (DN), which plays the role a primary key does in a relational table.
Installation of OpenLDAP
# Environment description:
# OpenLdap server address: 100.111.21.68
# Create directories
shell> mkdir -p /data/openldap/{config,database}
# Pull OpenLDAP image
shell> docker pull osixia/openldap:1.2.2
# Run OpenLDAP container (636 is the LDAPS port; the original text had 689, which is not an LDAP port)
shell> docker run --name ldap-service --hostname ldap-service -p 389:389 -p 636:636 \
-v /data/openldap/database:/var/lib/ldap \
-v /data/openldap/config:/etc/ldap/slapd.d \
--env LDAP_ORGANISATION="magedu.com" \
--env LDAP_DOMAIN="magedu.com" \
--env LDAP_ADMIN_PASSWORD="magedupassword" \
--env LDAP_TLS=false \
--detach osixia/openldap:1.2.2
# LDAP_TLS=false means every bind, including the cn=admin bind each service below performs,
# crosses the network in cleartext, and nothing listens on 636 until TLS is enabled.
# Acceptable on an isolated management network only; turn TLS on (LDAPS on 636 or StartTLS
# on 389) before production services authenticate against it. The admin password passed via
# --env is also visible in shell history and in "docker inspect", so change it afterwards.
# Pull and run phpLDAPadmin (web UI)
shell> docker pull osixia/phpldapadmin:0.7.2
shell> docker run --name phpldapadmin-service -p 6443:443 -p 6680:80 \
--hostname phpldapadmin-service --link ldap-service:magedu.com \
--env PHPLDAPADMIN_LDAP_HOSTS=magedu.com \
--env PHPLDAPADMIN_HTTPS=false \
--detach osixia/phpldapadmin:0.7.2
# PHPLDAPADMIN_HTTPS=false: the admin bind password is typed into a plain‑HTTP form on port 6680.
# Reach the UI only from a trusted network (or publish it as -p 127.0.0.1:6680:80 and tunnel in),
# or leave PHPLDAPADMIN_HTTPS at its default of true and use port 6443.
OpenLDAP + GitLab Configuration
shell> vim /home/git/gitlab/config/gitlab.yml
ldap:
  enabled: true
  servers:
    main:                       # server identifier; GitLab requires a key like this under servers
      label: 'LDAP'
      host: '100.111.21.68'
      port: 389
      uid: 'cn'                 # LDAP attribute the typed username is matched against
      encryption: 'plain'       # start_tls / simple_tls / plain; plain sends the bind password in cleartext
      verify_certificates: false
      bind_dn: 'cn=admin,dc=magedu,dc=com'   # a read-only service account is safer than the directory admin
      password: 'magedupassword'
      timeout: 10
      active_directory: false
      allow_username_or_email_login: true
      block_auto_created_users: false   # false: every LDAP user gets an active GitLab account on first login; true: an admin must unblock them
      base: 'dc=magedu,dc=com'
      user_filter: ''
      attributes:
        username: ['cn','uid','userid','sAMAccountName']
        email: ['mail','email','userPrincipalName']
        name: 'cn'
        first_name: 'givenName'
        last_name: 'sn'
After editing, restart GitLab; the login page will show an LDAP authentication tab.
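The installation above starts an empty directory, and the GitLab mapping just shown expects every entry to carry a username (cn/uid), mail and name attributes. The following script is an added example, not part of the original article or of the osixia images: it provisions those entries with the OpenLDAP client tools (ldapadd, ldapsearch, ldapwhoami, plus slappasswd from the slapd package) instead of clicking through phpLDAPadmin, then performs the same search‑then‑bind that GitLab, Confluence, JumpServer and the OpenVPN plugin do at login. The ou=users and ou=groups containers, the user alice, her password and the posixGroup vpn are assumptions chosen for illustration; the server address, base DN and admin credentials are the ones used throughout the article.

```shell
#!/bin/sh
# Added example (not from the article): populate the OpenLDAP container with the
# entries the services expect, using the OpenLDAP client tools instead of phpLDAPadmin.
# Assumed layout (my choice, not the article's): users under ou=users, groups under
# ou=groups, login attribute cn, VPN group "vpn" as a posixGroup with memberUid values.

LDAP_URI="${LDAP_URI:-ldap://100.111.21.68:389}"    # server address from the article
BASE_DN="dc=magedu,dc=com"
ADMIN_DN="cn=admin,${BASE_DN}"
ADMIN_PW="${LDAP_ADMIN_PASSWORD:-magedupassword}"   # article's value; rotate it

# The two containers; "ldapadd -c" keeps going if they already exist.
container_ldif() {
  cat <<EOF
dn: ou=users,${BASE_DN}
objectClass: organizationalUnit
ou: users

dn: ou=groups,${BASE_DN}
objectClass: organizationalUnit
ou: groups

EOF
}

# user_ldif LOGIN GIVENNAME SURNAME MAIL PASSWORD_HASH
# Carries every attribute the GitLab mapping reads: cn/uid (username), mail
# (mandatory, see Troubleshooting), givenName/sn/displayName, and a hashed password.
user_ldif() {
  login=$1 given=$2 surname=$3 mail=$4 hash=$5
  cat <<EOF
dn: cn=${login},ou=users,${BASE_DN}
objectClass: inetOrgPerson
cn: ${login}
uid: ${login}
givenName: ${given}
sn: ${surname}
displayName: ${given} ${surname}
mail: ${mail}
userPassword: ${hash}

EOF
}

# group_ldif NAME GIDNUMBER LOGIN...  -> posixGroup whose memberUid values are the
# logins; memberUid is the attribute the OpenVPN plugin's MemberAttribute setting names.
group_ldif() {
  name=$1 gid=$2
  shift 2
  printf 'dn: cn=%s,ou=groups,%s\nobjectClass: posixGroup\ncn: %s\ngidNumber: %s\n' \
    "$name" "$BASE_DN" "$name" "$gid"
  for m in "$@"; do printf 'memberUid: %s\n' "$m"; done
  printf '\n'
}

# slapd stores whatever userPassword it is given, so hash it (salted SHA-1) first.
hash_password() { slappasswd -h '{SSHA}' -s "$1"; }

# Read LDIF on stdin and add it. -c continues past "Already exists" so the script can
# be re-run. -w puts the password on the command line (visible in ps); prefer
# -y /path/to/passwordfile outside a lab.
apply_ldif() { ldapadd -c -x -H "$LDAP_URI" -D "$ADMIN_DN" -w "$ADMIN_PW"; }

# Mirror what the services do at login: search for the login with the admin bind,
# then bind as the DN found using the user's own password. Refuses to proceed when
# the search matches zero or several entries, which is the ambiguity the services
# themselves stumble over.
check_login() {
  login=$1 password=$2
  dn=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$ADMIN_DN" -w "$ADMIN_PW" \
         -b "$BASE_DN" "(cn=${login})" dn | sed -n 's/^dn: //p')
  case $(printf '%s\n' "$dn" | grep -c .) in
    1) ;;
    0) echo "no entry for ${login}" >&2; return 1 ;;
    *) echo "ambiguous login ${login}: ${dn}" >&2; return 1 ;;
  esac
  ldapwhoami -x -H "$LDAP_URI" -D "$dn" -w "$password"
}

# Run with "apply" to talk to the server; without arguments only the LDIF is printed.
if [ "${1:-}" = "apply" ]; then
  { container_ldif
    user_ldif alice Alice Liu alice@magedu.com "$(hash_password 'ChangeMe-123')"
    group_ldif vpn 10001 alice
  } | apply_ldif
  check_login alice 'ChangeMe-123'
else
  container_ldif
  user_ldif alice Alice Liu alice@magedu.com '{SSHA}replace-with-slappasswd-output'
  group_ldif vpn 10001 alice
fi
```

Because the services search the whole subtree under dc=magedu,dc=com, this layout needs no change to their Base DN settings; only the OpenVPN plugin's Group BaseDN (cn=users in the article) would have to point at ou=groups,dc=magedu,dc=com. The search‑then‑bind in check_login is also the quickest way to reproduce a "cannot log in" report: if it fails with the admin bind working, the entry, the cn attribute or the password hash is wrong, not the service.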
OpenLDAP + Confluence (Wiki) Configuration
Name: LDAP Server
Directory Type: OpenLDAP
Host: 100.111.21.68
Port: 389
Bind DN: cn=admin,dc=magedu,dc=com
Password: magedupassword
Base DN: dc=magedu,dc=com
User Object Class: inetOrgPerson
User DN Attribute: cn
User RDN Attribute: cn
First Name Attribute: givenName
Last Name Attribute: sn
Display Name Attribute: displayName
Email Attribute: mail
Password Attribute: userPassword
Password Encryption: MD5 (only used when Confluence writes passwords back into the directory; if you enable that, pick SSHA rather than MD5)
Click "Test Connection" to verify the settings; if successful, Confluence will import LDAP users and automatically add them to the default group confluence-users.
OpenLDAP + JumpServer Configuration
# LDAP settings in JumpServer UI
LDAP address: ldap://100.111.21.68:389
Bind DN: cn=admin,dc=magedu,dc=com
Password: magedupassword
User OU: dc=magedu,dc=com
User filter: (cn=%(user)s)
Attribute mapping: {"username":"cn", "name":"sn", "email":"mail"}
Enable LDAP authentication: ✔
After saving, restart the JumpServer container; LDAP users can then log in directly.
OpenLDAP + OpenVPN Configuration
# /etc/openvpn/auth/ldap.conf
<LDAP>
  URL ldap://100.111.21.68:389
  # This file holds the bind password in cleartext: chmod 600 it, keep it owned by root,
  # and bind with a read-only service account rather than the directory admin.
  BindDN cn=admin,dc=magedu,dc=com
  Password magedupassword
  Timeout 15
  # Matches LDAP_TLS=false on the server; every VPN user's password then crosses the
  # network to the LDAP server unencrypted.
  TLSEnable no
  FollowReferrals no
</LDAP>
<Authorization>
  BaseDN "dc=magedu,dc=com"
  # %u is replaced by the username the VPN client sent; the search must match exactly one entry.
  SearchFilter "(cn=%u)"
  # false: every LDAP user may connect and the <Group> block below is ignored;
  # true: only members of that group are accepted.
  RequireGroup false
  <Group>
    BaseDN "cn=users,dc=magedu,dc=com"
    SearchFilter "(cn=vpn)"
    MemberAttribute memberUid
  </Group>
</Authorization>
# /etc/openvpn/server.conf (excerpt)
port 1194
proto tcp
dev tun
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
# Deprecated spelling; OpenVPN 2.4+ prefers "verify-client-cert none", and 2.5 dropped the old name.
client-cert-not-required
# Only meaningful when clients present certificates; the server-side value is "client"
# ("remote-cert-tls server" belongs in client configurations).
remote-cert-tls client
verb 4
Loading the plugin is what makes the server demand a username and password from every client and check them against LDAP. The auth-user-pass directive that tells the client to prompt for those credentials goes into each client's configuration, not into server.conf: OpenVPN rejects auth-user-pass in a server‑mode configuration.
Troubleshooting
# Common error: Undefined method `provider' for nil:NilClass
# Cause: GitLab requires an email attribute for each LDAP user.
# Fix: In phpLDAPadmin, edit the user entry and add a valid mail attribute (inetOrgPerson already allows it).
# Another error: Could not authorize you from LDAP because "(ldap) account must provide a dn, uid and email address"
# Fix: Ensure every user entry carries the attributes GitLab maps to uid and email (cn/uid and mail in the configuration above) and that the mapping matches what the directory actually stores.
By following the steps above, you can centralize authentication for multiple services on a single OpenLDAP instance: one place to create an account and, more importantly, one place to disable it.
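Both errors above come down to directory content, not GitLab: a person entry without mail, or a login name that a cn= search resolves to more than one entry (which also trips the OpenVPN plugin's "(cn=%u)" filter). The script below is an added example, not from the article, that audits an ldapsearch dump for exactly those two conditions so they are caught before a user reports a failed login. The sample LDIF inside it is constructed, and the bind‑password file path used by the live variant is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): audit the directory for the two conditions
# behind the GitLab errors above, a user entry without mail and a login name shared
# by several entries. Works on plain ldapsearch output (LDIF), from a dump or live.

# ldapsearch wraps long values onto lines that start with one space; join them back.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { print "" }
       { printf "%s", $0 }
       END { print "" }'
}

# Print one finding per line (MISSING-MAIL <dn> / DUPLICATE-CN <cn>) for inetOrgPerson
# entries and exit 1 when anything was found, so the check can gate a rollout.
# Containers, groups and the base entry are skipped: they legitimately have no mail.
# Every cn value of an entry is counted, because "(cn=%u)" matches any of them.
audit_ldif() {
  unfold_ldif | awk '
    function flush(   i, v) {
      if (dn != "" && person) {
        if (!has_mail) { print "MISSING-MAIL " dn; bad = 1 }
        for (i = 1; i <= ncn; i++) {
          v = cnv[i]; seen[v]++
          if (seen[v] == 2) { print "DUPLICATE-CN " v; bad = 1 }
        }
      }
      dn = ""; has_mail = 0; person = 0; ncn = 0
    }
    /^dn: /                                      { flush(); dn = substr($0, 5); next }
    tolower($0) == "objectclass: inetorgperson"  { person = 1; next }
    /^cn: /                                      { cnv[++ncn] = tolower(substr($0, 5)); next }
    /^mail::? /                                  { has_mail = 1; next }
    END { flush(); exit bad }
  '
}

# Live variant: dump the subtree the services search and audit it. The bind password
# is read from a file (-y) so it stays out of the process list; the path is assumed.
audit_live() {
  ldapsearch -LLL -x -H "${LDAP_URI:-ldap://100.111.21.68:389}" \
    -D "cn=admin,dc=magedu,dc=com" -y "${BIND_PW_FILE:-/etc/openldap/bind.pw}" \
    -b "dc=magedu,dc=com" "(objectClass=*)" dn objectClass cn mail | audit_ldif
}

# Constructed sample (not a real dump): alice is fine, bob lacks mail, and bob's cn is
# reused by a second entry, so "(cn=bob)" no longer identifies a single user.
SAMPLE_LDIF='dn: dc=magedu,dc=com
objectClass: dcObject
objectClass: organization
dc: magedu

dn: cn=alice,ou=users,dc=magedu,dc=com
objectClass: inetOrgPerson
cn: alice
sn: Liu
mail: alice@magedu.com

dn: cn=bob,ou=users,dc=magedu,dc=com
objectClass: inetOrgPerson
cn: bob
sn: Wang

dn: uid=bwang,ou=users,dc=magedu,dc=com
objectClass: inetOrgPerson
cn: bob
sn: Wang
mail: bob.wang@magedu.com
description: long values get folded by ldapsearch and must be joined
 before they are parsed'

# Run with "live" to audit the real server; otherwise the constructed sample is audited.
if [ "${1:-}" = "live" ]; then
  audit_live
else
  printf '%s\n' "$SAMPLE_LDIF" | audit_ldif || echo "fix the findings above before enabling LDAP login" >&2
fi
```

Run it before enabling LDAP in GitLab and after every bulk import: a MISSING-MAIL line is the entry that would produce the "must provide a dn, uid and email address" error, and a DUPLICATE-CN line is a login that several services would either refuse or silently map to the wrong person.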
MaGe Linux Operations