Status: Done — 2026-04-30 / 2026-05-01. GitLab CE 18.11.2 on
VM-SL-04 now authenticates against Authentik via two paths: OmniAuth OIDC
(provider='openid_connect', uid_field=sub) and LDAP (provider='ldapmain')
through the Authentik LDAP outpost on 10.200.0.200:389. Both paths land
known users on their existing GitLab account (id=2 for Alex, id=4 for
Jonas) via pre-created Identity rows; auto-link by LDAP DN handles new
Authentik users.
| Field | Value |
|---|---|
| Host | VM-SL-04 |
| GitLab | CE 18.11.2 (omnibus, native install — not Docker) |
| Login URL | https://git.blackreset.com/users/sign_in shows the Sign in with Authentik button |
| Authentik OIDC provider | svc-gitlab-oidc (pk=15, sub_mode=user_uuid) |
| Authentik OIDC app | svc-gitlab |
| Authentik LDAP outpost | 10.200.0.200:389 (see /migration/authentik-ldap-outpost-2026) |
| Authentik groups | grp-gitlab-user, grp-gitlab-admin |
| OIDC uid_field | sub (Authentik UUID), was preferred_username |
| Auto-link strategy | omniauth_auto_link_ldap_user = true, omniauth_auto_link_user = ['openid_connect'] |
| Auto-create | allowed (omniauth_block_auto_created_users = false) for users with Identity row or LDAP match |
| LDAP backend | Authentik LDAP outpost (was: empty / no ldap_servers block) |
| LDAP bind DN | cn=svc-ldap-bind,ou=users,dc=ldap,dc=blackreset,dc=com |
| LDAP bind password | from .secrets/.ldap-bind-password |
| gitlab.rb backup | /etc/gitlab/gitlab.rb.bak.<ts> (one per reconfigure) |
| OIDC snippet source | inventory/vm-sl-04/gitlab-omniauth-authentik.rb |
| LDAP snippet source | inventory/vm-sl-04/gitlab-ldap-authentik.rb |
The Authentik integration was added by appending a marker-delimited block to
/etc/gitlab/gitlab.rb. The block is idempotent in effect (it merges into the
existing allow_single_sign_on / auto_link_user arrays and removes any earlier
'Authentik' provider entry before re-adding it). It is regenerable from
inventory/vm-sl-04/gitlab-omniauth-authentik.rb:
```ruby
# === BEGIN Authentik OIDC integration (added 2026-04-30) ===
gitlab_rails['omniauth_enabled'] = true
# Append 'openid_connect' to allow_single_sign_on without losing existing entries
_existing_sso = (gitlab_rails['omniauth_allow_single_sign_on'] rescue nil) || []
_existing_sso = ['saml','openid_connect'] if _existing_sso == true || _existing_sso == 'true'
_existing_sso = [] unless _existing_sso.is_a?(Array)
gitlab_rails['omniauth_allow_single_sign_on'] = (_existing_sso + ['openid_connect']).uniq
# auto_link_user: match by email so existing GitLab users are linked, not duplicated
_existing_link = (gitlab_rails['omniauth_auto_link_user'] rescue nil) || []
_existing_link = [] unless _existing_link.is_a?(Array)
gitlab_rails['omniauth_auto_link_user'] = (_existing_link + ['openid_connect']).uniq
# Initial value on 2026-04-30: block auto-creation of users not already in GitLab.
# Flipped to false afterwards (see "Final gitlab.rb settings" below); auto-creation
# is then gated by grp-gitlab-user membership at the Authentik application binding.
gitlab_rails['omniauth_block_auto_created_users'] = true
# Profile sync from Authentik
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email','name']
_authentik_provider = {
  name: 'openid_connect',
  label: 'Authentik',
  icon: 'https://auth.blackreset.com/static/dist/assets/icons/icon.png',
  args: {
    name: 'openid_connect',
    scope: ['openid','profile','email'],
    response_type: 'code',
    issuer: 'https://auth.blackreset.com/application/o/svc-gitlab/',
    discovery: true,
    client_auth_method: 'basic',
    uid_field: 'sub', # Authentik UUID — see /access/identity-policy
    send_scope_to_token_endpoint: true,
    pkce: true,
    client_options: {
      identifier: 'TG6ShFnGwCSHHBLFZtQEb6omt5UDAvWE0kijhc0T',
      secret: '<from .secrets/credentials.env>', # never commit the real value to inventory/
      redirect_uri: 'https://git.blackreset.com/users/auth/openid_connect/callback'
    }
  }
}
# Drop any earlier copy of this provider (keyed on label) so re-applying does not
# register it twice, then append the current definition.
_existing_providers = (gitlab_rails['omniauth_providers'] rescue nil) || []
_existing_providers = [] unless _existing_providers.is_a?(Array)
_existing_providers = _existing_providers.reject { |p|
  (p.is_a?(Hash) && (p[:label] == 'Authentik' || p['label'] == 'Authentik'))
}
gitlab_rails['omniauth_providers'] = _existing_providers + [_authentik_provider]
# === END Authentik OIDC integration ===
```
Apply / re-apply (when re-applying, delete the previous BEGIN/END region from
gitlab.rb first; the Ruby de-duplicates the provider entry, but a second
`cat >>` still leaves two copies of the text in the file):

```bash
sudo cp /etc/gitlab/gitlab.rb /etc/gitlab/gitlab.rb.bak.$(date +%Y%m%d-%H%M%S)
sudo cp inventory/vm-sl-04/gitlab-omniauth-authentik.rb /tmp/
sudo bash -c 'cat /tmp/gitlab-omniauth-authentik.rb >> /etc/gitlab/gitlab.rb'
sudo gitlab-ctl reconfigure
```
The reconfigure on 2026-04-30 updated 7 of 943 resources and the login
page started rendering the Authentik button immediately after.
The GitLab LDAP backend was previously empty — no ldap_servers
block existed in gitlab.rb, so LDAP login was effectively dead and the
old Identity rows with provider='ldapmain' had no live counterpart.
The new block (snippet at inventory/vm-sl-04/gitlab-ldap-authentik.rb)
points at the Authentik LDAP outpost:
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
  'main' => {                      # provider id becomes 'ldapmain' in Identity rows
    'label' => 'LDAP',
    'host' => '10.200.0.200',
    'port' => 389,
    'uid' => 'cn',
    'encryption' => 'plain',       # bind and user passwords cross the wire in cleartext
    'verify_certificates' => false, # has no effect while encryption is 'plain'
    'bind_dn' => 'cn=svc-ldap-bind,ou=users,dc=ldap,dc=blackreset,dc=com',
    'password' => '<from .secrets/.ldap-bind-password>',
    'base' => 'ou=users,dc=ldap,dc=blackreset,dc=com',
    'user_filter' => '(objectClass=user)',
    'attributes' => {
      'username' => ['cn'],
      'email' => ['mail'],
      'name' => 'displayName',
      'first_name'=> 'givenName',
      'last_name' => 'sn'
    },
    'lowercase_usernames' => false,
    'block_auto_created_users' => false
  }
}
```
gitlab-rake gitlab:ldap:check returns 16 Authentik users, including
A.Korff, J.Placzek, akadmin, the remaining Korff family members and the
ak-outpost-* service accounts. Note that with 'encryption' => 'plain' the
bind password and every user's password travel to the outpost unencrypted,
and verify_certificates is inert until encryption is switched to
'start_tls' or 'simple_tls'; this is acceptable only as long as the path to
10.200.0.200 stays on the trusted segment.
uid_field change
The OIDC uid_field was changed from preferred_username to sub (the Authentik
UUID) to align with the identity policy (/access/identity-policy) that
mandates the Authentik UUID as the canonical identifier across all apps.
Because this changes the extern_uid of every OIDC identity, Identity rows
for the known users had to be pre-created so that their existing GitLab
accounts are not duplicated on first OIDC login.
A new gitlab.rb backup is taken on every reconfigure:
/etc/gitlab/gitlab.rb.bak.<ts>.
Done via gitlab-rails runner:
| GitLab user.id | username | OIDC extern_uid (Authentik UUID) | LDAP extern_uid (DN) |
|---|---|---|---|
| 2 | AlexanderKorff | 5d9caf1d-4826-44d1-acaf-a5221abc03b4 | cn=a.korff,ou=users,dc=ldap,dc=blackreset,dc=com |
| 4 | Mini-Placzek | da48e8da-bfc5-4fa4-a1fc-e66afcf0d2ce | cn=j.placzek,ou=users,dc=ldap,dc=blackreset,dc=com |
This means Alex (id=2) and Jonas (id=4) land on their existing GitLab
accounts via either OIDC or LDAP login, with all repos / groups /
admin status preserved.
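The runner script used for the table above is not on this page. What follows is an added example, written for this page rather than taken from VM-SL-04, of how such a pre-creation should be done: a pure planning step that compares the desired (user_id, provider, extern_uid) rows with what is already in the identities table and refuses to re-point an extern_uid that belongs to a different user (doing so silently would hand that user's login to another account), followed by an apply step that only runs inside gitlab-rails runner. The Identity columns user_id / provider / extern_uid are GitLab's; the APPLY=1 environment switch, the function names and the sample "existing" rows are assumptions.

```ruby
# Added example: plan and apply GitLab Identity rows ahead of the uid_field switch.
# Dry-run by default; set APPLY=1 to write. Run as:
#   sudo gitlab-rails runner /tmp/identity_links.rb
# The planning half is plain Ruby and runs anywhere; the apply half needs GitLab's
# ActiveRecord models (Identity, User), which exist only inside the runner.

# Desired state, copied from the table on this page (constructed input).
LINKS = [
  { user_id: 2, provider: 'openid_connect', extern_uid: '5d9caf1d-4826-44d1-acaf-a5221abc03b4' },
  { user_id: 2, provider: 'ldapmain',       extern_uid: 'cn=a.korff,ou=users,dc=ldap,dc=blackreset,dc=com' },
  { user_id: 4, provider: 'openid_connect', extern_uid: 'da48e8da-bfc5-4fa4-a1fc-e66afcf0d2ce' },
  { user_id: 4, provider: 'ldapmain',       extern_uid: 'cn=j.placzek,ou=users,dc=ldap,dc=blackreset,dc=com' },
].freeze

# existing: rows {user_id:, provider:, extern_uid:} currently in the identities table.
# Returns one action per desired row:
#   :keep     row already present for this user
#   :update   same user+provider but a different extern_uid (old preferred_username)
#   :create   nothing for this user+provider yet
#   :conflict extern_uid already owned by another user -> must be resolved by hand
# extern_uid is compared case-insensitively because DNs are case-insensitive and
# GitLab stores LDAP DNs normalized.
def plan_identity_changes(desired, existing)
  by_uid  = existing.group_by { |r| [r[:provider], r[:extern_uid].downcase] }
  by_user = existing.group_by { |r| [r[:provider], r[:user_id]] }
  desired.map do |d|
    owner   = by_uid[[d[:provider], d[:extern_uid].downcase]]&.first
    current = by_user[[d[:provider], d[:user_id]]]&.first
    if owner && owner[:user_id] != d[:user_id]
      { action: :conflict, link: d, held_by: owner[:user_id] }
    elsif owner
      { action: :keep, link: d }
    elsif current
      { action: :update, link: d, from: current[:extern_uid] }
    else
      { action: :create, link: d }
    end
  end
end

# Applies a plan in one transaction; any :conflict aborts the whole run so a partial
# link set (OIDC row written, LDAP row not) never reaches production.
def apply_identity_changes(plan)
  conflicts = plan.select { |p| p[:action] == :conflict }
  raise "aborting, resolve first: #{conflicts.inspect}" unless conflicts.empty?
  Identity.transaction do
    plan.each do |p|
      next if p[:action] == :keep
      User.find(p[:link][:user_id]) # raises if the target account does not exist
      ident = Identity.find_or_initialize_by(user_id: p[:link][:user_id],
                                             provider: p[:link][:provider])
      ident.extern_uid = p[:link][:extern_uid]
      ident.save!
    end
  end
  plan.count { |p| p[:action] != :keep }
end

if defined?(Identity) # only true inside gitlab-rails runner
  existing = Identity.where(provider: %w[openid_connect ldapmain])
                     .pluck(:user_id, :provider, :extern_uid)
                     .map { |u, p, e| { user_id: u, provider: p, extern_uid: e.to_s } }
  plan = plan_identity_changes(LINKS, existing)
  plan.each { |p| puts p.inspect }
  puts "written: #{apply_identity_changes(plan)}" if ENV['APPLY'] == '1'
end
```

Read the dry-run output before setting APPLY=1; an :update line is the expected outcome for a user who logged in via OIDC while uid_field was still preferred_username, a :conflict line means someone else already holds that UUID or DN and the table on this page is wrong for that user.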
The primary email of user id=2 was set to A.Korff@xio.bio to match Authentik;
alex@korff.wtf was kept as a secondary (verified) email for legacy use. Admin
status on id=2 was re-asserted with User.find(2).update!(admin: true).
Final gitlab.rb settings:
| Setting | Value | Why |
|---|---|---|
| omniauth_block_auto_created_users | false (was true) | Auto-create allowed; gated by Authentik group grp-gitlab-user membership at the application-binding level |
| omniauth_auto_link_ldap_user | true | New Authentik users without an Identity row get linked via their LDAP DN on first OIDC login |
| omniauth_auto_link_user | ['openid_connect'] | OIDC email / sub matches the existing user record |
Done via gitlab-rails runner against ApplicationSetting:
| Setting | Value | Why |
|---|---|---|
| signup_enabled | false | Public sign-up is closed; new users come in only via Authentik |
| vscode_extension_marketplace_single_origin_fallback_enabled | false | Disables a 3rd-party fallback CDN; outbound traffic stays inside our control |
GitLab had accumulated 61 user records (57 humans + 4 bots), mostly from the
era when signup_enabled = true. Hard-deleted: 43 spam/abandoned humans.
Kept: 14 humans + 4 system bots, namely AlexanderKorff (id=2, admin),
Mini-Placzek (id=4) and 12 other legitimate users, plus the bots ghost,
alert-bot, support-bot and GitLabDuo. The full keep-list and deletion-list
are preserved on VM-SL-04 for the audit trail.
Verification:
User.id=2 lands on the existing account with admin retained: PASS
User.id=4 lands on the existing account: PASS
grp-gitlab-user membership is required for login (enforced at the Authentik application binding)
How the match works: GitLab resolves a login by looking up Identity by
(provider, extern_uid), i.e. ('openid_connect', <Authentik UUID from the sub
claim>) or ('ldapmain', <DN>), and follows that row to the User. With the
rows pre-created there is no DB churn: a known user hits an existing
Identity row and no duplicate account is created. A user without an
Identity row is auto-created (omniauth_block_auto_created_users = false),
gated by the grp-gitlab-user binding in Authentik.
Rollback:
| Scope | Action |
|---|---|
| Kill the Authentik button only | Remove the appended block from gitlab.rb (or restore gitlab.rb.bak.20260430-190209) and gitlab-ctl reconfigure. LDAP login keeps working untouched. |
| Drop linked identities | gitlab-rails runner "Identity.where(provider: 'openid_connect').delete_all". The linked GitLab users themselves are NOT deleted. |
| Purpose | Path |
|---|---|
| OIDC snippet source | inventory/vm-sl-04/gitlab-omniauth-authentik.rb |
| LDAP snippet source | inventory/vm-sl-04/gitlab-ldap-authentik.rb |
| /etc/gitlab/gitlab.rb backups | /etc/gitlab/gitlab.rb.bak.<ts> on VM-SL-04 (one per gitlab-ctl reconfigure) |
| Earlier upgrade record | inventory/vm-sl-04/gitlab-upgrade-2026-04-30.sh |
GitLab CE 18.11.2 has been running since 2026-05-01 as a container on vm-rz-svc-prod-01 (DB on vm-rz-db-01:5432/gitlabhq_production). The native vm-sl-04 installation is pending decommission.
LDAP outpost move 2026-05-02: 10.200.0.200:389 → 10.200.0.101:389 (same outpost UUID + token). GitLab ldap_servers.host was updated accordingly on 2026-05-02.
Group filter added 2026-05-02: grp-gitlab-user (login permission) and grp-gitlab-admin (Owner role), mapped via the Authentik LDAP memberOf attribute.