
GitLab Duo add-on seat management with LDAP

Tier: Premium, Ultimate. Offering: GitLab Self-Managed, GitLab Dedicated.

GitLab administrators can configure automatic GitLab Duo add-on seat assignment based on LDAP group membership. When enabled, GitLab will automatically assign or remove add-on seats for users when they sign in, depending on their LDAP group memberships.

Seat management workflow

  1. Configuration: Administrators specify LDAP groups in the duo_add_on_groups configuration settings.
  2. User sign-in: When a user signs in through LDAP, GitLab checks their group memberships. GitLab supports only one LDAP identity per user.
  3. Seat assignment:
    • If the user belongs to any group listed in duo_add_on_groups, they are assigned an add-on seat (if not already assigned).
    • If the user doesn't belong to any listed group, their add-on seat is removed (if previously assigned).
  4. Async processing: Seat assignment and removal are handled asynchronously so that the main sign-in flow is not interrupted.

The following diagram illustrates the workflow:

sequenceDiagram
    participant User
    participant GitLab
    participant LDAP
    participant Background Job

    User->>GitLab: Sign in with LDAP credentials
    GitLab->>LDAP: Authenticate user
    LDAP-->>GitLab: User authenticated
    GitLab->>Background Job: Enqueue 'LdapAddOnSeatSyncWorker' seat sync job
    GitLab-->>User: Sign-in complete
    Background Job->>Background Job: Start
    Background Job->>LDAP: Check user's groups against duo_add_on_groups
    LDAP-->>Background Job: Return membership of groups
    alt User member of any duo_add_on_groups?
        Background Job->>GitLab: Assign Duo Add-on seat
    else User not in duo_add_on_groups
        Background Job->>GitLab: Remove Duo Add-on seat (if assigned)
    end
    Background Job-->>Background Job: Complete

Configure Duo add-on seat management

To turn on add-on seat management with LDAP:

  1. Open the GitLab configuration file you have edited for the installation.
  2. Add the duo_add_on_groups setting to your LDAP server configuration.
  3. Specify an array of LDAP group names that should have Duo Add-on seats.

The following example is a gitlab.rb configuration for Linux package installations:

gitlab_rails['ldap_servers'] = {
  'main' => {
    # ... other LDAP settings ...
    'duo_add_on_groups' => ['duo_users', 'admins'],
  }
}
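
The seat decision from the workflow above, run as a dry run over a directory snapshot to show which accounts would gain or lose a seat under the configured groups. This is an added example, not GitLab's code: `seat_action`, `plan_seat_changes`, the snapshot format, and the exact-string comparison of group names are assumptions for illustration, and the sample users are constructed.

```ruby
require 'set'

# Hypothetical helper (not a GitLab API): the per-user decision the
# workflow describes, evaluated for one sign-in.
# Assumption: group names are compared as exact strings.
def seat_action(user_groups, duo_add_on_groups, seat_assigned)
  eligible = !(Set.new(user_groups) & Set.new(duo_add_on_groups)).empty?
  if eligible
    seat_assigned ? :keep : :assign   # assign only if not already assigned
  else
    seat_assigned ? :remove : :none   # remove only if previously assigned
  end
end

# Dry run over a snapshot: lists the users whose seat state would change.
def plan_seat_changes(snapshot, duo_add_on_groups)
  plan = { assign: [], remove: [] }
  snapshot.each do |user|
    action = seat_action(user[:groups], duo_add_on_groups, user[:seat])
    plan[action] << user[:username] if plan.key?(action)
  end
  plan
end

# Same group list as the gitlab.rb example above.
DUO_ADD_ON_GROUPS = ['duo_users', 'admins'].freeze

# Constructed sample data: LDAP groups and current seat state per user.
SNAPSHOT = [
  { username: 'alice', groups: ['duo_users', 'dev'], seat: false },
  { username: 'bob',   groups: ['dev'],              seat: true  },
  { username: 'carol', groups: ['admins'],           seat: true  },
  { username: 'dave',  groups: [],                   seat: false }
].freeze

if __FILE__ == $PROGRAM_NAME
  plan = plan_seat_changes(SNAPSHOT, DUO_ADD_ON_GROUPS)
  puts "assign: #{plan[:assign].join(', ')}"
  puts "remove: #{plan[:remove].join(', ')}"
end
```

In the workflow above, these changes are applied when each user next signs in through LDAP.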

Troubleshooting

See LDAP troubleshooting.