GitLab Duo add-on seat management with LDAP

Tier: Premium, Ultimate
Offering: GitLab Self-Managed, GitLab Dedicated

History

GitLab administrators can configure automatic GitLab Duo add-on seat assignment based on LDAP group membership. When enabled, GitLab will automatically assign or remove add-on seats for users when they sign in, depending on their LDAP group memberships.

Seat management workflow

Configuration: Administrators specify LDAP groups in the duo_add_on_groups configuration settings.
User sign-in: When a user signs in through LDAP, GitLab checks their group memberships. GitLab supports only one LDAP identity per user.
Seat assignment:
- If the user belongs to any group listed in duo_add_on_groups, they are assigned an add-on seat (if not already assigned).
- If the user doesn’t belong to any listed group, their add-on seat is removed (if previously assigned).
Async processing: The seat assignment and removal is handled async to ensure the main sign-in flow is not interrupted.

The following diagram illustrates the workflow:

sequenceDiagram
    participant User
    participant GitLab
    participant LDAP
    participant Background Job

    User->>GitLab: Sign in with LDAP credentials
    GitLab->>LDAP: Authenticate user
    LDAP-->>GitLab: User authenticated
    GitLab->>Background Job: Enqueue 'LdapAddOnSeatSyncWorker' seat sync job
    GitLab-->>User: Sign-in complete
    Background Job->>Background Job: Start
    Background Job->>LDAP: Check user's groups against duo_add_on_groups
    LDAP-->>Background Job: Return membership of groups
    alt User member of any duo_add_on_groups?
        Background Job->>GitLab: Assign Duo Add-on seat
    else User not in duo_add_on_groups
        Background Job->>GitLab: Remove Duo Add-on seat (if assigned)
    end
    Background Job-->>Background Job: Complete

Configure Duo add-on seat management

To turn on add-on seat management with LDAP:

Open the GitLab configuration file you have edited for the installation.
Add the duo_add_on_groups setting to your LDAP server configuration.
Specify an array of LDAP group names that should have Duo Add-on seats.

The following example is a gitlab.rb configuration for Linux package installations:

gitlab_rails['ldap_servers'] = {
  'main' => {
    # ... other LDAP settings ...
    'duo_add_on_groups' => ['duo_users', 'admins'],
  }
}

Troubleshooting

See LDAP troubleshooting.

Docs

Edit this page to fix an error or add an improvement in a merge request.

Create an issue to suggest an improvement to this page.

Product

Create an issue if there's something you don't like about this feature.

Propose functionality by submitting a feature request.

Feature availability and product trials

View pricing to see all GitLab tiers and features, or to upgrade.

Try GitLab for free with access to all features for 30 days.

Get help

If you didn't find what you were looking for, search the docs.

If you want help with something specific and could use community support, post on the GitLab forum.

For problems setting up or using this feature (depending on your GitLab subscription).

Request support