GitLab Duo add-on seat management with LDAP

Tier: Premium, Ultimate
Offering: Self-managed, GitLab Dedicated

GitLab administrators can configure automatic GitLab Duo add-on seat assignment based on LDAP group membership. When enabled, GitLab will automatically assign or remove add-on seats for users when they sign in, depending on their LDAP group memberships.

Seat management workflow

  1. Configuration: Administrators specify LDAP groups in the duo_add_on_groups configuration settings.
  2. User sign-in: When a user signs in through LDAP, GitLab checks their group memberships. GitLab supports only one LDAP identity per user.
  3. Seat assignment:
    • If the user belongs to any group listed in duo_add_on_groups, they are assigned an add-on seat (if not already assigned).
    • If the user doesn’t belong to any listed group, their add-on seat is removed (if previously assigned).
  4. Async processing: Seat assignment and removal are handled asynchronously so that the main sign-in flow is not interrupted.

The following diagram illustrates the workflow:

sequenceDiagram
    participant User
    participant GitLab
    participant LDAP
    participant Background Job
    User->>GitLab: Sign in with LDAP credentials
    GitLab->>LDAP: Authenticate user
    LDAP-->>GitLab: User authenticated
    GitLab->>Background Job: Enqueue 'LdapAddOnSeatSyncWorker' seat sync job
    GitLab-->>User: Sign-in complete
    Background Job->>Background Job: Start
    Background Job->>LDAP: Check user's groups against duo_add_on_groups
    LDAP-->>Background Job: Return membership of groups
    alt User member of any duo_add_on_groups?
        Background Job->>GitLab: Assign Duo Add-on seat
    else User not in duo_add_on_groups
        Background Job->>GitLab: Remove Duo Add-on seat (if assigned)
    end
    Background Job-->>Background Job: Complete

Configure Duo add-on seat management

To turn on add-on seat management with LDAP:

  1. Open the GitLab configuration file you have edited for the installation.
  2. Add the duo_add_on_groups setting to your LDAP server configuration.
  3. Specify an array of LDAP group names that should have Duo Add-on seats.

The following example is a gitlab.rb configuration for Linux package installations:

gitlab_rails['ldap_servers'] = {
  'main' => {
    # ... other LDAP settings ...
    'duo_add_on_groups' => ['duo_users', 'admins'],
  }
}
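
Because the workflow above evaluates seats when a user signs in, a directory change is not reflected until that user's next sign-in. The following added example (not GitLab's code) models the assign/remove rule and lists users whose seat state disagrees with a directory snapshot. The helper names, sample users, and the treatment of a seat holder missing from the snapshot are assumptions.

```ruby
require 'set'

# Group list copied from the gitlab.rb example on this page.
DUO_ADD_ON_GROUPS = %w[duo_users admins].freeze

# Decision the workflow describes for one user at sign-in:
# :assign, :remove, or :none when the seat state already matches.
# Group names are compared exactly (assumption).
def seat_action(ldap_groups, has_seat, duo_groups = DUO_ADD_ON_GROUPS)
  eligible = Set.new(ldap_groups).intersect?(Set.new(duo_groups))
  return :assign if eligible && !has_seat
  return :remove if !eligible && has_seat
  :none
end

# The page describes the sync as running at sign-in, so between sign-ins
# the seat list can drift from the directory. Return every user whose
# current seat state differs from what the rule would produce.
# Assumption: a seat holder absent from the snapshot has no groups.
def seat_drift(directory, seats, duo_groups = DUO_ADD_ON_GROUPS)
  users = (directory.keys | seats.keys).sort
  users.filter_map do |user|
    groups = directory.fetch(user, [])
    action = seat_action(groups, seats.fetch(user, false), duo_groups)
    { user: user, action: action } unless action == :none
  end
end

# Constructed sample data (hypothetical users, not from a real instance).
DIRECTORY = {
  'alice' => %w[duo_users developers],
  'bob'   => %w[developers], # left duo_users after last sign-in
  'carol' => %w[admins],     # joined admins, has not signed in yet
  'dave'  => %w[developers]
}.freeze
SEATS = { 'alice' => true, 'bob' => true, 'carol' => false, 'erin' => true }.freeze

if __FILE__ == $PROGRAM_NAME
  seat_drift(DIRECTORY, SEATS).each { |d| puts "#{d[:user]}: #{d[:action]}" }
end
```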

Troubleshooting

See LDAP troubleshooting.