Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

GitLab LDAP Authentication Issues (SSL_connect, user auth)

I've been having trouble with validating LDAP logins through my GitLab server. Both servers are on Ubuntu 16.04, pretty much freshly setup on Google Cloud.

This is what the ldap section of my gitlab.rb file looks like:

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
   label: 'LDAP'
   host: '<internal IP of domain controller>'
   port: 389
   uid: 'uid'
   bind_dn: 'CN=admin,DC=<project_name>,DC=local'
   password: '<password>'
   encryption: 'simple_tls' # "start_tls" or "simple_tls" or "plain"
   verify_certificates: false
   active_directory: false
   allow_username_or_email_login: true
   lowercase_usernames: false
   block_auto_created_users: false
   base: 'CN=GitLab,DC=<project_name>,DC=local'
   user_filter: ''

Originally, I had encryption: 'plain' which kind of worked. When I used the command sudo gitlab-rake gitlab:ldap:check while encryption was set to plain, I actually got a list of users with access to the server:

Checking LDAP ...

Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
    DN: cn=<name1>,cn=gitlab,dc=<project_name>,dc=local  uid: <username1>
    DN: cn=<name2>,cn=gitlab,dc=<project_name>,dc=local  uid: <username2>
    DN: cn=<name3>,cn=gitlab,dc=<project_name>,dc=local  uid: <username3>

Checking LDAP ... Finished

Which made me think that everything was all set to go, yet when I try to login with one of those three users it fails to authenticate properly. The error that shows up on the gitlab page is something along the lines of "Falied to authenticate user: incorrect credentials for username" despite being correct. (Unless I'm incorrect here: I've been using uid for login)

This made me think it had something to do with the encryption since the users are clearly shown as above and the connection is being made. So I tried changing encryption: simple_tls since it seemed like most tutorials for GitLab with LDAP used that same setting. This gave me new errors when I tried sudo gitlab-rake gitlab:ldap:check

Checking LDAP ...
Server: ldapmain
rake aborted!
Net::LDAP::Error: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ld/adapter.rb:8:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:355:in `block in check_ldap'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:351:in `each'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:351:in `check_ldap'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:340:in `block (3 levels) in <top (required)>'
/opt/gitlab/embedded/bin/bundle:23:in `load'
/opt/gitlab/embedded/bin/bundle:23:in `<main>'

I've read around and it seems like this error can be cause by some sort of version mismatch with OpenSSL, but all of the solutions suggested haven't worked yet.

So I'm curious if anyone can help me with either of these problems (whichever is easier): either changing my LDAP server to work with simple authentication, or fixing the gitlab/ldap server to work with simple_tls.

like image 574
ryan.kom Avatar asked Jul 08 '26 19:07

ryan.kom


2 Answers

Somehow fixed it. I switched encryption back to encryption:'plain' since I felt like I was getting closer with that (since at least gitlab-rake gitlab:ldap:check returned the proper usernames). All I did was make users in my LDAP store their password with "clear" rather than "md5," and ran update-ca-certificates on both servers. Any LDAP user with a password stored in md5 does not work.

I know this is an insecure solution so I'm still interested in hearing other ideas for using tls_simple for people who might come across this thread.

like image 99
ryan.kom Avatar answered Jul 11 '26 09:07

ryan.kom


I was stuck on the same encryption problem when I was using method:'tls' but got another error. I had no problem if I used method:'plain', but I need the encryption.

When I tried your configuration encryption: 'simple_tls', with port: 389, I got the same error as you did.

I then realised that state=SSLv2/v3 read server hello A actually means the client(gitlab) tried to connect, but its SSL-connection request (SSL-hello) did not succeed. I concluded that gitlab must immediately try to establish an SSL connection in stead of actually negociating the used encryption protocol.

I then tried using the LDAPS port 636 and sudo gitlab-rake gitlab:ldap:check immediately worked.

Furthermore, simple_tls corresponds to using a regular TLS-tunnel immediately, while tls corresponds to StartTLS.


TL;DR:

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
   label: 'LDAP'
   host: '<internal IP of domain controller>'
   port: 636
   uid: 'uid'
   encryption: 'simple_tls'
   bind_dn: 'CN=admin,DC=<project_name>,DC=local'
   password: '<password>'
   active_directory: false
   allow_username_or_email_login: true
   lowercase_usernames: false
   block_auto_created_users: false
   base: 'CN=GitLab,DC=<project_name>,DC=local'

I didn't use the verify_certificates: false.

like image 20
Gilrain Avatar answered Jul 11 '26 08:07

Gilrain



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!