How to debug Gitlab LDAP authentication?

Tags:

gitlab

ldap

I am trying to configure LDAP authentication with gitlab. My configuration is something like:

ldap:
    enabled: true
    host: 'ldap.example.com'
    base: 'ou=People,o=example.com'
    port: 636
    uid: 'uid'
    method: 'ssl' # "ssl" or "plain"
    bind_dn: 'cn=gitlab,ou=Apps,o=example.com'
    password: 'password'
    allow_username_or_email_login: true

I tested it with the following:

ldapsearch  -b "ou=People,o=example.com" -s sub -D "cn=gitlab,ou=Apps,o=example.com" -H ldaps://ldap.example.com:636 -w "password" -x "([email protected])"

The line above works, but when I try to log in using LDAP, I always get "invalid credentials".

How can I troubleshoot this and narrow down the root cause of this problem?

Edit 26/09:

Here are some things I found on production.log:

Started GET "/users/sign_in" for 127.0.0.1 at 2013-09-23 17:42:58 -0300
Processing by Devise::SessionsController#new as HTML
  Rendered devise/sessions/_new_ldap.html.haml (1.7ms)
  Rendered devise/sessions/_new_base.html.haml (1.8ms)
  Rendered devise/sessions/_oauth_providers.html.haml (0.0ms)
  Rendered devise/sessions/new.html.haml within layouts/devise (4.2ms)
  Rendered layouts/_head.html.haml (1.6ms)
  Rendered layouts/_flash.html.haml (0.1ms)
Completed 200 OK in 9ms (Views: 6.9ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-09-23 17:43:00 -0300
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"â", "authenticity_token"=>"AwqZsVHRqOeZr+GLWWeGM7MyOAdk7cFl8/rZgbVRU+8=", "username"=>"[email protected]", "password"=>"[FILTERED]"}
Redirected to http://example.com/users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2013-09-23 17:43:00 -0300
Processing by Devise::SessionsController#new as HTML
  Rendered devise/sessions/_new_base.html.haml (2.8ms)
  Rendered devise/sessions/_oauth_providers.html.haml (0.1ms)
  Rendered devise/sessions/new.html.haml within layouts/devise (3.7ms)
  Rendered layouts/_head.html.haml (1.7ms)
  Rendered layouts/_flash.html.haml (0.1ms)
Completed 200 OK in 9ms (Views: 6.6ms | ActiveRecord: 0.0ms)
Started GET "/" for 127.0.0.1 at 2013-09-23 18:50:08 -0300
Processing by DashboardController#show as HTML
Completed 401 Unauthorized in 1ms

Edit: I finally got the answer: a configuration on devise was stripping everything after the "@". I can't recall the exact name, but I can post it as soon as I get access to the machine. I discovered this by adding logs to the ldap oauth login.

Filipe Rodrigues asked Sep 24 '13 14:09
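To make the OP's finding concrete, here is an added illustration (not GitLab's or Devise's code) of how a login of the form user@example.com turns into an LDAP search that matches nothing when everything after the "@" is dropped before the search, and, as a defensive caveat, how a login value should be escaped before it is placed in a filter. The config keys mirror the question's gitlab.yml; the in-memory directory, the entry under ou=People,o=example.com and the login jdoe@example.com are constructed for the example.

```python
import re

# Constructed fragments of the question's gitlab.yml 'ldap:' section (only the keys used here).
CFG_STRIP = {"uid": "uid", "allow_username_or_email_login": True}
CFG_KEEP = {"uid": "uid", "allow_username_or_email_login": False}

# Constructed stand-in for the directory under ou=People,o=example.com:
# the account's uid attribute holds the full e-mail address, as in the OP's ldapsearch.
DIRECTORY = [
    {"dn": "uid=jdoe@example.com,ou=People,o=example.com",
     "uid": "jdoe@example.com", "mail": "jdoe@example.com"},
]


def escape_filter_value(value):
    """Escape a user-supplied value for an LDAP filter (RFC 4515 section 3),
    so a login such as '*)(uid=*' cannot alter the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def normalize_login(login, cfg):
    """Mimic the behaviour the OP observed: with allow_username_or_email_login
    enabled, everything after the first '@' in the submitted login is dropped."""
    login = login.strip()
    if cfg["allow_username_or_email_login"]:
        login = re.sub(r"@.*\Z", "", login)
    return login


def build_search_filter(login, cfg):
    """The filter that would be sent to the LDAP server for this login."""
    return "(%s=%s)" % (cfg["uid"], escape_filter_value(normalize_login(login, cfg)))


def find_user(login, cfg, directory):
    """Local equivalent of the ldapsearch in the question: exact match on the uid attribute.
    Returns the entry, or None (the 'invalid credentials' symptom)."""
    wanted = normalize_login(login, cfg)
    return next((e for e in directory if e[cfg["uid"]] == wanted), None)


if __name__ == "__main__":
    for cfg in (CFG_STRIP, CFG_KEEP):
        hit = find_user("jdoe@example.com", cfg, DIRECTORY)
        print(cfg["allow_username_or_email_login"], build_search_filter("jdoe@example.com", cfg),
              "->", hit["dn"] if hit else "no entry (invalid credentials)")
    print(build_search_filter("*)(uid=*", CFG_KEEP))
```

With stripping enabled the search is for uid=jdoe, which does not exist, so the bind-time lookup fails even though the ldapsearch with the full address succeeds.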


2 Answers

The OP kidbomb mentions:

A configuration on devise was stripping everything after the "@".
I discovered this by adding logs to the ldap oauth login.


Check if the LDAP server is also accessible through ldap (not ldaps://)

ldapsearch  -b "ou=People,o=example.com" -s sub -D "cn=gitlab,ou=Apps,o=example.com" -H ldap://ldap.example.com:389 -w "password" -x "([email protected])"

If yes, try and modify the gitlab.yml setting file ldap.method from 'ssl' to "plain".

The goal is to validate if the certificate used for contacting the ldap server is the issue here or not.

If you can contact the server through ldap:// (no certificate), that gives you at least a workaround.

If not (you have to go through ldaps://), you need to study in more detail the certificate associated with the LDAP server.

openssl s_client -connect ldap.example.com:636  2>/dev/null < /dev/null

(I am not using -CAfile or -CApath here, assuming the CAs are at their default place mentioned in /etc/ssl/openssl.cnf)

If you get at the end of the output of that command the message:

error:num=21:unable to verify the first certificate

That means you need to get the certificate from the issuer.
See "How To Verify SSL Certificate From A Shell Prompt".

VonC answered Sep 19 '22 09:09

We had GitLab configured with LDAP credentials, but whenever someone logged in, we were getting "500 Internal Server Error" messages. The issue seemed to go away, however, when we formatted /etc/gitlab/gitlab.rb correctly. It seems there are different ways to format the ldap variables, depending on what version of GitLab you use: 7.3.2.omnibus and master.

alexkb answered Sep 18 '22 09:09