I am trying to configure LDAP authentication with gitlab. My configuration is something like:
ldap:
  enabled: true
  host: 'ldap.example.com'
  base: 'ou=People,o=example.com'
  port: 636
  uid: 'uid'
  method: 'ssl' # "ssl" or "plain"
  bind_dn: 'cn=gitlab,ou=Apps,o=example.com'
  password: 'password'
  allow_username_or_email_login: true
I tested it with the following:
ldapsearch -b "ou=People,o=example.com" -s sub -D "cn=gitlab,ou=Apps,o=example.com" -H ldaps://ldap.example.com:636 -w "password" -x "([email protected])"
The line above works, but when I try to log in using LDAP, I always get "invalid credentials".
How can I troubleshoot this and narrow down the root cause of this problem?
Edit 26/09:
Here are some things I found in production.log:
Started GET "/users/sign_in" for 127.0.0.1 at 2013-09-23 17:42:58 -0300
Processing by Devise::SessionsController#new as HTML
Rendered devise/sessions/_new_ldap.html.haml (1.7ms)
Rendered devise/sessions/_new_base.html.haml (1.8ms)
Rendered devise/sessions/_oauth_providers.html.haml (0.0ms)
Rendered devise/sessions/new.html.haml within layouts/devise (4.2ms)
Rendered layouts/_head.html.haml (1.6ms)
Rendered layouts/_flash.html.haml (0.1ms)
Completed 200 OK in 9ms (Views: 6.9ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-09-23 17:43:00 -0300
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"AwqZsVHRqOeZr+GLWWeGM7MyOAdk7cFl8/rZgbVRU+8=", "username"=>"[email protected]", "password"=>"[FILTERED]"}
Redirected to http://example.com/users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2013-09-23 17:43:00 -0300
Processing by Devise::SessionsController#new as HTML
Rendered devise/sessions/_new_base.html.haml (2.8ms)
Rendered devise/sessions/_oauth_providers.html.haml (0.1ms)
Rendered devise/sessions/new.html.haml within layouts/devise (3.7ms)
Rendered layouts/_head.html.haml (1.7ms)
Rendered layouts/_flash.html.haml (0.1ms)
Completed 200 OK in 9ms (Views: 6.6ms | ActiveRecord: 0.0ms)
Started GET "/" for 127.0.0.1 at 2013-09-23 18:50:08 -0300
Processing by DashboardController#show as HTML
Completed 401 Unauthorized in 1ms
Edit: I finally got the answer: a configuration on devise was stripping everything after the "@". I can't recall the exact name, but I can post it as soon as I get access to the machine. I discovered this by adding logs to the ldap oauth login.
GitLab integrates with LDAP - Lightweight Directory Access Protocol to support user authentication. This integration works with most LDAP-compliant directory servers, including: Microsoft Active Directory. Microsoft Active Directory Trusts are not supported.
The OP kidbomb mentions:
A configuration on devise was stripping everything after the "@".
I discovered this by adding logs to the ldap oauth login.
Check if the LDAP server is also accessible through ldap:// (not ldaps://):
ldapsearch -b "ou=People,o=example.com" -s sub -D "cn=gitlab,ou=Apps,o=example.com" -H ldap://ldap.example.com:389 -w "password" -x "([email protected])"
If yes, try and modify the gitlab.yml setting file ldap.method from 'ssl' to 'plain'.
The goal is to validate if the certificate used for contacting the ldap server is the issue here or not.
If you can contact the server through ldap:// (no certificate), that gives you at least a workaround.
If not (you have to go through ldaps://), you need to study in more detail the certificate associated with the LDAP server:
openssl s_client -connect ldap.example.com:636 2>/dev/null < /dev/null
(I am not using -CAFile or -CAPath here, assuming the CAs are at their default place mentioned in /etc/ssl/openssl.cnf.)
If you get at the end of the output of that command the message:
error:num=21:unable to verify the first certificate
That means you need to get the certificate from the issuer.
See "How To Verify SSL Certificate From A Shell Prompt".
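To illustrate the "@"-stripping root cause the OP found, here is an added example that is not part of the original question or answer and not GitLab's own code: it builds the LDAP search filter a login value turns into (with RFC 4515 escaping) and evaluates it against an in-memory directory standing in for the real server. The attribute names uid/mail and the sample entry are assumptions.

```python
# Added example (not GitLab's code): how a login value becomes an LDAP search
# filter, and why dropping the domain part breaks e-mail logins.
# Assumptions: the directory stores 'uid' and 'mail', and the in-memory
# DIRECTORY below stands in for the server that ldapsearch talks to.

# RFC 4515 escaping of values embedded in a filter; without it a crafted
# login string could change the structure of the filter sent to the server.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login: str, uid_attr: str = "uid", allow_email: bool = True) -> str:
    """Filter a config like the OP's searches with: uid only, or uid OR mail."""
    v = escape_filter_value(login)
    if allow_email:  # allow_username_or_email_login: true
        return f"(|({uid_attr}={v})(mail={v}))"
    return f"({uid_attr}={v})"


def strip_domain(login: str) -> str:
    """The behaviour the OP described: everything after '@' is dropped."""
    return login.split("@", 1)[0]


# Constructed sample entry; the uid deliberately differs from the e-mail's
# local part, as it does in many directories.
DIRECTORY = [
    {"dn": "uid=jd1234,ou=People,o=example.com", "uid": "jd1234", "mail": "jdoe@example.com"},
]


def lookup(login: str, uid_attr: str = "uid", allow_email: bool = True):
    """Evaluate the same equality/OR logic as build_login_filter in memory."""
    attrs = [uid_attr, "mail"] if allow_email else [uid_attr]
    for entry in DIRECTORY:
        if any(entry.get(a) == login for a in attrs):
            return entry["dn"]
    return None  # no entry: the application then reports "invalid credentials"


if __name__ == "__main__":
    login = "jdoe@example.com"
    print(build_login_filter(login), "->", lookup(login))
    broken = strip_domain(login)  # what the stripped login becomes
    print(build_login_filter(broken), "->", lookup(broken))
```

Comparing the two printed lines shows why a hand-run ldapsearch with the full address succeeds while the application's own lookup, using the truncated value, finds nothing.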
We had GitLab configured with LDAP credentials, but whenever someone logged in, we were getting "500 Internal Server Error" messages. The issue seemed to go away, however, when we formatted /etc/gitlab/gitlab.rb correctly. It seems there are different ways to format the ldap variables, depending on what version of GitLab you use: 7.3.2.omnibus and master.