Gitlab: LDAP "Invalid credentials", but credentials are right

Question

The following ldapsearch command works, flawlessly.

ldapsearch -LLL -s sub -P 3 -D "CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com" -H ldaps://.com: -w '' -v -b 'OU=Users,OU=UserAccount,DC=,DC=com' '(&(objectClass=person)(sAMAccountName=))'

But, regardless, of how much I double-check the values are typed correctly, this, configured in gitlab.yml, does not.

ldap:
enabled: true
host: '.com'
port:
uid: 'sAMAccountName'
method: 'ssl'
bind_dn: 'CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com'
password: ''
allow_username_or_email_login: true
base: 'OU=Users,OU=UserAccount,DC=,DC=com'
user_filter: ''
group_base: ''

Yes, the BindDN is at a different location than the other users, but it is south of it, so the query base is valid.

All attempts throw this error on the screen:

Could not authorize you from LDAP because "Invalid credentials"

production.log indicates the following:

Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:17 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 21ms (Views: 12.8ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:13:25 -0400
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"", "username"=>"", "password"=>"[FILTERED]"}
Redirected to http:///users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:56 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 10ms (Views: 5.9ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:20:03 -0400

The LDAP in question is Active Directory, and while I don't have access to the server natively in order to query the logs, the "badPwdCount" is incremented for each attempt at a web login, and I don't understand how, or why.

I know the perils of end users and their insistence that they're typing their usernames and passwords in correctly, but I've checked, triple-checked, octuple-checked that there aren't any typos in my declarations, and I can't find any other incident with this same error combination. I know that the syntax here is correct.

What could possibly be the problem?

Answer 1

Here is my working AD settings for LDAP.

#########################################
ldap:  
    enabled: true  
    host: '16.184.18.88'  
    port: 636  
    uid: 'sAMAccountName'   #userPrincipalName  
    method: 'ssl' # "tls" or "ssl" or "plain"  
    bind_dn: 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=net'  
    password: 'My_Password'  
    allow_username_or_email_login: false  
    base: 'CN=Users,DC=mydomain,DC=net'  
    user_filter: '(memberOf=CN=Developers,OU=GitLabHQ,DC=mydomain,DC=net)'  
    group_base: 'OU=GitLabHQ,DC=mydomain,DC=net'  
    admin_group: GitLabAdmins
########################################

Answer 2

We had the similar issue, though our settings were all correct as we were getting the user search results by setting up the similar LDAP configuration on different tools like Jenkins, SonarQube; etc.

We resolved the issue by setting the value of DefaultForceNoPage to true in the ldap.rb file located at (the path may vary for different versions of gitlab):

/opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/net-ldap-0.16.0/lib/net/ldap.rb
                                                                      ^^^^^^^

which is false by default. So, once you have set the value to true, restart the GitLab server using:

gitlab-ctl reconfigure

You can also check if you are getting the results of the users of your organization by:

gitlab-rake gitlab:ldap:check

Note: Most common issues users face while logging into the application using their mail id's, you should put:

uid: 'mail'