I want to set up git for version control and continuous integration.
I installed git community edition using a docker-compose file as described in step 2 of https://docs.gitlab.com/omnibus/docker/README.html#install-gitlab-using-docker-compose. My docker-compose.yml file looks like:
    web:
      image: 'gitlab/gitlab-ce:latest'
      container_name: git
      restart: always
      hostname: 'gitserver'
      environment:
        GITLAB_OMNIBUS_CONFIG: |
          external_url 'https://gitserver.local'
          # Add any other gitlab.rb configuration here, each on its own line
      ports:
        - '80:80'
        - '443:443'
        - '22:22'
      volumes:
        - '/srv/gitlab/config:/etc/gitlab'
        - '/srv/gitlab/ssl:/etc/gitlab/ssl'
        - '/srv/gitlab/logs:/var/log/gitlab'
        - '/srv/gitlab/data:/var/opt/gitlab'
I modified my /srv/gitlab/config/gitlab.rb to include LDAP:
    gitlab_rails['ldap_enabled'] = true
    ###! **remember to close this block with 'EOS' below**
    gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        label: 'LDAP'
        host: 'x.x.x.x'
        port: 636
        uid: 'sAMAccountName'
        method: 'ssl' # "tls" or "ssl" or "plain"
        bind_dn: 'CN=git ldap,OU=Utility Accounts,OU=San Diego,OU=MYDOMAIN,DC=MYCOMPANY,DC=local'
        password: 'MyPwd'
        active_directory: true
        allow_username_or_email_login: false
        block_auto_created_users: false
        base: 'CN=git ldap,OU=Utility Accounts,OU=San Diego,OU=MYDOMAIN,DC=MYCOMPANY,DC=local'
    EOS
I get the following error on login:
    Could not authenticate you from LDAPmain because invalid credentials
/srv/gitlab/logs/gitlab-rails/production.log shows:
    Started POST "/users/auth/ldapmain/callback" for x.x.x.x at 2017-07-10 21:11:06 +0000
    Processing by OmniauthCallbacksController#failure as HTML
    Parameters: {"utf8"=>"✓", "authenticity_token"=>"BKIQtjz0mu0JlS5bDLGssJFeKGFOJ2cLPKSKAc5JqeyLPBQUkhuI0qcjOTZ9osQEqqlCzPn/PNDlreeENnN28A==", "username"=>"xxx", "password"=>"[FILTERED]"}
    Redirected to https://gitserver.local/users/sign_in
    Completed 302 Found in 5ms (ActiveRecord: 0.3ms)
    Started GET "/users/sign_in" for x.x.x.x at 2017-07-10 21:11:06 +0000
    Processing by SessionsController#new as HTML
    Completed 200 OK in 143ms (Views: 92.4ms | ActiveRecord: 3.0ms)
I have tried several permutations and combinations of LDAP settings but nothing seems to work. There are several similar settings/errors and suggestions by users on the net on how they solved their problem, but none seem to work for me.
Some of the things that I tried are:
1) commenting out bind dn and pwd
2) setting uid to uid instead of sAMAccountName
3) trying both plain and ssl methods
4) setting allow_username_or_email_login to false.
These same LDAP settings are used by other apps in the company, so nothing is wrong with them.
I have been hitting the wall for the last week. Any help is appreciated.
Thanks!
UPDATE: I tried the following but no luck: 1) Gitlab: LDAP "Invalid credentials", but credentials are right 2) Gitlab LDAP Authentication
UPDATE2: Note that I am only able to log in as git ldap and not as myself. I would like everyone to log in with their own credentials.
Note that the bind dn and base dn are exactly the same. Having CN in the base dn allows only that user to log in. Changing it to 'OU=MYDOMAIN,DC=MYCOMPANY,DC=local' allows all users to log in.
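
The scoping effect described above, as an added example that is not part of the original post or of GitLab's code: it models a subtree search as DN-suffix matching and flags a search base that names a single entry. The `DIRECTORY` entries other than the bind account, and the helper names `rdns`, `in_scope?`, `users_in_scope` and `base_warnings`, are constructed for illustration.

```ruby
require 'yaml'

# The question's LDAP server block, reduced to the two DNs that matter here.
LDAP_YAML = <<~'EOS'
  main:
    bind_dn: 'CN=git ldap,OU=Utility Accounts,OU=San Diego,OU=MYDOMAIN,DC=MYCOMPANY,DC=local'
    base: 'CN=git ldap,OU=Utility Accounts,OU=San Diego,OU=MYDOMAIN,DC=MYCOMPANY,DC=local'
EOS

# Constructed sample entries; only the bind account's DN comes from the page.
DIRECTORY = [
  'CN=git ldap,OU=Utility Accounts,OU=San Diego,OU=MYDOMAIN,DC=MYCOMPANY,DC=local',
  'CN=Alice Example,OU=Staff,OU=San Diego,OU=MYDOMAIN,DC=MYCOMPANY,DC=local',
  'CN=Bob Example,OU=Staff,OU=Austin,OU=MYDOMAIN,DC=MYCOMPANY,DC=local'
].freeze

# Split a DN into normalized RDNs. Simplified: assumes no escaped commas.
def rdns(dn)
  dn.split(',').map { |r| r.strip.downcase.gsub(/\s*=\s*/, '=') }
end

# An entry is inside a subtree search when the base's RDNs are its suffix.
def in_scope?(dn, base)
  b = rdns(base)
  e = rdns(dn)
  e.length >= b.length && e.last(b.length) == b
end

def users_in_scope(base)
  DIRECTORY.select { |dn| in_scope?(dn, base) }
end

# Flag a search base that likely names one entry rather than a container.
# CN= is only a hint: Active Directory also has CN= containers (CN=Users).
def base_warnings(server)
  warnings = []
  warnings << 'base equals bind_dn' if rdns(server['base']) == rdns(server['bind_dn'])
  warnings << 'base starts with CN= (possibly a single entry)' if rdns(server['base']).first.start_with?('cn=')
  warnings
end

if __FILE__ == $PROGRAM_NAME
  server = YAML.safe_load(LDAP_YAML)['main']
  puts base_warnings(server).inspect
  puts users_in_scope(server['base']).length                          # original base
  puts users_in_scope('OU=MYDOMAIN,DC=MYCOMPANY,DC=local').length     # corrected base
end
```
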