1
votes

I am trying to configure a GitLab server to use JumpCloud LDAP-as-a-Service, but couldn't make it work. The GitLab rake command shows that connectivity to the LDAP server is successful, but when I try to log in, the error Could not authenticate you from Ldapmain because "Invalid Credentials". is shown.

The ldapsearch command produces output correctly:

ldapsearch -H ldap://ldap.jumpcloud.com:389 -D "uid=username,ou=Users,o=org12345,dc=jumpcloud,dc=com" -w "password"  -b "ou=Users,o=org12345,dc=jumpcloud,dc=com" "(objectClass=inetOrgPerson)" sAMAccountName

# extended LDIF
#
# LDAPv3
# base <ou=Users,o=org12345,dc=jumpcloud,dc=com> with scope subtree
# filter: (objectClass=inetOrgPerson)
# requesting: sAMAccountName 
#

# username, Users, org12345, jumpcloud.com
dn: uid=username,ou=Users,o=org12345,dc=jumpcloud,dc=com

# user1, Users, org12345, jumpcloud.com
dn: uid=user1,ou=Users,o=org12345,dc=jumpcloud,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

GitLab rake check

sudo gitlab-rake gitlab:ldap:check

Checking LDAP ...

Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

Error in unicorn_stdout.log

I, [2016-12-29T05:52:50.947393 #7067]  INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2016-12-29T05:52:51.834803 #7067] ERROR -- omniauth: (ldapmain) Authentication failure! invalid_credentials encountered.

Error shown to user

[screenshot of the login page error: Could not authenticate you from Ldapmain because "Invalid Credentials".]

GitLab LDAP configuration

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
 main:
  label: 'LDAP'
  host: 'ldap.jumpcloud.com'
  port: 389 #Change to 636 if using LDAPS
  method: 'plain' # Change to "tls" if using LDAPS
  uid: 'sAMAccountName' # Don't change this
  bind_dn: 'uid=username,ou=Users,o=org12345,dc=jumpcloud,dc=com'
  password: 'password'
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'ou=Users,o=org12345,dc=jumpcloud,dc=com'
  user_filter: '(objectClass=inetOrgPerson)'
EOS

I am certain that the provided username and password are correct. Can someone please check and let me know whether I am making a mistake in the configuration, or whether there is something else I could check to solve this problem?

Thank you very much for your help

Response I received from JumpCloud support on 29/Dec:

After reviewing your configuration in addition to GitLab's, it looks like it is necessitating that the uid field = sAMAccountName. This is a Samba attribute that we currently do not support, while in JumpCloud the uid = uid. If you are able to change that field, it looks like it should connect, but it appears that GitLab requires the Samba schema to authenticate via LDAP.

2
Show your LDAP configuration (without the password) from gitlab.rb - Jonathon Reinhart
Added LDAP configuration details to the question - Sudhir

2 Answers

2
votes

The bind_dn should be the domain\username used to connect to the ldap server. The bind_dn and password are used to authenticate GitLab with the LDAP service.

Here is what mine looks like:

bind_dn: 'gintra\gitlab-registrar'

1
votes

Changing uid: 'sAMAccountName' to uid: 'uid' in your config should work:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false

##! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'Gitlab LDAP'
    host: 'ldap.jumpcloud.com'
    port: 636
    uid: 'uid' # JumpCloud keys users by uid; it has no sAMAccountName attribute
    bind_dn: 'uid=xxx,ou=Users,o=xxx,dc=jumpcloud,dc=com'
    password: 'xxx'
    encryption: 'simple_tls' # "start_tls" or "simple_tls" or "plain"; port 636 is LDAPS, so not 'plain'
    # verify_certificates defaults to true in GitLab; leave it on so the bind
    # password is never sent to a server presenting a forged certificate
    #     verify_certificates: true
    smartcard_auth: false
    active_directory: true # JumpCloud is not AD; GitLab's docs say to set this to false for non-AD servers
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'ou=Users,o=xxx,dc=jumpcloud,dc=com'
    user_filter: '(objectClass=inetOrgPerson)'
EOS
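Why the rake check passes while sign-in fails, as an added example that is not code from the question, either answer, GitLab or JumpCloud: a small Python simulation of the two code paths. gitlab:ldap:check only binds as bind_dn and lists entries matching user_filter, so it never touches the uid attribute. The sign-in flow additionally searches the base for (&(<uid>=<login>)<user_filter>) and then binds as the single DN it finds; with uid: 'sAMAccountName' that search returns nothing on JumpCloud (the question's own ldapsearch, which requested sAMAccountName, got back only dn lines), and OmniAuth logs invalid_credentials. The directory below is constructed from the two DNs in the question; its uid, objectClass and userPassword values, and the minimal filter evaluator, are assumptions for illustration.

```python
"""Simulate GitLab's LDAP check and sign-in against a JumpCloud-style directory.

Added example, not GitLab's or JumpCloud's code. The directory is constructed
from the two DNs in the question; attribute values are assumed placeholders.
"""
import re

# Constructed directory: DN -> attributes. JumpCloud exposes inetOrgPerson
# entries keyed by uid and has no sAMAccountName attribute (per JumpCloud
# support's reply in the question). Passwords are placeholders.
DIRECTORY = {
    "uid=username,ou=Users,o=org12345,dc=jumpcloud,dc=com": {
        "uid": ["username"],
        "objectClass": ["inetOrgPerson"],
        "userPassword": ["password"],
    },
    "uid=user1,ou=Users,o=org12345,dc=jumpcloud,dc=com": {
        "uid": ["user1"],
        "objectClass": ["inetOrgPerson"],
        "userPassword": ["s3cret"],
    },
}

BASE = "ou=Users,o=org12345,dc=jumpcloud,dc=com"
BIND_DN = "uid=username,ou=Users,o=org12345,dc=jumpcloud,dc=com"
BIND_PW = "password"


def bind(dn, password):
    """Simple bind: succeeds only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry.get("userPassword", [])


def matches(entry, flt):
    """Evaluate a minimal RFC 4515 filter: (attr=value) or (&(...)(...))."""
    flt = flt.strip()
    if flt.startswith("(&"):
        parts = re.findall(r"\([^()]*\)", flt[2:-1])
        return all(matches(entry, p) for p in parts)
    m = re.fullmatch(r"\(([^=]+)=([^)]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, value = m.group(1), m.group(2)
    for k, vals in entry.items():          # attribute names are case-insensitive
        if k.lower() == attr.lower():
            return value in vals
    return False                           # attribute absent: no match


def search(base, flt):
    """Subtree search: every DN under the base whose entry matches the filter."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(e, flt)]


def ldap_check(bind_dn, bind_pw, base, user_filter):
    """What 'gitlab-rake gitlab:ldap:check' exercises: the service bind plus a
    listing with user_filter. The uid attribute is never consulted here."""
    if not bind(bind_dn, bind_pw):
        return None
    return search(base, user_filter)


def gitlab_login(login, password, uid_attr, user_filter):
    """GitLab's sign-in flow: bind as bind_dn, look the user up with
    (&(<uid>=<login>)<user_filter>), then bind as the DN that was found."""
    if not bind(BIND_DN, BIND_PW):
        return "bind_dn failed"
    hits = search(BASE, "(&(%s=%s)%s)" % (uid_attr, login, user_filter))
    if len(hits) != 1:
        return "invalid_credentials"       # no (or ambiguous) entry: same error as a bad password
    return hits[0] if bind(hits[0], password) else "invalid_credentials"


if __name__ == "__main__":
    f = "(objectClass=inetOrgPerson)"
    print("rake check lists:", ldap_check(BIND_DN, BIND_PW, BASE, f))
    print("login via sAMAccountName:", gitlab_login("username", "password", "sAMAccountName", f))
    print("login via uid:", gitlab_login("username", "password", "uid", f))
```

Run it and the check lists both users while the sAMAccountName login fails and the uid login returns the user's DN, which is exactly the pattern in the question. The same two-step test can be done against the real server with ldapsearch for the lookup and a second ldapsearch or ldapwhoami bound as the returned DN for the password step.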