I'm trying to add the LDAP feature for our GitLab. We have a running Active Directory server running on Windows. GitLab itself is hosted on an Ubuntu server machine. For the authentication we created a service user on the AD server. Here is my gitlab.rb file (showing only the LDAP config):

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main:
     label: 'LDAP'
     host: '1.2.3.4'
     port: 389
     uid: 'serviceAcc'
     bind_dn: 'CN=serviceACC,OU=Org 1,DC=organisation,DC=com'
     password: 'supersecurePass'
     encryption: 'plain'
     active_directory: true
EOS

The options which are not listed are commented out (so the default values will be used). Next I execute both commands:

sudo gitlab-ctl reconfigure
sudo gitlab-rake gitlab:ldap:check

This is the result of the last command:

Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

Why is my list empty? Shouldn't all users of the AD be listed? I also tried applying the base_dn option, where the users are stored.

If I do an ldapsearch I get the results:

ldapsearch -H ldap://1.2.3.4 -x -W -D "[email protected]" -b "dc=organisation,dc=com" "(objectClass=user)" mail

.
.
.
# serviceACC, Org 1, organisation.com
dn: CN=serviceACC,OU=Org 1,DC=organisation,DC=com
.
.
.

So the AD server is reachable and responds to my ldapsearch query. Am I missing something in the gitlab.rb config?

I'm using GitLab EE, version 12.5.3.

UPDATE: Here are the requested details for @EricLavault:

  1. username: user.1 ; dn: CN=User 1,OU=Company Workers,DC=company,DC=com
  2. The user submits its AD credentials: Username: user.1 PW: #his AD-PW#
  3. For the error logs I can provide you the production.log. If you need some more logs, let me know:
Started POST "/users/auth/ldapmain/callback" for 1.2.3.8 at 2019-12-11-07:48:59 +0000
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.1", "password"=>"[FILTERED]"}
Redirected to https://git.company.com/users/sign_in

For security reasons I have to replace the real values with dummy values. But please, trust me that the provided user details are similar to the real values. (Usernames contain "."; the service user is in another OU than the users which will log in to GitLab.)

The user is shown the following error message:

Could not authenticate you from Ldapmain because "Invalid credentials for user.1".

The credentials are right.

EricLavault: Thanks for the edit. In 1), does this entry have attribute values for sAMAccountName and/or userPrincipalName? Can you add it?

Virtual: Yes. The sAMAccountName would be user.1 and the userPrincipalName would be [email protected]

EricLavault: Ok, that part of the configuration seems ok to me. Given the message "Invalid credentials for user.1", it looks like user.1 matches the corresponding LDAP entry but not the password. If the provided credentials are correct, it's likely that the password encoding scheme used is wrong and thus the password doesn't match even if the user submits the correct one. You can refer to this post to dig further in that direction.

1 Answer


First, you need to fix the uid setting. It should hold the username attribute, not the value that maps to a username. Since you are targeting AD, this should be either sAMAccountName or userPrincipalName (e.g. matching respectively username or [email protected]).

If using sAMAccountName as uid and in case users submit [email protected] format on login (instead of just username) you need to set allow_username_or_email_login: true (default is false).

Otherwise, if using userPrincipalName as uid, you must set it to false.

Then, you can set the base to narrow the search to users only; if you are not sure where users are located in the directory, just set the domain components as you did with ldapsearch: base: 'dc=organisation,dc=com'.

You can also set a filter as you did with ldapsearch: user_filter: '(objectClass=user)'.

Recap:

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main:
     label: 'LDAP'
     host: '1.2.3.4'
     port: 389
     uid: 'sAMAccountName'
     bind_dn: 'CN=serviceACC,OU=Org 1,DC=organisation,DC=com'
     password: 'supersecurePass'
     encryption: 'plain'
     active_directory: true
     allow_username_or_email_login: true
     base: 'dc=organisation,dc=com'
     user_filter: '(objectClass=user)'
EOS
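As an added illustration (my own code, not GitLab's), the function below models how the uid, allow_username_or_email_login and user_filter settings from this answer combine into the LDAP search that must locate the user entry before the password bind can succeed; it also shows why the original uid: 'serviceAcc' finds nothing, since no entry carries an attribute with that name. The sample entry is constructed from the values given in the question, and the login value is escaped per RFC 4515 so a crafted username cannot change the filter's structure.

```python
# Added example, not GitLab's code: model of how the uid, allow_username_or_email_login
# and user_filter settings compose into the LDAP user search filter.

# RFC 4515 escaping of characters that would otherwise alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before embedding it in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def normalize_login(login: str, allow_username_or_email_login: bool) -> str:
    """With the option enabled, everything after the first '@' is ignored,
    so 'user.1@organisation.com' is searched as 'user.1' (sAMAccountName form)."""
    if allow_username_or_email_login and "@" in login:
        return login.split("@", 1)[0]
    return login


def build_user_search_filter(cfg: dict, login: str) -> str:
    """Combine (uid=<login>) with the optional user_filter into one AND filter."""
    value = escape_filter_value(
        normalize_login(login, cfg.get("allow_username_or_email_login", False))
    )
    uid_clause = f"({cfg['uid']}={value})"
    user_filter = cfg.get("user_filter")
    return f"(&{uid_clause}{user_filter})" if user_filter else uid_clause


def uid_attribute_present(entry: dict, cfg: dict) -> bool:
    """True if the configured uid names an attribute the entry actually has.
    LDAP attribute names are case-insensitive, so compare lower-cased."""
    return cfg["uid"].lower() in {name.lower() for name in entry}


# Constructed sample AD entry, using the values from the question.
SAMPLE_ENTRY = {
    "dn": "CN=User 1,OU=Company Workers,DC=company,DC=com",
    "sAMAccountName": "user.1",
    "userPrincipalName": "user.1@company.com",
    "objectClass": ["top", "person", "organizationalPerson", "user"],
}

# The question's original setting (uid holds a value, not an attribute name).
ORIGINAL_CFG = {"uid": "serviceAcc", "active_directory": True}
# The corrected setting from the answer's recap.
FIXED_CFG = {"uid": "sAMAccountName", "allow_username_or_email_login": True,
             "user_filter": "(objectClass=user)"}
```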