
I have users in Active Directory LDAP (each has a username and email set). I configured LDAP authentication in gitlab.rb and ran "gitlab-ctl reconfigure". I use GitLab Community Edition. The following command returns the users, so the configuration seems ok: "sudo gitlab-rake gitlab:ldap:check". It returns:

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
    DN: cn=Mike Gordon,cn=users,dc=ad,dc=mydomain,dc=com    sAMAccountName: mike.gordon
    ... (other users)

I'm trying to log in with the LDAP username mike.gordon and the corresponding password on the GitLab "Sign in" pane, but I get "invalid username or password". Some screenshots show that there is an LDAP pane, but it's not displayed even with: gitlab_rails['prevent_ldap_sign_in'] = false

This is my configuration:

main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'LDAP'
  host: 'myAdUrl'
  port: 3268
  uid: 'sAMAccountName'
  bind_dn: 'CN=serveur-ovh,CN=Users,dc=ad,dc=mydomain,dc=com'
  password: 'adpassword'
  encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
  active_directory: true
  allow_username_or_email_login: false
  base: 'dc=ad,dc=mydomain,dc=com'
  user_filter: ''
  #lowercase_usernames: false
  #block_auto_created_users: false
  #verify_certificates: true
  #smartcard_auth: false
  ### EE only

Thank you very much in advance for your help.

If there is no error log, try changing allow_username_or_email_login: false to true, and try again with mike.gordon or his email. (Hamza Tahiri)
Thank you for your answer. Setting it to true and reconfiguring + restarting GitLab doesn't work. You're talking about logs: I checked the application.json and production.json logs and didn't find anything. Are you aware of other logs to check, please? (batmaniac)
You can find useful logs in Active Directory; you will see the incoming request and the reason for the failure. (Hamza Tahiri)

1 Answer


Comparing your configuration to mine, I have a user_filter value:

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'ADHostname.example.com'
    port: 636
    uid: 'sAMAccountName'
    method: 'ssl' # "tls" or "ssl" or "plain"
    bind_dn: 'cn=UserID,ou=SystemAccounts,dc=example,dc=com'
    password: 'AccountPasswordGoesHere'
    active_directory: true
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'ou=ResourceUsers,dc=example,dc=com'
    user_filter: '(&(sAMAccountName=*))' # Can add attribute value to restrict authorized users to GitLab access, we leave open to all valid user accounts in the OU. Should be able to authorize based on group membership using linked attribute value like (&(memberOf=cn=group,ou=groupOU,dc=example,dc=com))
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
EOS
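The script below is an added diagnostic; it is not part of the question or the answer above and is not GitLab's own code. `gitlab:ldap:check` only proves the first half of a sign-in: GitLab's LDAP adapter delegates to net-ldap's `bind_as`, which first binds as `bind_dn` and searches `base` for an entry whose `uid` attribute equals the typed login (ANDed with `user_filter` when one is set), and then binds a second time as the DN it found, using the password from the sign-in form. The rake task exercises only the service-account search, and the sign-in page collapses a failure in either step into "invalid username or password". This script replays both steps with `ldapsearch` (openldap-clients / ldap-utils) so that the failing step, and the server's reason, become visible. It escapes the login per RFC 4515 before placing it in the filter, reads passwords from a mode-0600 file rather than the command line, and maps the gitlab.rb `encryption` values to ldap, ldaps or STARTTLS. The hostname, DNs and the use of the `mail` attribute for `allow_username_or_email_login` are the example's own assumptions.

```python
"""Replay GitLab's two-step LDAP sign-in with ldapsearch to see which step fails.

Added diagnostic, not from the question/answer above and not GitLab code.
Step 1: bind as bind_dn, search `base` for (uid=login) [AND user_filter].
Step 2: bind as the DN returned by step 1 with the user's own password.
The hostname, DNs and passwords in CONFIG are placeholders (assumptions).
"""
import base64
import os
import subprocess
import tempfile

# RFC 4515 escapes: without these a login such as "*)(objectClass=*" would
# rewrite the filter instead of being matched as a literal value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied login before it is placed in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(login, uid="sAMAccountName", user_filter="", allow_email=False):
    """Filter for step 1. user_filter is admin-supplied and already a valid filter.
    Matching on 'mail' for allow_username_or_email_login is this example's choice."""
    value = escape_filter_value(login)
    login_part = f"({uid}={value})"
    if allow_email:
        login_part = f"(|{login_part}(mail={value}))"
    return f"(&{login_part}{user_filter})" if user_filter else login_part


def parse_dn(ldif):
    """DN of the first entry in `ldapsearch -LLL` output, or None. Handles LDIF
    line folding (continuation lines start with a space) and base64 DNs (dn::)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("dn:: "):
            return base64.b64decode(line[5:]).decode("utf-8")
        if line.startswith("dn: "):
            return line[4:].strip()
    return None


def ldapsearch_argv(host, port, encryption, bind_dn, passfile, base, filt,
                    scope="sub", attrs=("sAMAccountName", "mail")):
    """Build the ldapsearch command. -y reads the bind password from a file so it
    never shows up in `ps` or shell history. encryption uses the gitlab.rb values."""
    scheme = "ldaps" if encryption == "simple_tls" else "ldap"
    argv = ["ldapsearch", "-LLL", "-x", "-H", f"{scheme}://{host}:{port}",
            "-D", bind_dn, "-y", passfile, "-b", base, "-s", scope]
    if encryption == "start_tls":
        argv.append("-ZZ")  # STARTTLS, and fail rather than fall back to cleartext
    return argv + [filt, *attrs]


def check_login(cfg, login, password):
    """Run both steps against the server in cfg. Returns (step, ok, detail)."""
    with tempfile.TemporaryDirectory() as tmp:
        passfile = os.path.join(tmp, "pw")

        def run(bind_dn, secret, base, filt, scope, attrs):
            # mode 0600 and no trailing newline: ldapsearch -y uses the file verbatim
            fd = os.open(passfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as fh:
                fh.write(secret)
            argv = ldapsearch_argv(cfg["host"], cfg["port"], cfg["encryption"],
                                   bind_dn, passfile, base, filt, scope, attrs)
            return subprocess.run(argv, capture_output=True, text=True, timeout=30)

        filt = build_lookup_filter(login, cfg["uid"], cfg.get("user_filter", ""),
                                   cfg.get("allow_username_or_email_login", False))
        r = run(cfg["bind_dn"], cfg["password"], cfg["base"], filt, "sub", ("sAMAccountName", "mail"))
        dn = parse_dn(r.stdout) if r.returncode == 0 else None
        if dn is None:
            return 1, False, r.stderr.strip() or f"no entry under {cfg['base']} matched {filt}"
        r = run(dn, password, dn, "(objectClass=*)", "base", ("sAMAccountName",))
        return 2, r.returncode == 0, r.stderr.strip() or dn


if __name__ == "__main__":
    import getpass
    import sys

    # Placeholder values mirroring the question's gitlab.rb block (assumptions).
    CONFIG = {
        "host": "myAdUrl", "port": 3268, "encryption": "plain",
        "bind_dn": "CN=serveur-ovh,CN=Users,dc=ad,dc=mydomain,dc=com",
        "password": getpass.getpass("bind_dn password: "),
        "base": "dc=ad,dc=mydomain,dc=com", "uid": "sAMAccountName",
        "user_filter": "", "allow_username_or_email_login": False,
    }
    user = sys.argv[1] if len(sys.argv) > 1 else "mike.gordon"
    step, ok, detail = check_login(CONFIG, user, getpass.getpass(f"password for {user}: "))
    print(f"step {step} {'ok' if ok else 'FAILED'}: {detail}")
    sys.exit(0 if ok else 1)
```

Run it as `python3 ldap_login_check.py mike.gordon` from a host that can reach the domain controller. A step 1 failure points at `bind_dn`, `base` or `user_filter`; a step 2 failure is the user's own bind, and Active Directory appends a comment code to the bind error text that names the cause (`data 52e` wrong password, `525` no such user, `533` account disabled, `773` password must be changed, `775` locked out). Note also that the question's configuration uses `encryption: 'plain'` on port 3268, so the service-account password and every user's sign-in password cross the network in cleartext; the answer's configuration uses ldaps on port 636 instead.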