How to translate working ldapsearch command into config

I have a working ldapsearch query

ldapsearch -x -h <ldapdomain> -D "uid=<username>,ou=people,dc=<domain>,dc=<tld>" -w "redacted"

that works against my LDAP server. However, when translating this into an LDAP configuration I constantly get an invalid credentials answer to my login attempts, even though username and password are identical to the ones used in the ldapsearch command.

My ldap config looks like this:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
main:
  label: 'Name'
  host: '<ldapdomain>'
  port: 389 # usually 636 for SSL
  uid: 'uid'
  bind_dn: 'ou=people,dc=<domain>,dc=<tld>'
  encryption: 'plain'
  verify_certificates: true
  ssl_version: ''
  timeout: 10
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: ''
  user_filter: ''
  attributes:
    username: ['uid', 'userid', 'sAMAccountName']
    email:    ['mail', 'email', 'userPrincipalName']
    name:       'cn'
    first_name: 'givenName'
    last_name:  'sn'
  lowercase_usernames: false
  group_base: ''
  admin_group: ''
  external_groups: []
  sync_ssh_keys: false
EOS

The bind_dn and password attributes are related to the user gitlab will use to connect to the LDAP database and then check for credentials. Depending on how your LDAP server works, this could be blank. They are blank in my configuration.

You should set the base attribute to 'ou=people,dc=<domain>,dc=<tld>'; this is where the records will be searched.

These changes should be enough.

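An added example, not from the original thread, that does the translation the question asks about mechanically: it reads host, port, bind DN, password and search base out of an ldapsearch command line, fills the matching gitlab_rails['ldap_servers'] keys, and flags the two problems the answer points at (a bind_dn that names a container instead of an account, and an empty base). The hostnames, DNs and password in the usage lines are constructed placeholders; the encryption values 'plain', 'simple_tls' and 'start_tls' are GitLab's own setting names.

```python
import shlex
from urllib.parse import urlparse

# ldapsearch flags that map 1:1 onto gitlab_rails['ldap_servers'] keys
_FLAG_TO_KEY = {"-h": "host", "-D": "bind_dn", "-w": "password", "-b": "base"}


def parse_ldapsearch(cmd):
    """Pull host, port, TLS mode, bind DN, password and search base out of an ldapsearch line."""
    args = shlex.split(cmd)
    o = {"host": "", "port": 389, "encryption": "plain", "bind_dn": "", "password": "", "base": ""}
    i = 1  # args[0] is the program name
    while i < len(args):
        a = args[i]
        if a in _FLAG_TO_KEY:
            o[_FLAG_TO_KEY[a]] = args[i + 1]
            i += 2
        elif a == "-p":
            o["port"] = int(args[i + 1])
            i += 2
        elif a == "-H":  # URI form: ldaps:// means TLS from the start (GitLab's simple_tls)
            u = urlparse(args[i + 1])
            o["host"] = u.hostname
            if u.scheme == "ldaps":
                o["encryption"] = "simple_tls"
            o["port"] = u.port or (636 if u.scheme == "ldaps" else 389)
            i += 2
        elif a in ("-Z", "-ZZ"):  # StartTLS upgrade on the plain port
            o["encryption"] = "start_tls"
            i += 1
        else:  # -x, search filters and attribute lists have no config counterpart
            i += 1
    return o


def to_gitlab_config(o):
    """Values for the main: block. Without -b, use the bind DN minus its leading RDN as base.
    Naive split on ',': escaped commas inside DN values are not handled."""
    base = o["base"] or ",".join(o["bind_dn"].split(",")[1:])
    return {**o, "base": base}


def check_config(cfg):
    """Flag the two mistakes from the question: a container as bind_dn, and an empty base."""
    problems = []
    first_rdn = cfg["bind_dn"].split(",")[0].strip().lower()
    if first_rdn.startswith(("ou=", "dc=", "o=")):
        problems.append("bind_dn names a container, not an account, so the bind is rejected as "
                        "invalid credentials; use the full user DN from -D, or leave bind_dn and "
                        "password empty if the server allows anonymous search")
    if not cfg["base"]:
        problems.append("base is empty; set it to the container that holds the user entries")
    return problems
```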