Net LDAP Error: Connection reset by peer trying to use LDAP against AD

Hello,

I am trying to use LDAP authentication against Active Directory (AD). Following the known howtos, I have the below in /etc/gitlab/gitlab.rb:

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
 main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'EXAMPLE'
  host: 'EXAMPLE.COM'
  port: 636
  uid: 'sAMAccountName' # 'sAMAccountName'
  method: 'tls' # "tls" or "ssl" or "plain"
  bind_dn: 'cn=binduser,cn=Users,dc=example,dc=com'
  password: 'superpassword'
  timeout: 10
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'cn=Users,dc=example,dc=com'
  user_filter: ''
EOS

But
gitlab-rake gitlab:ldap:check

returns
Net::LDAP::Error: Connection reset by peer @ io_fillbuf - fd:14

Note: when I use

ldapsearch -D "cn=binduser,cn=Users,dc=example,dc=com" -b "cn=Users,dc=example,dc=com" -H ldaps://example.com:636 -w superpassword

I get the full user list, as expected (so the credentials are good, the certificate is good, etc.).

How do I handle this problem?

Thanks!

Hi Stayen,

I guess that “method” is obsolete!? Try this, it works for me in my company:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
'main' => {
  'bind_dn'                       => 'cn=binduser,cn=Users,dc=example,dc=com',
  'password'                      => 'password',
  'user_filter'                   => '',
  'label'                         => 'example',
  'host'                          => 'ad.example.com',
  'port'                          => 636,          # Integer, not a quoted string
  'encryption'                    => 'simple_tls', # LDAPS on 636; 'start_tls' or 'plain' are the other values
  'base'                          => 'dc=example,dc=com',
  'uid'                           => 'sAMAccountName',
  # Bare booleans: a quoted 'true'/'false' is a String, and every non-empty String is truthy in Ruby
  'active_directory'              => true,
  'allow_username_or_email_login' => false,
  'lowercase_usernames'           => false,
  'block_auto_created_users'      => true,
  'attributes'  => {               # the key is the String 'attributes', not an Array
     'username'   => 'sAMAccountName',
     'email'      => 'mail',
     'name'       => 'cn',
     'first_name' => 'givenName',
     'last_name'  => 'sn'
    }
  }
}
1 Like

@nightman68 , thanks a lot!

Replacing

'method' => 'tls',

with

'encryption' => 'simple_tls',

did the trick, so the doc I mentioned is out of date.

1 Like

You’re welcome. Probably you checked the wrong doc; use this one.
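Added example (not from either poster, and not GitLab's own code): a short Ruby linter for the gitlab_rails['ldap_servers'] hash that flags the problems visible in the two configs posted in this thread. It assumes that GitLab's rename of the old 'method' key to 'encryption' maps ssl to simple_tls, tls to start_tls and plain to plain, and that the GitLab version in use knows the 'verify_certificates' key; the two sample hashes are constructed from the sanitized configs above. The port check encodes my reading of the original error: port 636 is LDAPS, so a STARTTLS client (the old 'tls' method) sends cleartext LDAP where the server expects a TLS ClientHello, and the server drops the connection. The remaining checks (quoted booleans, a quoted port, an Array used as a hash key) come straight from the second config.

```ruby
# Added example, not GitLab code: lint the gitlab_rails['ldap_servers'] hash
# from /etc/gitlab/gitlab.rb for the pitfalls seen in this thread.

# Assumed mapping of the obsolete 'method' key onto 'encryption'.
OBSOLETE_METHOD_TO_ENCRYPTION = {
  'ssl'   => 'simple_tls', # LDAPS: TLS from the first byte, normally port 636
  'tls'   => 'start_tls',  # STARTTLS upgrade on a plaintext port, normally 389
  'plain' => 'plain'
}.freeze

# Keys GitLab expects as real booleans. A quoted 'true'/'false' is a
# String, and every non-empty String is truthy in Ruby.
BOOLEAN_KEYS = %w[active_directory allow_username_or_email_login
                  lowercase_usernames block_auto_created_users
                  verify_certificates].freeze

# Lint one provider's options hash. Returns an Array of finding strings,
# empty when nothing is wrong.
def lint_ldap_server(provider, opts)
  findings = []

  # `['attributes'] => {...}` is a valid Ruby hash literal whose key is an
  # Array, so GitLab never sees a key named 'attributes'.
  opts.keys.reject { |k| k.is_a?(String) }.each do |k|
    findings << "#{provider}: key #{k.inspect} is not a String; write it as a quoted string"
  end
  opts = opts.select { |k, _| k.is_a?(String) }

  encryption = opts['encryption']
  if opts.key?('method')
    mapped = OBSOLETE_METHOD_TO_ENCRYPTION[opts['method'].to_s]
    findings << "#{provider}: 'method' is obsolete; use 'encryption' => #{mapped.inspect}"
    encryption ||= mapped
  end

  port = opts['port']
  unless port.is_a?(Integer)
    findings << "#{provider}: 'port' should be an Integer, got #{port.inspect}"
    port = Integer(port.to_s, exception: false)
  end

  # Port 636 speaks TLS from the first byte. A STARTTLS or plaintext client
  # sends cleartext LDAP where the server expects a ClientHello; the server
  # tears the connection down and net-ldap reports "Connection reset by peer".
  if port == 636 && encryption != 'simple_tls'
    findings << "#{provider}: port 636 is LDAPS and needs 'encryption' => 'simple_tls' (got #{encryption.inspect})"
  elsif port == 389 && encryption == 'simple_tls'
    findings << "#{provider}: 'simple_tls' on port 389 will not work; use 'start_tls' there, or move to port 636"
  end
  if encryption.nil? || encryption == 'plain'
    findings << "#{provider}: no TLS; the bind password and user lookups cross the wire in cleartext"
  end

  BOOLEAN_KEYS.each do |key|
    value = opts[key]
    next if value.nil? || value == true || value == false
    findings << "#{provider}: '#{key}' => #{value.inspect} is a String, not a boolean; use bare true/false"
  end

  # Assumed key: be explicit so a forged AD certificate is rejected.
  unless opts['verify_certificates'] == true
    findings << "#{provider}: 'verify_certificates' is not true; set it so a bad AD certificate is rejected"
  end

  findings
end

# Lint the whole gitlab_rails['ldap_servers'] hash (all providers).
def lint_ldap_servers(servers)
  servers.flat_map { |provider, opts| lint_ldap_server(provider.to_s, opts) }
end

# Constructed sample input: the first poster's config (obsolete 'method').
ORIGINAL_CONFIG = {
  'main' => {
    'label' => 'EXAMPLE', 'host' => 'EXAMPLE.COM', 'port' => 636,
    'uid' => 'sAMAccountName', 'method' => 'tls',
    'bind_dn' => 'cn=binduser,cn=Users,dc=example,dc=com',
    'password' => 'superpassword', 'timeout' => 10,
    'active_directory' => true, 'allow_username_or_email_login' => false,
    'block_auto_created_users' => false,
    'base' => 'cn=Users,dc=example,dc=com', 'user_filter' => ''
  }
}.freeze

# Constructed sample input: the replying poster's config, as posted.
WORKING_CONFIG = {
  'main' => {
    'bind_dn' => 'cn=binduser,cn=Users,dc=example,dc=com',
    'password' => 'password', 'user_filter' => '', 'label' => 'example',
    'host' => 'ad.example.com', 'port' => '636', 'encryption' => 'simple_tls',
    'base' => 'dc=example,dc=com', 'uid' => 'sAMAccountName',
    'active_directory' => 'true', 'allow_username_or_email_login' => 'false',
    'lowercase_usernames' => 'false', 'block_auto_created_users' => 'true',
    ['attributes'] => { 'username' => 'sAMAccountName', 'email' => 'mail' }
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts lint_ldap_servers(ORIGINAL_CONFIG)
  puts lint_ldap_servers(WORKING_CONFIG)
end
```

Run it with `ruby ldap_lint.rb`; an empty result means the hash passes every check. The quoted-boolean finding matters because Ruby treats any non-empty String as true, so a value such as 'allow_username_or_email_login' => 'false' is not guaranteed to read as false once it reaches GitLab; the bare booleans in GitLab's own examples avoid the question entirely.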