Could not authenticate you from Ldapmain because "Invalid credentials for username"

I’m trying to add the LDAP feature for our GitLab. We have a running Active Directory server on Windows. GitLab itself is hosted on an Ubuntu server machine.
For the authentication we created a service user on the AD server. Here is my gitlab.rb file (showing only the LDAP config):

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main:
     label: 'LDAP'
     host: '1.2.3.4'
     port: 389
     uid: 'service.Acc'
     bind_dn: 'CN=service.ACC,OU=Org 1,DC=organisation,DC=com'
     password: 'supersecurePass'
     encryption: 'plain'
     base: 'DC=company,DC=com'
     active_directory: true
     allow_username_or_email_login: true
     user_filter: '(objectClass=user)'
EOS

The options which are not listed are commented out (so the default values will be used).
Next I execute both commands:

sudo gitlab-ctl reconfigure
sudo gitlab-rake gitlab:ldap:check

This is the result of the last command:

Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

Why is my list empty? Shouldn’t all users of the AD be listed? I also tried applying the base_dn option, where the users are stored.

If I do an ldapsearch, I get the results:

ldapsearch -H ldap://1.2.3.4 -x -W -D "service.Acc@organisation.com" -b "dc=organisation,dc=com" "(objectClass=user)" mail

.
.
.
# service.ACC, Org 1, organisation.com
dn: CN=service.ACC,OU=Org 1,DC=organisation,DC=com
.
.
.

So the AD server is reachable and responds to my ldapsearch query.
Am I missing something in the gitlab.rb config?

I’m using GitLab EE, version 12.5.3.

Here is an output of my application.log during an unsuccessful login attempt:
Started POST "/users/auth/ldapmain/callback" for 1.2.3.8 at 2019-12-11-07:48:59 +0000
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.Acc", "password"=>"[FILTERED]"}
Redirected to https://git.company.com/users/sign_in

For security reasons I had to replace the real values with dummy values. But please, trust me that the provided user details are similar to the real values (usernames with ".", and the service user is in another OU than the users who will log in to GitLab).

The user is shown the following error message:

Could not authenticate you from Ldapmain because "Invalid credentials for user.1".

The credentials are right.

I also found some topics on this forum with similar problems, but either the solutions do not work for me or no solutions were written at all.

I also created a topic on Stack Overflow with a small bounty, if you are interested:
Stackoverflow topic

In your gitlab.rb, did you set the base attribute?
Example:

base: 'DC=organisation,DC=com'

In the LDAP compare query you have the domain controllers listed.


Hi sirmuttonchop

Thank you for your response. In the meantime I did some changes on the config. I updated the post with the latest version of my gitlab.rb config. The base attribute is given there. Still not working, and the same error messages. :cry:

Your latest settings look OK. And I’m presuming the ldapsearch compare query you’re doing is also on the Ubuntu server itself (not a separate local workstation per se).

Since authentication is fine, I’d focus more on the search and user attribute. One other thing you may try is to append some of the Attributes under user_filter.

Example
https://docs.gitlab.com/ee/administration/auth/ldap.html

  attributes:
    ##
    ## The username will be used in paths for the user's own projects
    ## (like `gitlab.example.com/username/project`) and when mentioning
    ## them in issues, merge request and comments (like `@username`).
    ## If the attribute specified for `username` contains an email address,
    ## the GitLab username will be the part of the email address before the '@'.
    ##
    username: ['uid', 'userid', 'sAMAccountName']
    email:    ['mail', 'email', 'userPrincipalName']

    ##
    ## If no full name could be found at the attribute specified for `name`,
    ## the full name is determined using the attributes specified for
    ## `first_name` and `last_name`.
    ##
    name:       'cn'
    first_name: 'givenName'
    last_name:  'sn'

Example 2; the attributes should correspond to what you have in your Active Directory’s user object.

...
user_filter: '(objectclass=user)'
attributes:
  username: ['sAMAccountName', 'displayName', 'uid']
  email:    ['mail']
  name:       'displayName'
  first_name: 'givenName'
  last_name:  'sn'
## EE only
group_base: 'ou=AAA,ou=CCC,ou=BBB'
admin_group: ''
sync_ssh_keys: false
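An added offline check (my own example, not GitLab code and not from the thread): it builds the user-lookup filter GitLab's LDAP adapter is assumed to send, `(&(<uid>=<login>)<user_filter>)`, for the entry posted above and for one whose `uid` is the AD attribute `sAMAccountName`, and it flags a `uid` that holds a username instead of an attribute name, since a lookup that matches no entry surfaces to the user as "Invalid credentials". The config dicts are constructed from the thread's dummy values.

```python
"""Offline sanity check of a GitLab ldap_servers entry (constructed example)."""
import re

# RFC 4515 escaping for values embedded in a filter (the login is user-controlled).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# LDAP attribute description: a name (ALPHA *(ALPHA / DIGIT / "-")) or a numeric OID.
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(cfg: dict, login: str) -> str:
    """Assumed shape of GitLab's lookup: (&(<uid>=<login>)<user_filter>)."""
    eq = f"({cfg['uid']}={escape_filter_value(login)})"
    custom = cfg.get("user_filter")
    return f"(&{eq}{custom})" if custom else eq


def diagnose(cfg: dict) -> list[str]:
    """Return human-readable problems found in the server entry."""
    problems = []
    uid = cfg["uid"]
    if not _ATTR_RE.match(uid):
        problems.append(f"uid {uid!r} is not an attribute name; use e.g. 'sAMAccountName'")
    # The bind account's CN appearing as `uid` means a username was put where the
    # attribute name belongs; the resulting filter can never match a login.
    m = re.match(r"CN=([^,]+)", cfg.get("bind_dn", ""), re.IGNORECASE)
    if m and m.group(1).lower() == uid.lower():
        problems.append("uid repeats the bind_dn CN; the lookup filter will match no one")
    return problems


# Constructed from the thread's posted entry (dummy values); base is not needed here.
POSTED = {"uid": "service.Acc",
          "bind_dn": "CN=service.ACC,OU=Org 1,DC=organisation,DC=com",
          "user_filter": "(objectClass=user)"}
FIXED = {**POSTED, "uid": "sAMAccountName"}

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, build_user_search_filter(cfg, "user.1"), diagnose(cfg))
```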