Hi.
I have had a new server set up for a couple of days, using AD authentication for the users.
We have the users in one OU, which I have configured in the LDAP main settings in the gitlab.rb file.
We have two mail domains for our users, most users have xxx@xxx.com for their primary smtp, the others have xxx@xxx.de for their primary smtp.
Now when they try to log on, it's working for users with @xxx.com as their mail address.
All the other users with @xxx.de as their primary mail address get the above error message.
The server is running on gitlab version 8.2.4 CE.
The LDAP section of our gitlab.rb looks like this:

```
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'xxxx Login'
  host: 'xxx.xxxx.com'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: 'CN=xxxxx,OU=xxxxx,OU=xxxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=com'
  password: 'xxxxxx'
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'OU=xxxx,OU=xxxx,OU=xxxx,DC=xxxx,DC=com'
  user_filter: ''
EOS
```
Why does it only work for users with the xxx.com address?
When I switch a user's primary mail address from xxx.de to xxx.com, they can log on without issue.
When I switch back to xxx.de, we get the error again.
I'm confused. What has the sAMAccountName to do with the mail address?
Additional comment:
When I switch the user's mail address to the one which is working and log on so that the user is created, then switch back to the other mail address, the user can log on successfully.
Then, after deleting that user and logging on again, same error…
So it looks like the error only comes up when the user needs to be created.
Is there detailed documentation on how the LDAP / AD authentication works in GitLab?
I'm really confused why this is not working.
Solved myself:
Log in as admin, go to Admin Area >> Settings >> Restricted domains for sign-ups.
Here is a list of domains which reflects the DNS suffixes from the server.
Hi
I am facing a similar issue; could you elaborate more about what to update in Restricted domains for sign-ups?
I have all users with the same domain name, and still users are facing this issue.
Only users matching the mail domains listed there are allowed to log in. In our case it was automatically filled out with a DNS suffix from our server, but some users had different mail addresses.
Then I added the mail domain and it worked.
For example: in the allowed list you have test.com as allowed.
User A has A@test.com as mail address, User B has B@test.de as mail address.
Only User A could log on.
When you add test.de to the allowed list, then both User A and B can log on.
I got that problem when I inadvertently left a space character at the end of the LDAP identity field in GitLab.
Our problem turned out to be that there was NONE listed in the LDAP email address field. We had no restricted domains set up in the GitLab admin area, but the GitLab server authentication still requires a valid email address to be set up in the LDAP account. Once we added a valid email address to our LDAP email address field, everything worked. Thanks for the email clue, as this error message was not very helpful.
I also had this issue when there were two mail attributes in LDAP.
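The replies above point at four different directory-side conditions that all surface as the same sign-up error on a user's first LDAP login: a mail domain missing from the "Restricted domains for sign-ups" list, an empty mail attribute, more than one mail value, and stray whitespace in the login identity. The following script is an added example written for this thread, not GitLab's own code or a GitLab tool; it runs the same checks offline over constructed directory entries (attribute name to list of values, the shape an LDAP search result has) so an admin can see which accounts would fail before users report it. The entry dicts, user names and domain list are constructed sample data.

```python
"""Offline sanity check for the AD attributes GitLab's LDAP sign-in depends on.

Added example for this thread, not GitLab code. On constructed directory
entries it reproduces the four conditions the posts describe as causing the
sign-up failure on first LDAP login.
"""
from typing import Dict, List


def mail_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or '' if malformed."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def check_entry(entry: Dict[str, List[str]], allowed_domains: List[str]) -> List[str]:
    """Return human-readable problems for one directory entry.

    `entry` mirrors an LDAP search result: attribute name -> list of values.
    An empty `allowed_domains` list means no sign-up restriction is configured.
    An empty result means the account should be created without complaint.
    """
    problems = []
    uid_values = entry.get("sAMAccountName", [])
    if len(uid_values) != 1:
        problems.append("sAMAccountName must have exactly one value")
    elif uid_values[0] != uid_values[0].strip():
        # The trailing-space case from the thread: the identity GitLab stores
        # will never match the value the directory hands back.
        problems.append("sAMAccountName has leading/trailing whitespace")

    mails = entry.get("mail", [])
    if not mails:
        # No e-mail at all: GitLab cannot build the account on first sign-in.
        problems.append("mail attribute is empty")
        return problems
    if len(mails) > 1:
        problems.append("mail attribute has %d values; expected one" % len(mails))

    allowed = {d.strip().lower() for d in allowed_domains if d.strip()}
    for address in mails:
        domain = mail_domain(address)
        if not domain:
            problems.append("malformed mail value %r" % address)
        elif allowed and domain not in allowed:
            problems.append("domain %s is not in the sign-up allow list" % domain)
    return problems


def audit(entries: List[Dict[str, List[str]]], allowed_domains: List[str]) -> Dict[str, List[str]]:
    """Map each problematic entry's sAMAccountName (or a positional key) to its problems."""
    report = {}
    for i, entry in enumerate(entries):
        key = (entry.get("sAMAccountName") or ["entry-%d" % i])[0]
        problems = check_entry(entry, allowed_domains)
        if problems:
            report[key] = problems
    return report


# Constructed sample directory entries, modelled on the cases in the thread.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["usera"], "mail": ["a@test.com"]},                   # fine
    {"sAMAccountName": ["userb"], "mail": ["b@test.de"]},                    # domain not allowed
    {"sAMAccountName": ["userc"], "mail": []},                               # no mail value
    {"sAMAccountName": ["userd"], "mail": ["d@test.com", "d@old.test.com"]},  # two values
    {"sAMAccountName": ["usere "], "mail": ["e@test.com"]},                  # trailing space
]
SAMPLE_ALLOWED = ["test.com"]  # constructed: what the admin page would list

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ENTRIES, SAMPLE_ALLOWED).items():
        print(repr(name), "->", "; ".join(issues))
```

Feeding the same entries with `["test.com", "test.de"]` as the allow list clears the User B case exactly as the solution post describes, while the empty, duplicated and whitespace-padded attributes still get flagged, which is why fixing only the domain list did not help the later posters.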