Could not find member DNs for LDAP group

I can’t get group_base and admin_group to work. My LDAP setup is working as expected. The users from LDAP are visible in GitLab, so I’m assuming that the configuration is correct for the most part. The gitlab-rake gitlab:ldap:check command shows Success and a whole list of users.

BTW, we’re using FreeIPA which also does LDAP.

However, in the production.log I see this message:
Could not find member DNs for LDAP group #<Net::LDAP::Entry:0x00007f134b223200 @myhash={:dn=>["cn=gitlab_admins,cn=groups,cn=accounts,dc=ghs,dc=nl"], :cn=>["gitlab_admins"]}>

On this link [1] there are some hints on how to debug this, but that didn’t help.

My configuration looks like this:

label: 'LDAP'
host: '****'
port: 636
uid: 'uid'
method: 'ssl'
bind_dn: 'uid=gitlab,cn=users,cn=accounts,dc=ghs,dc=nl'
password: '****'
verify_certificates: false
active_directory: false
allow_username_or_email_login: false
block_auto_created_users: true
base: 'cn=accounts,dc=ghs,dc=nl'
user_filter: 'objectClass=posixAccount'
attributes:
  username: ['uid', 'userid', 'sAMAccountName']
  email:    ['mail', 'email', 'userPrincipalName']
  name:       'cn'
  first_name: 'givenName'
  last_name:  'sn'
group_base: 'cn=groups,cn=accounts,dc=ghs,dc=nl'
admin_group: 'gitlab_admins'
sync_ssh_keys: false

Can anybody suggest how to debug this?

[1] https://docs.gitlab.com/ee/administration/auth/ldap-ee.html

To add to this, I’ve carefully simulated the parameters in an ldapsearch command. It shows the following output for my admin group:

# gitlab_admins, groups, accounts, ghs.nl
dn: cn=gitlab_admins,cn=groups,cn=accounts,dc=ghs,dc=nl
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: gitlab_admins
ipaUniqueID: *****
gidNumber: 60065
member: uid=keesb,cn=users,cn=accounts,dc=ghs,dc=nl

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Notice that it has a “member:” field for the members of the group. And the member has a “uid=” (which is suggested as the usual cause of problems for the error message of this topic).
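
An added example, not part of the original posts: it compares the attribute names in the Net::LDAP::Entry that GitLab logged with the attribute names in the ldapsearch output, both quoted above. The sample strings are copied from this page (the LDIF abridged), the function names are hypothetical, and the set of membership attribute names is an assumption.

```python
import re

# Constructed sample input: the log line and (abridged) LDIF quoted on this page.
LOG_ENTRY = ('#<Net::LDAP::Entry:0x00007f134b223200 @myhash={'
             ':dn=>["cn=gitlab_admins,cn=groups,cn=accounts,dc=ghs,dc=nl"], '
             ':cn=>["gitlab_admins"]}>')
LDIF = """\
# gitlab_admins, groups, accounts, ghs.nl
dn: cn=gitlab_admins,cn=groups,cn=accounts,dc=ghs,dc=nl
objectClass: groupofnames
objectClass: posixgroup
cn: gitlab_admins
gidNumber: 60065
member: uid=keesb,cn=users,cn=accounts,dc=ghs,dc=nl
"""
# Assumption: the usual LDAP membership attributes (groupOfNames,
# groupOfUniqueNames, posixGroup), compared in lower case.
MEMBER_ATTRS = {"member", "uniquemember", "memberuid"}

def attrs_in_logged_entry(inspect_str):
    """Attribute names present in a Net::LDAP::Entry#inspect string."""
    m = re.search(r"@myhash=\{(.*)\}>", inspect_str, re.S)
    if not m:
        raise ValueError("not a Net::LDAP::Entry inspect string")
    return {name.lower() for name in re.findall(r":(\w+)=>\[", m.group(1))}

def attrs_in_ldif(ldif):
    """Attribute names in one LDIF entry, skipping comments and folded lines."""
    names = set()
    for line in ldif.splitlines():
        if not line or line[0] in "# ":  # blank, comment or continuation
            continue
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.split(";")[0].lower())  # drop options like ;binary
    return names

def compare(inspect_str, ldif):
    """Report what ldapsearch returned that the logged entry does not carry."""
    logged, searched = attrs_in_logged_entry(inspect_str), attrs_in_ldif(ldif)
    return {
        "missing_from_gitlab_entry": sorted(searched - logged),
        "member_attrs_in_ldapsearch": sorted(searched & MEMBER_ATTRS),
        "member_attrs_in_gitlab_entry": sorted(logged & MEMBER_ATTRS),
    }

if __name__ == "__main__":
    for key, value in compare(LOG_ENTRY, LDIF).items():
        print(f"{key}: {value}")
```

With the two samples from this page, the logged entry carries only `dn` and `cn`, while the ldapsearch output also carries `member`.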