Difficulties with LDAP group syncing

Hi guys!

I am exploring gitlab usage for our small organization.
Everything is fine except LDAP groups which we have.
All developers have LDAP users with respective LDAP groups memberships.
Also we store ssh public keys inside user object.

As far as i understood gitlab should be able to sync existing LDAP groups and create respective objects?
And also it should populate memberships accordingly?
If its true this is not happening in my case.

My gitlab.rb:


gitlab_rails[‘ldap_enabled’] = true
gitlab_rails[‘prevent_ldap_sign_in’] = false
gitlab_rails[‘ldap_servers’] = YAML.load <<-‘EOS’
label: LDAP
host: ‘ldap-master.example.com
port: 636
uid: ‘uid’
bind_dn: ‘cn=gitlab,container=Infrastructure,container=System,dc=example,dc=com’
password: ‘’
encryption: ‘simple_tls’
verify_certificates: true
smartcard_auth: false
active_directory: false
allow_username_or_email_login: false
lowercase_usernames: true
block_auto_created_users: false
base: ‘container=Users,dc=example,dc=com’
user_filter: ‘(|(employeeType=admin)(employeeType=developer))’
## EE only
group_base: ‘container=Groups,dc=example,dc=com’
admin_group: ‘superuser’
sync_ssh_keys: true
username: [‘uid’]
email: [‘mail’]
name: ‘cn’
first_name: ‘cn’
last_name: ‘cn’
ca_file: ‘/etc/pki/ca-trust/source/anchors/internal-ca.pem’
ssl_version: ‘TLSv1_2’
ciphers: ‘<long_cipher_list>’
cert: |

key: |

gitlab_rails[‘ldap_sync_worker_cron’] = “0 * * * "
gitlab_rails[‘ldap_group_sync_worker_cron’] = "
/10 * * * *”

LDAP group object example:

LDAP group object

dn: cn=superuser,container=Groups,dc=example,dc=com
objectClass: group
cn: superuser
gidNumber: 10000
memberUid: testuser
structuralObjectClass: group

LDAP user object example:

LDAP user object

dn: uid=testuser,container=Users,dc=example,dc=com
uid: testuser
cn: testuser
objectClass: user
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sshKey
shadowLastChange: 15140
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/testuser
mail: testuser@example.com
structuralObjectClass: user

Gitlab rails features information:

features summary

irb(main):096:0> License.feature_available?(:ldap_group_sync_filter)
License Load (0.9ms) SELECT “licenses”.* FROM “licenses” ORDER BY “licenses”.“id” DESC LIMIT 1
=> true
irb(main):097:0> License.feature_available?(:ldap_group_sync,)
License Load (1.0ms) SELECT “licenses”.* FROM “licenses” ORDER BY “licenses”.“id” DESC LIMIT 1
(0.5ms) SELECT “features”.“key” FROM “features”
=> true

So at this point users are able to login.
But gitlab dont sync the groups and fails to recognize memberships.

When i run this:


irb(main):100:0> ldap_group = EE::Gitlab::Auth::Ldap::Group.find_by_cn(‘group_cn_here’, adapter)
irb(main):101:0> ldap_group = EE::Gitlab::Auth::Ldap::Group.find_by_cn(‘superuser’, adapter)
irb(main):102:0> ldap_group.member_uids
=> [“testuser”, “testuser1”]

As you can see it actually can see correct memberships.

But at the same time this one returns empty result:


irb(main):103:0> ldap_group.member_dns
=> [""]

Because this one requires memberOf?
But because i switched off active_directory it should not be a problem?

When i run sync groups manually:


irb(main):104:0> EE::Gitlab::Auth::Ldap::Sync::Groups.execute
Performing LDAP group sync for ‘ldapmain’ provider
Group Load (44.2ms) SELECT DISTINCT “namespaces”.* FROM “namespaces” INNER JOIN “ldap_group_links” ON “ldap_group_links”.“group_id” = “namespaces”.“id” WHERE “namespaces”.“type” = ‘Group’ AND “ldap_group_links”.“provider” = ‘ldapmain’ ORDER BY ldap_sync_last_successful_update_at ASC, namespaces.id ASC
Finished LDAP group sync for ‘ldapmain’ provider
Syncing admin users for ‘ldapmain’ provider
Instantiating EE::Gitlab::Auth::Ldap::Group with LDIF:
dn: cn=superuser,container=Groups,dc=example,dc=com
cn: superuser
memberuid: testuser
memberuid: testuser1
Members in ‘superuser’ LDAP group: [""]
Identity Load (6.6ms) SELECT “identities”.* FROM “identities” WHERE (LOWER(“identities”.“extern_uid”) = LOWER(‘uid=testuser,container=users,dc=example,dc=com’)) AND “identities”.“provider” = ‘ldapmain’ LIMIT 1
User Load (11.9ms) SELECT “users”.* FROM “users” WHERE “users”.“id” = 2 LIMIT 1
(0.4ms) BEGIN
Namespace Load (1.3ms) SELECT “namespaces”.* FROM “namespaces” WHERE “namespaces”.“owner_id” = 2 AND “namespaces”.“type” IS NULL LIMIT 1
(0.5ms) COMMIT
User Load (5.2ms) SELECT “users”.* FROM “users” INNER JOIN “identities” ON “identities”.“user_id” = “users”.“id” WHERE “identities”.“provider” = ‘ldapmain’ AND “users”.“admin” = TRUE
Finished syncing admin users for ‘ldapmain’ provider
No external_groups configured for ‘ldapmain’ provider. Skipping
=> true

As i mentioned previously it can see memberuid attribute.
But why it does not process it and create a respective gitlab group?
Am i missing something here?

I can also provide additional details if required.

Please note that LDAP Group Sync requires a Starter license or higher.

I mentioned in a post that these 2 features are enabled(i am using trial license)

My bad, should have clicked & read all sections :man_facepalming:

I think i found a bug in code.
Will submit a PR.
This is the correct repo: https://github.com/gitlabhq/gitlabhq?

The repository and issue tracker can be found at https://gitlab.com/gitlab-org/gitlab