Hello,

I am trying to connect to the AD from my Gitlab but I’m getting the below error:

LDAP: … Server: ldapmain
Exception: Connection reset by peer - SSL_connect

Below is my /etc/gitlab/gitlab.rb file:

===============================================================
external_url ‘https://abc.com’
nginx[‘redirect_http_to_https’] = true
nginx[‘redirect_http_to_https_port’] = 80
nginx[‘proxy_set_headers’] = {
‘X-Forwarded-Proto’ => ‘http’,
‘CUSTOM_HEADER’ => ‘VALUE’
}
letsencrypt[‘enable’] = false

gitlab_rails[‘ldap_enabled’] = true

###! remember to close this block with ‘EOS’ below
gitlab_rails[‘ldap_servers’] = YAML.load <<-‘EOS’
main: # ‘main’ is the GitLab ‘provider ID’ of this LDAP server
label: ‘LDAP’
host: ‘ad.example.com’
port: 636
uid: ‘sAMAccountName’
bind_dn: ‘CN=readonly,OU=Users,OU=xxx,DC=abc,DC=local’
password: ‘password’
encryption: ‘simple_tls’ # start_tls or simple_tls or plain
verify_certificates: true
smartcard_auth: false
active_directory: true
allow_username_or_email_login: false
lowercase_usernames: false
block_auto_created_users: false
base: ‘OU=Users,OU=xxx,DC=xxx,DC=local’
user_filter: ‘(memberof:1.2.840.113556.1.4.1941:=CN=GitlabAccessGroup,OU=Users,OU=xxx,DC=xxx,DC=local)’
EOS

gitlab_rails[‘backup_keep_time’] = 604800
gitlab_rails[‘backup_upload_connection’] = {
‘provider’ => ‘AWS’,
‘region’ => ‘us-east-1’,
‘use_iam_profile’ => true }

It is working after making the below changes:

port: 389
encryption: 'plain' # start_tls or simple_tls or plain

verify_certificates: true (comment out this line)

But we cannot turn off the encryption and TLS Server authentication.

I have tried below solutions as well, but unfortunately it didn’t worked:

Can someone please guide me how can I solve this issue.

Thank you

Hi, I would try port 636 with plain and see how that goes for you.

There are a few differences when using port 389 and 636. The first being, that with port 389 the initial connection is unencrypted, so therefore it should be utilised with start_tls or simple_tls to then encrypt before continuing the connection. If you are using port 636, then the connection is encrypted already from the start. Therefore, using plain with 636 isn’t going to be a major issue since it’s already encrypted. And TLS won’t work with port 636 anyway, as it’s for use with port 389.

Hello,

@vikas.kadam07 Did you solve this problem?
I have the same error since we updated our domain controllers. I updated gitlab to 15.8.1-ee and still not working. I tried also setting the port to 636 and encryption to the three possibilities as @iwalker suggested.

I have only been able to get it to work setting port to 389 and encryption to plain.

Thank you.

In case of self-signed, untrusted certs, use:

verify_certificates: false

just in case that is an issue.

Hi,

I have used the solution posted by @iwalker.

Thanks