Gitlab (AWS) authentication using on-premise LDAP (Win 2008 R2)

I have installed GitLab Omnibus Community Edition 8.0.2 for evaluation purposes. I am trying to connect GitLab (Linux AMI on AWS) with our on-premise LDAP server running on Win 2008 R2. However, I am unable to do so. I am getting the following error (Could not authorize you from Ldapmain because “Invalid credentials”):

Here’s the config I’m using for LDAP in gitlab.rb:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'LDAP'
  host: 'XX.YYY.Z.XX'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: 'CN=git lab,OU=users,OU=Service Accounts,OU=corp,OU=India,OU=Users,OU=UserId&Rooms,DC=india,DC=local'
  password: 'pwd1234'
  active_directory: true
  allow_username_or_email_login: true
  base: 'CN=git lab,OU=users,OU=Service Accounts,OU=corp,OU=India,OU=Users,OU=UserId&Rooms,DC=india,DC=local'
  user_filter: ''
EOS

There are two users: gitlab (newly created AD user) and john.doe (old AD user).

Both users are able to query all AD users using the ldapsearch command, but when I use their respective details (one at a time) in gitlab.rb and run the gitlab-rake gitlab:ldap:check command, it displays info about that particular user only and not all users.

Earlier, gitlab-rake gitlab:ldap:check was displaying the first 100 results from AD when my credentials (john.doe) were configured in the gitlab.rb file. Since these were my personal credentials, I asked my IT team to create a new AD user (gitlab) for GitLab. After I configured the new user (gitlab) in the gitlab.rb file and ran gitlab-rake gitlab:ldap:check, it only displayed that particular user’s record. I thought this might be due to some permission issue for the newly-created user, so I restored my personal credentials in gitlab.rb. Surprisingly, now when I run gitlab-rake gitlab:ldap:check, I get only one record for my user instead of the 100 records that I was getting earlier. This is really weird! I think, somehow, GitLab is “forgetting” previous details.

Any help will really be appreciated.

Your base should probably not include CN=git lab.

I removed the CN=git lab portion from base. Now I am getting the following:

==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
E, [2015-10-22T17:50:04.274323 #13706] ERROR -- omniauth: (ldapmain) Authentication failure! ldap_error: NoMethodError, undefined method `provider' for nil:NilClass

Seems there are many people having the same/similar issue and all are trying out workarounds.

The issue is resolved now. Seems like it was a bug in the version (8.0.2) I was using. Upgrading it to 8.0.5 fixed my issue.

Also, values of bind_dn and base that worked for me are:

bind_dn: 'CN=git lab,OU=users,OU=Service Accounts,OU=corp,OU=India,OU=Users,OU=UserId&Rooms,DC=india,DC=local'

base: 'OU=users,OU=Service Accounts,OU=corp,OU=India,OU=Users,OU=UserId&Rooms,DC=india,DC=local'
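The symptom in the original post (ldap:check listing exactly one record) follows directly from the first config: `base` was the service account's own DN, so a subtree search under it can only ever return that one entry. The script below is an added example, not code from this thread or from GitLab; it is an offline sanity check that parses the two DNs, flags a `base` that names a single object or equals `bind_dn`, and warns when `method: 'plain'` sends the bind password unencrypted. The config dicts reuse the DN values posted above; the function names and the plain-text warning are this example's own.

```python
"""Offline sanity check for the `main:` block of a GitLab LDAP server config.

Added example: checks whether `base` is a container (so a subtree search can
return many users) or a single object DN, and whether the bind transport is
encrypted. No LDAP connection is made; values are taken from the thread above.
"""


def parse_dn(dn):
    """Split a DN into [(attr, value), ...] from the leaf outward.

    Honours '\\,' escapes inside values; attribute types are lower-cased and
    values case-folded, matching Active Directory's case-insensitive matching.
    Multi-valued RDNs (a+b) are not needed here and are kept as plain text.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair, skip its comma
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        parsed.append((attr.strip().lower(), value.strip().casefold()))
    return parsed


def same_dn(a, b):
    """DN equality under AD's case-insensitive matching rules."""
    return parse_dn(a) == parse_dn(b)


def is_under(dn, base):
    """True if dn equals base or lies beneath it (compare RDNs from the root end)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_ldap_config(cfg):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    base = cfg.get("base", "")
    bind_dn = cfg.get("bind_dn", "")

    # Leftmost RDN of the search base is CN=...: that is a leaf object (user,
    # group, computer), not a container, so a subtree search yields <= 1 entry.
    if parse_dn(base)[0][0] == "cn":
        findings.append("base names a single object (leftmost RDN is CN=...): "
                        "a subtree search under it returns at most that one entry")
    if same_dn(base, bind_dn):
        findings.append("base is the bind account's own DN, so ldap:check lists "
                        "only the bind account itself")
    if cfg.get("method") == "plain":
        findings.append("method 'plain' sends the bind password unencrypted on "
                        "port %s; prefer 'tls' (STARTTLS) or 'ssl' on 636"
                        % cfg.get("port", "?"))
    return findings


# Constructed from the DN values in the thread: the first config as posted,
# and the bind_dn/base pair the poster reports as working.
SERVICE_ACCOUNT_DN = ("CN=git lab,OU=users,OU=Service Accounts,OU=corp,OU=India,"
                      "OU=Users,OU=UserId&Rooms,DC=india,DC=local")
ORIGINAL_CONFIG = {"method": "plain", "port": 389,
                   "bind_dn": SERVICE_ACCOUNT_DN, "base": SERVICE_ACCOUNT_DN}
FIXED_CONFIG = {"method": "plain", "port": 389,
                "bind_dn": SERVICE_ACCOUNT_DN,
                "base": ("OU=users,OU=Service Accounts,OU=corp,OU=India,"
                         "OU=Users,OU=UserId&Rooms,DC=india,DC=local")}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name + ":")
        for f in check_ldap_config(cfg) or ["no findings"]:
            print("  - " + f)
```

Run against the original values it reports three findings (leaf base, base equals bind_dn, cleartext bind); against the working pair only the transport warning remains, which the thread never addresses but which matters for a bind password that crosses the link between AWS and an on-premise domain controller.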