Gitlab Keep Locking LDAP Accounts

I’ve got some strange problems after enabling 2FA for my LDAP (AD synced) accounts.

I’ve syncing my accounts from my AD server and everything working fine (push/pull over https) until I will enable 2FA for account. As soon as I will enable 2FA for user and try to do some operation my LDAP account is getting blocked.

So scenario to re-produce is:

  1. Use existing GitLab account (synced from LDAP/AD)
  2. Enable 2FA
  3. Generate Access Token
  4. git push/pull over https with username of gitlab and access token as password
  5. git push/pull is sucesfull
  6. LDAP account is blocked
  7. Disable 2FA, push/pull with AD username and AD password = working fine, account not locked

I cannot see nothing (error/warning) in production.log and also on my AD controller nothing also clear in the logs. Can anyone point me in right direction where to look for a problem? Any way to enable extra debug for LDAP etc ?


I’ve got some develop on this - looks like GitLab sending wrong password to my LDAP.

As soon as I try git push/pull over HTTPS with 2FA account my badPwdCount increasing on LDAP. Is I’m correct assuming that from some reason Gitlab trying to sent AccessToken to LDAP as my password? Where LDAP is not aware of this (only normal password) so this causing account locks?

Any idea how to fix it?

Yeah confirmed:
Account from LDAP with 2FA enabled:

  • Trying to push with https and access token as password: push is succesfull badPWDCount on account is increasing (cause lock
  • Trying to push with https and AD password as password: push is not working but badPWDCount is 0 (restarted)

Any idea why Gitlab acting like that and passing Access Token to LDAP as user password? Is this bug? Should I report it somewhere else?

I have never tried 2FA + AD. Can you create a sample anonymized/scrubbed sample of your configuration with any secrets changed to junk? It would be highly useful. I’m collecting sample configurations.

I don’t know how 2FA works, and so I don’t know why you’re seeing what you see, or if what you are seeing is what you should be seeing. But I wonder if it’s doing exactly what it’s supposed to do, or secondly, if your configuration is wrong. Assuming you installed via Omnibus, it’s your gitlab.rb omnibus configuration that I wonder if you’ve got everything you need inside that, and if so, if that matches your AD environment.

If it was me, I’d buy EE, and get Gitlab Support to help me. This is advanced stuff! :slight_smile:

Yeah we still thinking about EE - was even thinking that this AD/2FA can be related to CE and tried on our DEV system free 30 days period … still was a problem. Currently getting our head around Gitlab and if we will do everything that we want with CE then we will migrate to EE.

So before my config files I will again summarize problem:

  • Problem:
    Gitlab locking AD accounts (linked via LDAP) while using 2FA and trying to interact with repositories using HTTPS and providing as password access token.
  • Scenario to re-produce
  1. Any gitlab account that got identify LDAP and enabled 2FA
    2, Try to push/pull using https protocol (username is ldap username, password is access token)
  2. Result is push/pull is sucessfull badPWDCount is increased on LDAP (assumption: Gitlab passing access token as user password to LDAP and LDAP is not aware of this data).
  • My troubleshooting:
  1. After I’ve spotted that badPWDCount is increased for LDAP user when using access token as password I’ve tried to provide to ldap username + ldap password for a user with 2FA enabled. Then my push/pull of course was unsuccessful (bad credentials) however there was nothing in AD logs about wrong password for user (badPWDCount not changed)
  2. Tried gave my ldap user (from gitlab.rb) domain admin rights - does not changed anything.
  3. Problem does not exist of course over ssh as then certificates are used to AUTH
  • My assumptions:
    As my user is in LDAP Gitlab does not storing password for account (first password when for example login to web interface with 2FA enabled). When I’m push/pull Gitlab using LDAP linked account gitlab for some reason need to go to LDAP (to check is account is valid, exists - not sure) but password that is passing is access token (as its not storing actual user password - I believe). LDAP logging it as wrong password and after 3 tries like that it’s locking account.
  • Trick that I’ve tried:
    Set AD user password to match HTTPS Access Token - then everything is fine , no bad password event

I believe this is code that you are interested from my Gitlab.rb

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: 'dc.mydomain'
     port: 389
     uid: 'sAMAccountName'
     method: 'plain' # "tls" or "ssl" or "plain"
     bind_dn: 'CN=gituser,OU=System Accounts,OU=Domain Users,DC=mydomain,DC=com'
     password: 'my_ad_password_'
     active_directory: true
     allow_username_or_email_login: false
     block_auto_created_users: true
     base: 'OU=Domain Users,DC=mydomain,DC=com'
#     user_filter: ''
#     attributes:
#       username: ['uid', 'userid', 'sAMAccountName']
#       email:    ['mail', 'email', 'userPrincipalName']
#       name:       'cn'
#       first_name: 'givenName'
#       last_name:  'sn'
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false
#   secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
#     label: 'LDAP'
#     host: '_your_ldap_server'
#     port: 389
#     uid: 'sAMAccountName'
#     method: 'plain' # "tls" or "ssl" or "plain"
#     bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
#     password: '_the_password_of_the_bind_user'
#     active_directory: true
#     allow_username_or_email_login: false
#     block_auto_created_users: false
#     base: ''
#     user_filter: ''
#     attributes:
#       username: ['uid', 'userid', 'sAMAccountName']
#       email:    ['mail', 'email', 'userPrincipalName']
#       name:       'cn'
#       first_name: 'givenName'
#       last_name:  'sn'
#     ## EE only
#     group_base: ''
#     admin_group: ''
#     sync_ssh_keys: false

Other details:

  • Nothing in production.log of rails (regarding for example timed out LDAP query etc.)
  • New users can be created (first login) so LDAP access is working
  • Bad password event in AD logs everytime when push/pull via https with 2FA
  • Tried also on our DEV system (different AD, fresh installation of gitlab, same gitlab.rb config) - same problem

I believe if I did not screw up anything with my config this should be a bug that should be fixed in CE not only in EE