Gitlab LDAP Authentication on Kubernetes (Microk8s) - Active Directory (LDAPS)

I am trying to install gitlab using the helm charts in a Microk8s kubernetes cluster, and I keep running into some problems with LDAP.

Here is how I installed gitlab:

microk8s helm3 install gitlab /var/snap/install/helm/gitlab/ -n gitlab-system \
--timeout 600s \
--set global.hosts.domain=my.domain.dev \
--set https=true \
--set global.ingress.enabled=true \
--set nginx-ingress.enabled=false \
--set certmanager.install=false \
--set global.ingress.configureCertmanager=false \
--set global.certificates.customCAs[0].secret=gitlab-dev-ca \
--set global.ingress.tls.secretName=gitlab-tls \
--set global.appConfig.ldap.enabled=true \
--set global.appConfig.ldap.servers.main.ca_file=/etc/ssl/certs/ca-cert-dev-ca.pem \
--set global.appConfig.ldap.servers.main.label='DEV' \
--set global.appConfig.ldap.servers.main.host='mydc01.my.domain.dev' \
--set global.appConfig.ldap.servers.main.port='636' \
--set global.appConfig.ldap.servers.main.uid='sAMAccountName' \
--set global.appConfig.ldap.servers.main.encryption='simple_tls' \
--set global.appConfig.ldap.servers.main.bind_dn='CN=svc_gitlab,OU=Users,OU=Common,DC=my,DC=domain,DC=dev' \
--set global.appConfig.ldap.servers.main.password.secret=gitlab-ldap \
--set global.appConfig.ldap.servers.main.password.key=ldap-pw \
--set global.appConfig.ldap.servers.main.active_directory=true \
--set global.appConfig.ldap.servers.main.base='dc=my,dc=domain,dc=dev' \
--set postgresql.install=false \
--set global.psql.host=postgresql.default \
--set global.psql.username=gitlab \
--set global.psql.database=gitlab_db \
--set global.psql.password.useSecret=true \
--set global.psql.password.secret=gitlab-passwords \
--set global.psql.password.key=postgres-pw \
-f gitlab-pvc.yaml

The pods spin up and I can log into the gitlab-instance at https://gitlab.my.domain.dev just fine, but I can’t get LDAP login to work.

I then go to the gitlab-task-runner pod to run some tests:

git@gitlab-task-runner-546d866685-g4lk4:/$ gitlab-rake gitlab:env:info

System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.7.4p191
Gem Version:    3.2.19
Bundler Version:2.2.19
Rake Version:   13.0.6
Redis Version:  unknown
Git Version:    unknown
Sidekiq Version:6.2.2
Go Version:     unknown

GitLab information
Version:        14.4.2-ee
Revision:       84aa6daaffd
Directory:      /srv/gitlab
DB Adapter:     PostgreSQL
DB Version:     12.9
URL:            https://gitlab.my.domain.dev
HTTP Clone URL: https://gitlab.my.domain.dev/some-group/some-project.git
SSH Clone URL:  git@gitlab.my.domain.dev:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        13.21.1
Repository storage paths:
- default:      /var/opt/gitlab/repo
GitLab Shell path:              /home/git/gitlab-shell
Git:            /usr/bin/git
git@gitlab-task-runner-546d866685-g4lk4:/$ gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Failed. Check `bind_dn` and `password` configuration values
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished
git@gitlab-task-runner-546d866685-g4lk4:/etc/gitlab/ldap/main$ ls -la
total 4
drwxr-sr-x 2 git git 60 Nov 30 13:59 .
drwxr-sr-x 3 git git 60 Nov 30 13:59 ..
-r--r----- 1 git git 34 Nov 30 13:59 password

Checking the password in the file confirms that it is the correct one, and running ldapsearch against the domain from the host using the bind_dn works fine:

ldapsearch -LLL -H ldaps://mydc01.my.domain.dev:636 -b "DC=my,DC=domain,DC=dev" -D "CN=svc_gitlab,OU=Users,OU=Common,DC=my,DC=domain,DC=dev" -W

I’m quite new to both Kubernetes and Gitlab, so there is probably tons of stuff I have overlooked, but right now I’m a little stuck.

Any help or pointers would be appreciated.

Actually…

Changing the bind_dn to “svc_gitlab@my.domain.dev” might have done the trick… at least now the authentication seems to work.

git@gitlab-task-runner-5788467dcb-kt5tg:/$ gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

Still not able to use LDAP to login to the GUI though…

Could not authenticate you from Ldapmain because "Invalid credentials for username"

Still no luck here - have tried to set the “verify_certificate” parameter to “false”, yet that does not seem to be the issue.

Have tried setting “active_directory” to false and “uid” to uid instead of sAMAccountName - but it makes no difference.

Also tried setting a user_filter to (&(objectclass=user)(samaccountname=adm*)) but nothing shows up in the gitlab-rake gitlab:ldap:check except it says Success on the LDAP Auth…

Have set up ldap auth on a number of other apps that we have been testing on kubernetes, but this one is proving to be a bit more annoying than most. Just finished the same thing on AWX, Nextcloud and Gogs, and have had no problems with any of them authenticating against the same domain.
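The symptom in this thread (gitlab:ldap:check says Success, the GUI says "Invalid credentials for username") comes from the second step GitLab performs at sign-in: after binding as the service account it searches `base` for one entry whose `uid` attribute equals the typed name, optionally narrowed by `user_filter`, and only then binds as that entry. The offline model below is an added example, not code from the original post or from GitLab; it uses a few constructed AD-style entries and a minimal RFC 4515 filter evaluator to show how the `uid=uid`, `user_filter=(&(objectclass=user)(samaccountname=adm*))` and wrong-`base` settings each turn a working service bind into a failed user lookup.

```python
import re

# Constructed sample AD entries (not a real directory). Attribute names are
# case-insensitive in AD, and AD accounts carry sAMAccountName, not `uid`.
DIRECTORY = [
    {"dn": "CN=svc_gitlab,OU=Users,OU=Common,DC=my,DC=domain,DC=dev",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "svc_gitlab"},
    {"dn": "CN=adm_jane,OU=Users,OU=Common,DC=my,DC=domain,DC=dev",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "adm_jane"},
    {"dn": "CN=bob,OU=Users,OU=Common,DC=my,DC=domain,DC=dev",
     "objectClass": ["top", "person", "user"], "sAMAccountName": "bob"},
]

def _get(entry, attr):
    """Values of `attr` (name compared case-insensitively), always as a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []

def matches(entry, flt):
    """Evaluate a minimal RFC 4515 filter: &, |, !, equality and '*' wildcards."""
    body = flt.strip()[1:-1]                      # drop the outer parentheses
    op = body[0]
    if op in "&|!":
        parts, depth, start = [], 0, 1
        for i in range(1, len(body)):
            depth += {"(": 1, ")": -1}.get(body[i], 0)
            if depth == 0:                        # a complete sub-filter ended here
                parts.append(body[start:i + 1])
                start = i + 1
        results = [matches(entry, p) for p in parts]
        return all(results) if op == "&" else any(results) if op == "|" else not results[0]
    attr, _, pattern = body.partition("=")
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in _get(entry, attr))

def find_user(username, uid="sAMAccountName", base="dc=my,dc=domain,dc=dev", user_filter=None):
    """DN GitLab would bind as for the typed username, or None.
    None is what the GUI shows as "Invalid credentials for username"."""
    if re.search(r"[*()\\]", username):           # GitLab escapes these; here we just refuse them
        return None
    flt = f"({uid}={username})"
    if user_filter:                               # user_filter is AND-ed with the uid lookup
        flt = f"(&{flt}{user_filter})"
    hits = [e for e in DIRECTORY
            if e["dn"].lower().endswith(base.lower()) and matches(e, flt)]
    return hits[0]["dn"] if len(hits) == 1 else None
```

`find_user("bob")` resolves to bob's DN with the defaults, but `uid="uid"` finds nothing because AD entries have no such attribute, and the `adm*` user_filter admits adm_jane while silently excluding bob.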