Hi! I'm having some real difficulties configuring /etc/gitlab/gitlab.rb.
Running GitLab CE 8.7.0 on CentOS 7
I first joined this server to my AD and can connect:
[root@git01 ~]# smbclient //auth.chrjsn.se/netlogon -UAdministrator -c 'ls'
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter Administrator's password:
Domain=[AUTH] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
  .     D        0  Sun Apr 24 19:01:41 2016
  ..    D        0  Sun Apr 24 19:01:47 2016
    9717280 blocks of size 1024. 7864136 blocks available
[root@git01 ~]#
Having tried multiple settings, I keep ending up with the same result:
Could not authenticate you from Ldapmain because "Invalid credentials".
[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
gitlab-ctl reconfigure compiles fine with both individual settings.
If I change host or port, I get this result, so it's obviously connecting?:
[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Deprecation warning: Net::LDAP::ConnectionRefused will be deprecated. Use Errno::ECONNREFUSED instead.
Deprecation warning: Net::LDAP::ConnectionRefused will be deprecated. Use Errno::ECONNREFUSED instead.
rake aborted![…]
production.log returns:
LDAP search error: Operations Error
** [Raven] Raven 0.15.6 configured not to send errors.
LDAP search error: Operations Error
These are the settings:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'chrjsn.se' # Label shown on the login page
  host: 'auth.chrjsn.se' # AD server
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: 'cn=Administrator,ou=Users,dc=auth,dc=chrjsn,dc=se' # AD user that has query access
  password: 'myPassword' # Password of said user
  active_directory: true
  allow_username_or_email_login: false
  base: 'CN=Users,DC=auth,DC=foretag,DC=se'
  user_filter: '' # Leave blank if not used
EOS
[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Checking LDAP ... Finished
gitlab-ctl restart
[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Checking LDAP ... Finished
These settings:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  ## label
  #
  # A human-friendly name for your LDAP server. It is OK to change the label later,
  # for instance if you find out it is too large to fit on the web page.
  #
  # Example: 'Paris' or 'Acme, Ltd.'
  label: 'LDAP'
  host: 'auth.chrjsn.se'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: 'cn=Administrator,ou=Users,dc=auth,dc=chrjsn,dc=se'
  password: 'myPassword'
  # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
  # a request if the LDAP server becomes unresponsive.
  # A value of 0 means there is no timeout.
  timeout: 10
  # This setting specifies if LDAP server is Active Directory LDAP server.
  # For non AD servers it skips the AD specific queries.
  # If your LDAP server is not AD, set this to false.
  active_directory: true
  # If allow_username_or_email_login is enabled, GitLab will ignore everything
  # after the first '@' in the LDAP username submitted by the user on login.
  #
  # Example:
  # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
  # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
  #
  # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
  # disable this setting, because the userPrincipalName contains an '@'.
  allow_username_or_email_login: false
  # To maintain tight control over the number of active users on your GitLab installation,
  # enable this setting to keep new users blocked until they have been cleared by the admin
  # (default: false).
  block_auto_created_users: false
  # Base where we can search for users
  #
  # Ex. ou=People,dc=gitlab,dc=example
  #
  base: 'ou=Users,dc=auth,dc=chrjsn,dc=se'
  # Filter LDAP users
  #
  # Format: RFC 4515 https://tools.ietf.org/search/rfc4515
  # Ex. (employeeType=developer)
  #
  # Note: GitLab does not support omniauth-ldap's custom filter syntax.
  #
  user_filter: ''
  # LDAP attributes that GitLab will use to create an account for the LDAP user.
  # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
  # or an array of attribute names to try in order (e.g. ['mail', 'email']).
  # Note that the user's LDAP login will always be the attribute specified as `uid` above.
  attributes:
    # The username will be used in paths for the user's own projects
    # (like `gitlab.example.com/username/project`) and when mentioning
    # them in issues, merge request and comments (like `@username`).
    # If the attribute specified for `username` contains an email address,
    # the GitLab username will be the part of the email address before the '@'.
    username: ['uid', 'userid', 'sAMAccountName']
    email: ['mail', 'email', 'userPrincipalName']
    # If no full name could be found at the attribute specified for `name`,
    # the full name is determined using the attributes specified for
    # `first_name` and `last_name`.
    name: 'cn'
    first_name: 'givenName'
    last_name: 'sn'
  ## EE only
  # Base where we can search for groups
  #
  # Ex. ou=groups,dc=gitlab,dc=example
  #
  group_base: ''
  # The CN of a group containing GitLab administrators
  #
  # Ex. administrators
  #
  # Note: Not `cn=administrators` or the full DN
  #
  admin_group: ''
  # The LDAP attribute containing a user's public SSH key
  #
  # Ex. ssh_public_key
  #
  sync_ssh_keys: false
EOS
[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Checking LDAP ... Finished
gitlab-ctl restart
[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Checking LDAP ... Finished
Please tell me if there is any other info you might need!
Thanks!
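An offline sanity check for a gitlab_rails['ldap_servers'] entry, written here as an added example; it is not code from the post above or from GitLab. It loads a copy of the first YAML block posted above, compares the dc= components of bind_dn and base (in that block they belong to different domains), flags method: 'plain', notes that the default Active Directory container for built-in accounts is CN=Users rather than an OU, and prints the OpenLDAP ldapsearch invocation that reproduces the same simple bind and user lookup outside GitLab. The copied YAML, the placeholder username 'jdoe', and the three heuristic checks are assumptions of the example; the DN parser assumes no escaped commas and the command builder assumes no single quotes in DNs.

```ruby
require 'yaml'

# Constructed copy of the first LDAP block posted above (the YAML heredoc that
# gitlab_rails['ldap_servers'] is loaded from); not read from a live gitlab.rb.
LDAP_SERVERS_YAML = <<~'EOS'
  main:
    label: 'chrjsn.se'
    host: 'auth.chrjsn.se'
    port: 389
    uid: 'sAMAccountName'
    method: 'plain'
    bind_dn: 'cn=Administrator,ou=Users,dc=auth,dc=chrjsn,dc=se'
    password: 'myPassword'
    active_directory: true
    allow_username_or_email_login: false
    base: 'CN=Users,DC=auth,DC=foretag,DC=se'
    user_filter: ''
EOS

# Split a DN into [attribute, value] pairs. Attribute names are lower-cased so
# 'DC=' and 'dc=' compare equal. Assumes no escaped commas inside values.
def parse_dn(dn)
  dn.split(',').map do |rdn|
    attr, value = rdn.strip.split('=', 2)
    [attr.to_s.downcase, value.to_s]
  end
end

# Join the dc= components of a DN into a DNS-style domain name.
def domain_of(dn)
  parse_dn(dn).select { |attr, _| attr == 'dc' }.map { |_, v| v }.join('.')
end

# Return a list of findings for one server entry of gitlab_rails['ldap_servers'].
def check_ldap_server(cfg)
  findings = []
  bind_dn = cfg['bind_dn'].to_s
  base    = cfg['base'].to_s

  bind_domain = domain_of(bind_dn)
  base_domain = domain_of(base)
  if bind_domain.downcase != base_domain.downcase
    findings << "bind_dn is under domain '#{bind_domain}' but base is under " \
                "'#{base_domain}'; a search base outside the bind account's " \
                "domain will not find its users"
  end

  if cfg['method'].to_s == 'plain'
    findings << "method 'plain' sends the bind password and every user's login " \
                "password in cleartext; use 'tls' (STARTTLS on 389) or 'ssl' (636)"
  end

  # Heuristic: in Active Directory (and Samba AD) the default container for
  # built-in accounts such as Administrator is CN=Users, a container, not an OU.
  if cfg['active_directory'] && parse_dn(bind_dn).any? { |a, v| a == 'ou' && v.casecmp?('users') }
    findings << "bind_dn uses ou=Users; the default AD container is CN=Users, " \
                "so confirm the account's real DN with ldapsearch before relying on it"
  end

  findings
end

# Build the OpenLDAP ldapsearch command that performs the same simple bind (-x)
# and user lookup GitLab would; -W prompts for the bind password instead of
# putting it on the command line, -ZZ requires STARTTLS when method is 'tls'.
def ldapsearch_command(cfg, username)
  method   = cfg['method'].to_s
  scheme   = method == 'ssl' ? 'ldaps' : 'ldap'
  starttls = method == 'tls' ? ' -ZZ' : ''
  "ldapsearch -H #{scheme}://#{cfg['host']}:#{cfg['port']}#{starttls} -x " \
  "-D '#{cfg['bind_dn']}' -W -b '#{cfg['base']}' '(#{cfg['uid']}=#{username})'"
end

if $PROGRAM_NAME == __FILE__
  cfg = YAML.safe_load(LDAP_SERVERS_YAML)['main']
  check_ldap_server(cfg).each { |f| puts "FINDING: #{f}" }
  # 'jdoe' is a placeholder username for the example
  puts "Reproduce the bind outside GitLab with:\n  #{ldapsearch_command(cfg, 'jdoe')}"
end
```

Running the printed ldapsearch command on the GitLab host separates the two failure modes the post mixes together: a bind failure (wrong bind_dn or password) shows up as an error from the bind step before any search, while a wrong base shows up as a successful bind with no entries or a "No such object" result.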