Gitlab:ldap:check keeps returning an empty result

Hi! I’m having some real difficulties configuring /etc/gitlab/gitlab.rb.
Running GitLab CE 8.7.0 on CentOS 7
I first joined this server to my AD and can connect:

[root@git01 ~]# smbclient //auth.chrjsn.se/netlogon -UAdministrator -c 'ls'
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter Administrator's password:
Domain=[AUTH] OS=[Windows 6.1] Server=[Samba 4.2.10-Debian]
. D 0 Sun Apr 24 19:01:41 2016
.. D 0 Sun Apr 24 19:01:47 2016

            9717280 blocks of size 1024. 7864136 blocks available

[root@git01 ~]#

Having tried multiple settings, I keep ending up with the same result:

Could not authenticate you from Ldapmain because "Invalid credentials".

[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain

gitlab-ctl reconfigure compiles fine with both individual settings.

If I change host or port, I get this result, so it’s obviously connecting?:

[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Deprecation warning: Net::LDAP::ConnectionRefused will be deprecated. Use Errno::ECONNREFUSED instead.
Deprecation warning: Net::LDAP::ConnectionRefused will be deprecated. Use Errno::ECONNREFUSED instead.
rake aborted![…]

production.log returns:

LDAP search error: Operations Error
** [Raven] Raven 0.15.6 configured not to send errors.
LDAP search error: Operations Error

These are the settings:

 gitlab_rails['ldap_enabled'] = true
 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'chrjsn.se' # Label shown on the login page
     host: 'auth.chrjsn.se' # AD server
     port: 389
     uid: 'sAMAccountName'
     method: 'plain' # "tls" or "ssl" or "plain"
     bind_dn: 'cn=Administrator,ou=Users,dc=auth,dc=chrjsn,dc=se' # AD user that has query access
     password: 'myPassword' # Password of said user
     active_directory: true
     allow_username_or_email_login: false
     base: 'CN=Users,DC=auth,DC=foretag,DC=se'
     user_filter: '' # Leave blank if not used
 EOS

[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain

Checking LDAP ... Finished

gitlab-ctl restart

[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain

Checking LDAP ... Finished

These settings:

 gitlab_rails['ldap_enabled'] = true
 gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
 main: # 'main' is the GitLab 'provider ID' of this LDAP server
   ## label
   #
   # A human-friendly name for your LDAP server. It is OK to change the label later,
   # for instance if you find out it is too large to fit on the web page.
   #
   # Example: 'Paris' or 'Acme, Ltd.'
   label: 'LDAP'
   host: 'auth.chrjsn.se'
   port: 389
   uid: 'sAMAccountName'
   method: 'plain' # "tls" or "ssl" or "plain"
   bind_dn: 'cn=Administrator,ou=Users,dc=auth,dc=chrjsn,dc=se'
   password: 'myPassword'

   # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
   # a request if the LDAP server becomes unresponsive.
   # A value of 0 means there is no timeout.
   timeout: 10

   # This setting specifies if LDAP server is Active Directory LDAP server.
   # For non AD servers it skips the AD specific queries.
   # If your LDAP server is not AD, set this to false.
   active_directory: true

   # If allow_username_or_email_login is enabled, GitLab will ignore everything
   # after the first '@' in the LDAP username submitted by the user on login.
   #
   # Example:
   # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
   # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
   #
   # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
   # disable this setting, because the userPrincipalName contains an '@'.
   allow_username_or_email_login: false

   # To maintain tight control over the number of active users on your GitLab installation,
   # enable this setting to keep new users blocked until they have been cleared by the admin
   # (default: false).
   block_auto_created_users: false

   # Base where we can search for users
   #
   #   Ex. ou=People,dc=gitlab,dc=example
   #
   base: 'ou=Users,dc=auth,dc=chrjsn,dc=se'

   # Filter LDAP users
   #
   #   Format: RFC 4515 https://tools.ietf.org/search/rfc4515
   #   Ex. (employeeType=developer)
   #
   #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
   #
   user_filter: ''

   # LDAP attributes that GitLab will use to create an account for the LDAP user.
   # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
   # or an array of attribute names to try in order (e.g. ['mail', 'email']).
   # Note that the user's LDAP login will always be the attribute specified as `uid` above.
   attributes:
     # The username will be used in paths for the user's own projects
     # (like `gitlab.example.com/username/project`) and when mentioning
     # them in issues, merge request and comments (like `@username`).
     # If the attribute specified for `username` contains an email address,
     # the GitLab username will be the part of the email address before the '@'.
     username: ['uid', 'userid', 'sAMAccountName']
     email:    ['mail', 'email', 'userPrincipalName']

     # If no full name could be found at the attribute specified for `name`,
     # the full name is determined using the attributes specified for
     # `first_name` and `last_name`.
     name:       'cn'
     first_name: 'givenName'
     last_name:  'sn'

     ## EE only

     # Base where we can search for groups
     #
     #   Ex. ou=groups,dc=gitlab,dc=example
     #
     group_base: ''

     # The CN of a group containing GitLab administrators
     #
     #   Ex. administrators
     #
     #   Note: Not `cn=administrators` or the full DN
     #
     admin_group: ''

     # The LDAP attribute containing a user's public SSH key
     #
     #   Ex. ssh_public_key
     #
     sync_ssh_keys: false
 EOS

[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain

Checking LDAP ... Finished

gitlab-ctl restart

[root@git01 ~]# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain

Checking LDAP ... Finished

Please tell me if there is any other info you might need!
Thanks!

Since I have set up UNIX Attributes for my domain and users, I tried changing uid: 'sAMAccountName' to uid: 'uid', which seems to solve other people's problems, but not mine unfortunately.

I really have no idea how to get this working.

I think you typo’d the DN of your OU. Should that be:
OU=Users,DC=auth,DC=foretag,DC=se
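The DN mismatch pointed out above (base under dc=foretag while bind_dn is under dc=chrjsn) is the kind of slip a small pre-flight check catches before running gitlab:ldap:check. This is an added example, not GitLab's own code: it parses both DNs, compares their dc= suffixes, and also flags method: 'plain', which sends the bind password and every user's password as a cleartext simple bind. The dictionary is constructed from the first settings block in the thread, with the password replaced by a placeholder.

```python
"""Pre-flight sanity check for one GitLab ldap_servers entry (added example)."""
import re

# Constructed from the first gitlab.rb block quoted in the thread; password is a placeholder.
LDAP_MAIN = {
    "host": "auth.chrjsn.se",
    "port": 389,
    "uid": "sAMAccountName",
    "method": "plain",
    "bind_dn": "cn=Administrator,ou=Users,dc=auth,dc=chrjsn,dc=se",
    "password": "<placeholder>",
    "active_directory": True,
    "base": "CN=Users,DC=auth,DC=foretag,DC=se",
}


def parse_dn(dn):
    """Split an RFC 4514 DN into (type, value) pairs without splitting on '\\,' escapes.
    Attribute types are case-insensitive, and AD compares cn/ou/dc values
    case-insensitively too, so both sides are lowercased for comparison."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def domain_of(dn):
    """Return the dc= suffix of a DN as a tuple, e.g. ('auth', 'chrjsn', 'se')."""
    return tuple(v for t, v in parse_dn(dn) if t == "dc")


def audit_ldap_server(cfg):
    """Return a list of findings; an empty list means no obvious misconfiguration."""
    findings = []
    bind_dom, base_dom = domain_of(cfg["bind_dn"]), domain_of(cfg["base"])
    if bind_dom != base_dom:
        findings.append(f"base domain {base_dom} differs from bind_dn domain {bind_dom}")
    method, port = cfg["method"], int(cfg["port"])
    if method == "plain":
        findings.append("method 'plain': simple bind sends the bind password and user passwords in cleartext")
    if (method == "ssl" and port == 389) or (method in ("plain", "tls") and port == 636):
        findings.append(f"method '{method}' is unusual on port {port} (LDAPS is normally 636, LDAP/STARTTLS 389)")
    return findings


if __name__ == "__main__":
    for finding in audit_ldap_server(LDAP_MAIN):
        print("WARNING:", finding)
```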

Thanks for the reply!

I also noticed that foretag should be chrjsn, so I changed that too.
But I still get the same empty output and error in production.log

LDAP search error: Operations Error

The same thing happened to me too until I changed the method from ‘plain’ to ‘ssl’ and probably changed the port.

Good luck!

Hi @denriktiga!

Can you share with me the output of the following command:

**ldapsearch -LLL -x -b "dc=ldap,dc=com"**

Replace 'ldap' and 'com' with your domain name and run it on your LDAP server. It should give the list of users on your LDAP server, which might help in debugging the problem.