GitLab update to version 10.4.3 broke LDAP login


I was running gitlab-ce 10.3.7 with LDAP config and it was working very well. Once I upgraded to the latest 10.4.3,
LDAP broke with the same settings.

In gitlab-ce 10.3.7, when running the command gitlab-rake gitlab:ldap:check, the command sent back 100 users from LDAP.

Now on GitLab 10.4.3, the same command shows an empty list. Did something change in gitlab.rb?


We are using LDAP as well, but have had no issues moving to 10.4.3


When you run the command gitlab-rake gitlab:ldap:check[10],
does it return the list of 10 users?

In my case I got no users:
Checking LDAP …

Server: ldapmain
not verifying SSL hostname of LDAPS server ‘xxxxxxx:10636’
LDAP authentication… Success
LDAP users with access to your GitLab server (only showing the first 10 results)

Checking LDAP … Finished

If I compare to the old version 9, I was getting the list of users LDAP found.

Once I log in to the GitLab web UI, I get a blocked user. This is because LDAP doesn’t get the username/password and blocks the user; it thinks the user doesn’t exist anymore.

Yes, I get a list of 10 users.

Are you using OpenLDAP?

Here is my config:

  gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
    main: # 'main' is the GitLab 'provider ID' of this LDAP server
      label: 'LDAP'
      host: 'xxxxx'
      port: xxxxx
      uid: 'uid'
      bind_dn: 'cn=Directory Manager'
      password: 'xxxxxx'
      encryption: 'simple_tls' # "start_tls" or "simple_tls" or "plain"
      verify_certificates: false
      active_directory: false
      allow_username_or_email_login: true
      block_auto_created_users: false
      base: 'OU=xxxx,DC=xxxx,DC=xxxx,DC=xxxx'
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      first_name: 'givenName'
      last_name: 'sn'
  EOS


Also, the ldapsearch command works with the parameters set up in gitlab.rb.


apocasan, did you figure this out? It looks like I have a similar issue to yours; however, I’m running 10.5.6.

I also don’t see the users list when it runs the check. And my ldapsearch works, and packet capture shows that gitlab is successfully running ldap queries too.

I’m running OpenDJ for my ldap server, maybe something about the response is making it sad.

oh, I think I just figured it out.

I think the optional attributes are the problem:

  username: ['uid', 'userid', 'sAMAccountName']
  email: ['mail', 'email', 'userPrincipalName']

Try changing it to:

  username: 'uid'
  email: 'mail'

Maybe all those attributes have to exist for it not to fail?

I can log in now.

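A small linter for the settings discussed in this thread, as an added example that is not part of any post and is not GitLab's own code: it reads an ldap_servers YAML block and reports attribute mappings that list several candidate names (the setting the last poster changed) and disabled certificate verification on an encrypted connection (as in the posted config). The sample config, the host name and the lint_ldap_servers helper are constructed for illustration; the nested attributes key is assumed from GitLab's gitlab.rb template.

```ruby
require 'yaml'

# Constructed sample in the shape of the ldap_servers block posted in the thread.
SAMPLE = <<~'EOS'
  main:
    label: 'LDAP'
    host: 'ldap.example.test'
    port: 10636
    uid: 'uid'
    encryption: 'simple_tls'
    verify_certificates: false
    username: ['uid', 'userid', 'sAMAccountName']
    email: ['mail', 'email', 'userPrincipalName']
    first_name: 'givenName'
    last_name: 'sn'
EOS

MAPPING_KEYS = %w[username email name first_name last_name].freeze

# Returns an array of finding strings covering every server in the YAML text.
def lint_ldap_servers(yaml_text)
  servers = YAML.safe_load(yaml_text) || {}
  servers.flat_map do |id, cfg|
    findings = []
    # Mappings may sit at server level (as posted in the thread) or under
    # an 'attributes' key (assumed layout from GitLab's gitlab.rb template).
    mappings = cfg.merge(cfg['attributes'] || {})
    MAPPING_KEYS.each do |key|
      value = mappings[key]
      next unless value.is_a?(Array) && value.size > 1
      findings << "#{id}: #{key} lists #{value.size} candidate attributes " \
                  "(#{value.join(', ')}); thread workaround is a single name"
    end
    if cfg['encryption'] != 'plain' && cfg['verify_certificates'] == false
      findings << "#{id}: verify_certificates is false with #{cfg['encryption']}; " \
                  'the LDAP server certificate is not checked'
    end
    findings
  end
end

puts lint_ldap_servers(SAMPLE) if $PROGRAM_NAME == __FILE__
```
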