We have a self-managed GitLab based on Omnibus.
The LDAP connection is set up.
gitlab-rake gitlab:ldap:check
returns entries from the LDAP server.
Also, in the Rails console,
Gitlab::Auth::Ldap::Person::find_by_uid('custom_uid', adapter)
returns the data of the person.
But the website shows the common “invalid credentials for custom_uid” message.
gitlab-rake gitlab:env:info
System information
System: Debian 12
Current User: git
Using RVM: no
Ruby Version: 3.1.5p253
Gem Version: 3.5.11
Bundler Version:2.5.11
Rake Version: 13.0.6
Redis Version: 7.0.15
Sidekiq Version:7.1.6
Go Version: unknown
GitLab information
Version: 17.3.1
Revision: 20a3292b4e6
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.11
URL: <hidden>
HTTP Clone URL: <hidden>
SSH Clone URL: <hidden>
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers:
GitLab Shell
Version: 14.38.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 17.3.1
- default Git Version: 2.45.2
Trying with the corresponding mail address did not help.
GitLab is the free version.
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
  'main' => {
    'label' => 'LDAP',
    'host' => '<hidden>',
    'port' => 389,
    'uid' => 'uid',
    'bind_dn' => 'cn=<hidden>,dc=<hidden>,dc=<hidden>,dc=<hidden>,dc=<hidden>',
    'password' => '<hidden>',
    'encryption' => 'plain',
    'verify_certificates' => false,
    'timeout' => 10,
    'active_directory' => true,
    'base' => 'ou=<hidden>,dc=<hidden>,dc=<hidden>,dc=<hidden>,dc=<hidden>',
    'lowercase_usernames' => 'false',
    'retry_empty_result_with_codes' => [80],
    'allow_username_or_email_login' => true,
    'block_auto_created_users' => false
  }
}
With Wireshark I confirmed that the request reaches the LDAP server and the response is received on the server where GitLab runs.
ldapsearch with the settings above also returns a correct result.
/var/log/gitlab/gitlab-rails/application_json.log
{"severity":"DEBUG","time":"2024-08-28T06:21:54.367Z","correlation_id":"01J6BTBP900QRE8DHJFXSP16Z3","message":"(<hidden>) Callback phase initiated."}
{"severity":"ERROR","time":"2024-08-28T06:21:54.408Z","correlation_id":"01J6BTBP900QRE8DHJFXSP16Z3","message":"(<hidden>) Authentication failure! invalid_credentials: OmniAuth::Strategies::LDAP::InvalidCredentialsError, Invalid credentials for <hidden>"}
{"severity":"INFO","time":"
After gitlab-rake gitlab::ldap::check, for every person in LDAP there is:
...
{"severity":"DEBUG","time":"2024-08-28T06:29:53.231Z","message":"Instantiating Gitlab::Auth::Ldap::Person with LDIF:<hidden>
...
The instance ran overnight. If I log in via the standard login and look at the admin view, no users from LDAP are visible.
Any tips on how to proceed with debugging this?