I am trying to get my brand new install of Gitlab to integrate with Active Directory. I had this working but had to rebuild the box and didn’t grab the config off of it…
When I try to log in I get the Invalid credentials for … message.
I’ve tried start_tls and plain for the encryption and I get the same results. Here is the LDAP section of my gitlab.rb:
###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'dc1-2008r2'
    port: 389
    uid: 'RODomain'
    bind_dn: 'CN=Read-Only Domain,OU=Service Accounts,DC=whidbeytel,DC=com'
    password: '***********'
    encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain"
    verify_certificates: true
    smartcard_auth: false
    active_directory: true
    allow_username_or_email_login: true
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'OU=Employees,DC=whidbeytel,DC=com'
    user_filter: ''
    ## EE only
    # group_base: 'OU=Employees,DC=whidbeytel,DC=com'
    # admin_group: ''
    # sync_ssh_keys: false
EOS
According to the LDAP Troubleshooting Guide - Query LDAP I can query my user with the following or all users by changing my name to ‘*’ in the gitlab-rails console:
adapter = Gitlab::Auth::Ldap::Adapter.new('ldapmain')
options = {
  # :base is required
  # use .base or .group_base
  base: adapter.config.base,
  # :filter is optional
  # 'cn' looks for all "cn"s under :base
  # '*' is the search string - here, it's a wildcard
  filter: Net::LDAP::Filter.eq('cn', 'Tony Annese'),
  # :attributes is optional
  # the attributes we want to get returned
  attributes: %w(dn cn memberuid member submember uniquemember memberof)
}
adapter.ldap_search(options)
I get the following response:
[#<Net::LDAP::Entry:0x00007fcb767a3598 @myhash={:dn=>["CN=Tony Annese,OU=Employees,DC=whidbeytel,DC=com"], :cn=>["Tony Annese"],...}>]
Further down in the guide Query a user in LDAP it says I can also query a user in the gitlab-rails console like this:
adapter = Gitlab::Auth::Ldap::Adapter.new('ldapmain') # If `main` is the LDAP provider
Gitlab::Auth::Ldap::Person.find_by_uid('Tony Annese', adapter)
I get the following response whether I use ‘Tony Annese’, ‘tony.annese’, or ‘tony.annese@whidbey…’:
irb(main):041:0> Gitlab::Auth::Ldap::Person.find_by_uid('Tony Annese', adapter)
=> nil
The LDAP Rake tasks Check docs page says I can run a rake check to see whether GitLab can communicate with my LDAP server, but when I run the check it doesn’t return any users.
root@git1:~# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished
I was also able to run ldapsearch from the command line of the box:
root@git1:~# ldapsearch -D "CN=Read-Only Domain,OU=Service Accounts,DC=whidbeytel,DC=com" -w *************** -p 389 -h dc1-2008r2 -b 'OU=Employees,DC=whidbeytel,DC=com'
# extended LDIF
#
# LDAPv3
# base <OU=Employees,DC=whidbeytel,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Employees, whidbeytel.com
dn: OU=Employees,DC=whidbeytel,DC=com
objectClass: top
objectClass: organizationalUnit
cn: Employees
ou: Employees
distinguishedName: OU=Employees,DC=whidbeytel,DC=com
[..]
# Tony Annese, Employees, whidbeytel.com
dn: CN=Tony Annese,OU=Employees,DC=whidbeytel,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tony Annese
[..]
How come the first Rails console query works, but the second one, the Rake task and logins all fail?
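To see why a `cn` search can succeed while `find_by_uid` and the Rake check return nothing, here is an added offline model (not GitLab's own code, and not from the post) of the lookup GitLab performs for a login: an equality filter on the attribute named by `uid:`, evaluated under `base:`. It assumes the documented behaviour of `allow_username_or_email_login` (everything after the first `@` is dropped) and uses constructed directory entries shaped like the `ldapsearch` output above; the `sAMAccountName` and `userPrincipalName` values are illustrative, not taken from the post.

```ruby
require 'yaml'

# Constructed copy of the posted server block (password omitted), parsed the
# way gitlab.rb does: a YAML document keyed by provider ID.
LDAP_SERVERS = YAML.safe_load(<<~'EOS')
  main:
    host: 'dc1-2008r2'
    port: 389
    uid: 'RODomain'
    base: 'OU=Employees,DC=whidbeytel,DC=com'
    allow_username_or_email_login: true
EOS

# Constructed entries shaped like the ldapsearch output in the post.
# Attribute names are downcased because LDAP attribute names are case-insensitive.
ENTRIES = [
  { 'dn' => 'CN=Tony Annese,OU=Employees,DC=whidbeytel,DC=com',
    'cn' => 'Tony Annese', 'samaccountname' => 'tony.annese',
    'userprincipalname' => 'tony.annese@whidbeytel.com' },
  { 'dn' => 'CN=Read-Only Domain,OU=Service Accounts,DC=whidbeytel,DC=com',
    'cn' => 'Read-Only Domain', 'samaccountname' => 'rodomain' }
]

# allow_username_or_email_login is documented to ignore everything after the
# first '@' in the submitted login.
def normalize_login(config, login)
  config['allow_username_or_email_login'] ? login.split('@', 2).first : login
end

# Model of the lookup: (<uid attribute>=<login>) under base:. Returns the first
# matching entry or nil, like Person.find_by_uid. Assumption: this mirrors the
# documented behaviour; it is not GitLab's implementation.
def find_by_uid(config, entries, login)
  attr  = config['uid'].downcase
  value = normalize_login(config, login).downcase
  entries.find do |e|
    e['dn'].end_with?(config['base']) && e.key?(attr) && e[attr].downcase == value
  end
end

# Diagnostic helper: which attributes (across all entries) carry this value,
# i.e. what uid: would have to name for this login to resolve.
def attributes_carrying(entries, value)
  entries.flat_map do |e|
    e.reject { |k, _| k == 'dn' }.select { |_, v| v.casecmp?(value) }.keys
  end.uniq
end
```

With the posted `uid: 'RODomain'` no entry carries that attribute, so every login form resolves to `nil`; `attributes_carrying` shows which attribute the submitted login actually lives in.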