LDAP Configuration Ldapmain because "Invalid credentials for ..."

I am trying to get my brand new install of Gitlab to integrate with Active Directory. I had this working but had to rebuild the box and didn’t grab the config off of it…

When I try to log in I get the Invalid credentials for … message.

I’ve tried start_tls and plain for the encryption and I get the same results. Here is the LDAP section of my gitlab.rb:

###! **remember to close this block with 'EOS' below**
 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: 'dc1-2008r2'
     port: 389
     uid: 'RODomain'
     bind_dn: 'CN=Read-Only Domain,OU=Service Accounts,DC=whidbeytel,DC=com'
     password: '***********'
     encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain"
     verify_certificates: true
     smartcard_auth: false
     active_directory: true
     allow_username_or_email_login: true
     lowercase_usernames: false
     block_auto_created_users: false
     base: 'OU=Employees,DC=whidbeytel,DC=com'
     user_filter: ''
     ## EE only
#     group_base: 'OU=Employees,DC=whidbeytel,DC=com'
#     admin_group: ''
#     sync_ssh_keys: false
 EOS

According to the LDAP Troubleshooting Guide - Query LDAP I can query my user with the following or all users by changing my name to ‘*’ in the gitlab-rails console:

adapter = Gitlab::Auth::Ldap::Adapter.new('ldapmain')
options = {
    # :base is required
    # use .base or .group_base
    base: adapter.config.base,

    # :filter is optional
    # 'cn' looks for all "cn"s under :base
    # '*' is the search string - here, it's a wildcard
    filter: Net::LDAP::Filter.eq('cn', 'Tony Annese'),

    # :attributes is optional
    # the attributes we want to get returned
    attributes: %w(dn cn memberuid member submember uniquemember memberof)
}
adapter.ldap_search(options) 

I get the following response:

[#<Net::LDAP::Entry:0x00007fcb767a3598 @myhash={:dn=>["CN=Tony Annese,OU=Employees,DC=whidbeytel,DC=com"], :cn=>["Tony Annese"],...}>]

Further down in the guide Query a user in LDAP it says I can also query a user in the gitlab-rails console like this:

adapter = Gitlab::Auth::Ldap::Adapter.new('ldapmain') # If `main` is the LDAP provider
Gitlab::Auth::Ldap::Person.find_by_uid('Tony Annese', adapter)

I get the following response no matter if I use ‘Tony Annese’, ‘tony.annese’, or ‘tony.annese@whidbey…’:

irb(main):041:0> Gitlab::Auth::Ldap::Person.find_by_uid('Tony Annese', adapter)
=> nil

According to the LDAP Rake tasks Check docs page, I can run a rake check to see if GitLab can communicate with my LDAP server, and when I run the check it doesn't return any users.

root@git1:~# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

I was also able to run ldapsearch from the command line of the box:

root@git1:~# ldapsearch -D "CN=Read-Only Domain,OU=Service Accounts,DC=whidbeytel,DC=com" -w *************** -p 389 -h dc1-2008r2 -b 'OU=Employees,DC=whidbeytel,DC=com'
# extended LDIF
#
# LDAPv3
# base <OU=Employees,DC=whidbeytel,DC=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Employees, whidbeytel.com
dn: OU=Employees,DC=whidbeytel,DC=com
objectClass: top
objectClass: organizationalUnit
cn: Employees
ou: Employees
distinguishedName: OU=Employees,DC=whidbeytel,DC=com
[..]
# Tony Annese, Employees, whidbeytel.com
dn: CN=Tony Annese,OU=Employees,DC=whidbeytel,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Tony Annese
[..]

How come the first Rails console query works, but the second one, the Rake task and logins all fail?

Hi @tannese,
you can check gitlab-rails/production.log to see what the error is when you try to log in.

Hi @tannese

without Certificates

You set

verify_certificates: true

See gitlab-rails/production.log, good idea.

Ok, I tried changing verify_certificates to false and got the same output; it looks the same in production.log…

With verify_certificates: true

Processing by MetricsController#index as HTML
Completed 200 OK in 6ms (Views: 0.4ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 898)
Started POST "/users/auth/ldapmain/callback" for 192.168.172.88 at 2021-04-01 12:05:43 -0700
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"tony.annese", "password"=>"[FILTERED]"}
Redirected to http://192.168.103.160/users/sign_in
Completed 302 Found in 47ms (ActiveRecord: 7.0ms | Elasticsearch: 0.0ms | Allocations: 8781)
Started GET "/users/sign_in" for 192.168.172.88 at 2021-04-01 12:05:49 -0700

With verify_certificates: false

Started GET "/-/metrics" for 127.0.0.1 at 2021-04-01 12:12:22 -0700
Processing by MetricsController#index as HTML
Completed 200 OK in 6ms (Views: 0.5ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 843)
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"tony.annese", "password"=>"[FILTERED]"}
Redirected to http://192.168.103.160/users/sign_in
Completed 302 Found in 38ms (ActiveRecord: 5.9ms | Elasticsearch: 0.0ms | Allocations: 7943)
Started GET "/users/sign_in" for 192.168.172.88 at 2021-04-01 12:12:23 -0700

@l-la0c @balonik production.log snippet above…

Ok, I worked with my AD admin and some tcpdumps and got it worked out… My issue was the UID. I was setting it to an account name and not the attribute name for Account Name… I also updated the group_base and went back to plain encryption. Here is my corrected LDAP config:

###! **remember to close this block with 'EOS' below**
 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: 'dc1-2008r2'
     port: 389
     uid: 'sAMAccountName'
     bind_dn: 'CN=Read-Only Domain,OU=Service Accounts,DC=whidbeytel,DC=com'
     password: '***********'
     encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain"
     verify_certificates: true
     smartcard_auth: false
     active_directory: true
     allow_username_or_email_login: true
     lowercase_usernames: false
     block_auto_created_users: false
     base: 'OU=Employees,DC=whidbeytel,DC=com'
     user_filter: ''
     ## EE only
     group_base: 'CN=Domain Users,OU=Groups,DC=whidbeytel,DC=com'
#     admin_group: ''
#     sync_ssh_keys: false
 EOS
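The nil from Person.find_by_uid earlier in the thread and the uid fix in the last post come down to the same thing: the value of uid is used as an attribute name in the per-login search filter, so putting an account name there produces a filter for an attribute no entry has. The following is an added example, not GitLab's own code, that models that lookup in plain Ruby so it runs without a directory. login_filter, entry_matches?, find_by_uid and the config hashes are hypothetical names; the filter construction is a simplified stand-in for what GitLab's LDAP adapter does; SAMPLE_DIRECTORY is constructed from the entries visible in the ldapsearch output above, with sAMAccountName, mail and memberOf values added as assumptions.

```ruby
# Added example, not GitLab's code: how the `uid` setting turns a login into an
# LDAP search filter, why an account *name* there finds nothing while an
# attribute *name* (sAMAccountName) works, and how the login is escaped first.

# RFC 4515 escaping for a value placed inside a filter, so a login such as
# "*" or "a)(cn=*" cannot change the structure of the filter.
def ldap_filter_escape(value)
  value.to_s.gsub(/[\\*()\0]/) { |c| format('\\%02x', c.ord) }
end

# Reverse of the above; the toy evaluator compares literal values.
def ldap_filter_unescape(value)
  value.gsub(/\\([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# The lookup filter: (uid_attr=login), ANDed with user_filter when one is set.
# Simplified model of a GitLab-style lookup, not the adapter's actual code.
def login_filter(config, login)
  base = "(#{config[:uid]}=#{ldap_filter_escape(login)})"
  extra = config[:user_filter].to_s.strip
  extra.empty? ? base : "(&#{base}#{extra})"
end

# Evaluate an equality filter, or an AND of equality filters, against one
# entry. LDAP attribute names are case-insensitive, so compare them downcased;
# AD treats sAMAccountName values case-insensitively too, hence casecmp?.
def entry_matches?(entry, filter)
  if filter.start_with?('(&')
    return filter[2..-2].scan(/\([^()]*\)/).all? { |sub| entry_matches?(entry, sub) }
  end
  m = filter.match(/\A\(([A-Za-z][\w-]*)=([^()]*)\)\z/)
  raise ArgumentError, "unsupported filter: #{filter}" unless m
  attr, wanted = m[1].downcase, ldap_filter_unescape(m[2])
  values = entry.find { |k, _| k.downcase == attr }&.last || []
  values.any? { |v| v.casecmp?(wanted) }
end

# Constructed sample directory (attribute => values) based on the ldapsearch
# output in the thread; sAMAccountName, mail and memberOf are assumed values.
SAMPLE_DIRECTORY = [
  { 'dn' => ['CN=Tony Annese,OU=Employees,DC=whidbeytel,DC=com'],
    'cn' => ['Tony Annese'],
    'sAMAccountName' => ['tony.annese'],
    'mail' => ['tony.annese@whidbeytel.com'],
    'memberOf' => ['CN=Domain Users,OU=Groups,DC=whidbeytel,DC=com'] },
  { 'dn' => ['CN=Read-Only Domain,OU=Service Accounts,DC=whidbeytel,DC=com'],
    'cn' => ['Read-Only Domain'],
    'sAMAccountName' => ['RODomain'] },
]

# Return the DN of the single entry matching `login` under `config`, else nil.
def find_by_uid(config, directory, login)
  filter = login_filter(config, login)
  hits = directory.select { |e| entry_matches?(e, filter) }
  hits.size == 1 ? hits.first['dn'].first : nil
end

WRONG_CONFIG = { uid: 'RODomain',       user_filter: '' }  # the bind account's *name*
RIGHT_CONFIG = { uid: 'sAMAccountName', user_filter: '' }  # the attribute name
GROUP_CONFIG = { uid: 'sAMAccountName',
                 user_filter: '(memberOf=CN=Domain Users,OU=Groups,DC=whidbeytel,DC=com)' }

if __FILE__ == $PROGRAM_NAME
  puts login_filter(WRONG_CONFIG, 'tony.annese')            # (RODomain=tony.annese)
  p    find_by_uid(WRONG_CONFIG, SAMPLE_DIRECTORY, 'tony.annese')  # nil, as in the console
  puts login_filter(RIGHT_CONFIG, 'tony.annese')            # (sAMAccountName=tony.annese)
  p    find_by_uid(RIGHT_CONFIG, SAMPLE_DIRECTORY, 'tony.annese')
  p    find_by_uid(GROUP_CONFIG, SAMPLE_DIRECTORY, 'RODomain')     # nil: not in the group
  p    find_by_uid(RIGHT_CONFIG, SAMPLE_DIRECTORY, '*')            # nil: sent as \2a
end
```

The bind with bind_dn never touches uid, only the per-login search does, which is consistent with gitlab:ldap:check reporting "LDAP authentication... Success" while listing no users. The escaping step is the other part worth keeping: a login of * goes out as \2a and matches nothing, instead of turning the lookup into a wildcard search.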