LDAP integration does not allow authorization by email

Problem to solve

I configured LDAP integration as follows:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
  'main' => {
    'label' => 'LDAP',
    'host' =>  'pdc.domain.local',
    'port' => 389,
    'uid' => 'sAMAccountName',
    'bind_dn' => 'CN=gitlabuser,OU=Users,DC=domain,DC=local',
    'password' => 'some_password',
    'encryption' => 'plain',
    'verify_certificates' => true,
    'timeout' => 10,
    'active_directory' => true,
    'user_filter' => '(&(objectCategory=user)(memberOf=CN=Users,DC=domain,DC=local))',
    'base' => 'DC=domain,DC=local',
    'lowercase_usernames' => false,   # boolean, not the string 'false' (a non-empty string is truthy in Ruby)
    'retry_empty_result_with_codes' => [80],
    'allow_username_or_email_login' => true,
    'block_auto_created_users' => false,
    'attributes' => {
      'username' => [ 'userPrincipalName' ],
      'email' => ['mail'],
      'name' => 'cn',
      'first_name' => 'givenName',
      'last_name' => 'sn'
    }
  }
}

Users can log in using sAMAccountName and the information in the Users panel is displayed correctly. But it doesn’t allow me to log in by email.

Error: Could not authenticate you from Ldapmain because "Invalid credentials for testuser@mail.org".

It is important to note that in Active Directory the mail and sAMAccountName fields have different names and even different names with the domain name.

For example:
Domain = domain.local
Name = John Doe
Mail = johndo@mail.org

How can I allow authorization by the email address specified in the Active Directory ‘mail’ field?

According to the docs here: Integrate LDAP with GitLab | GitLab

I would suggest setting that back to false, and then see if you are able to log in correctly with usernames and emails. That option to me looks a little bit confusing, at least in the explanation.

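To make the effect of 'allow_username_or_email_login' concrete, here is a small model of how a submitted sign-in name is normalised and then matched against the configured 'uid' attribute. This is an added illustration, not GitLab's own code: it assumes only the documented behaviour that, when the option is enabled, everything after the first '@' in the submitted login is dropped before the 'uid' attribute is searched, and that Active Directory compares sAMAccountName case-insensitively. The directory entries (jdoe / johndo@mail.org, testuser / testuser@mail.org) are constructed for the example.

```python
"""
Model of LDAP sign-in name normalisation and uid matching.
Added example, not GitLab code. Assumes the documented behaviour of
'allow_username_or_email_login': when enabled, everything after the
first '@' in the submitted login is ignored before the uid lookup.
"""
from typing import Optional

# Constructed sample directory (not real accounts).
DIRECTORY = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain.local",
     "mail": "johndo@mail.org", "cn": "John Doe"},
    {"sAMAccountName": "testuser", "userPrincipalName": "testuser@domain.local",
     "mail": "testuser@mail.org", "cn": "Test User"},
]


def normalise_login(login: str, allow_username_or_email_login: bool) -> str:
    """Apply the documented truncation: keep only the part before the first '@'."""
    if allow_username_or_email_login and "@" in login:
        return login.split("@", 1)[0]
    return login


def escape_ldap_value(value: str) -> str:
    """RFC 4515 escaping so a login containing filter metacharacters cannot change the query."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def ldap_filter(uid_attr: str, login: str, user_filter: Optional[str] = None) -> str:
    """Equality filter on the uid attribute, AND-ed with the configured user_filter if any."""
    base = f"({uid_attr}={escape_ldap_value(login)})"
    return f"(&{base}{user_filter})" if user_filter else base


def find_entry(uid_attr: str, login: str, allow: bool) -> Optional[dict]:
    """Entry the login resolves to, or None (what surfaces as 'Invalid credentials')."""
    name = normalise_login(login, allow).lower()   # AD matches sAMAccountName case-insensitively
    matches = [e for e in DIRECTORY if e.get(uid_attr, "").lower() == name]
    return matches[0] if len(matches) == 1 else None


def describe(uid_attr: str, login: str, allow: bool) -> str:
    entry = find_entry(uid_attr, login, allow)
    who = entry["cn"] if entry else "no match (Invalid credentials)"
    return f"uid={uid_attr:<17} allow={str(allow):<5} login={login:<28} -> {who}"


if __name__ == "__main__":
    user_filter = "(&(objectCategory=user)(memberOf=CN=Users,DC=domain,DC=local))"
    print(ldap_filter("sAMAccountName", "jdoe", user_filter))
    # Option enabled: the mail address is cut down to its local part, which is
    # only found when that local part happens to equal the sAMAccountName.
    print(describe("sAMAccountName", "jdoe", True))
    print(describe("sAMAccountName", "johndo@mail.org", True))        # the reported failure
    print(describe("sAMAccountName", "testuser@mail.org", True))      # works by coincidence
    print(describe("sAMAccountName", "testuser@anything.example", True))  # domain is never checked
    # Option disabled: the full string must equal the uid attribute.
    print(describe("sAMAccountName", "jdoe@domain.local", False))
    print(describe("userPrincipalName", "jdoe@domain.local", False))
    print(describe("userPrincipalName", "jdoe@domain.local", True))   # why docs say to disable it with UPN
```

Two things the run makes visible: with the option enabled the 'mail' attribute is never consulted, so an address whose local part differs from the sAMAccountName cannot sign in, and any address with the right local part and an arbitrary domain maps to the same account, which is why this setting should not be read as "authenticate by email". Keeping the filter value escaped is the usual precaution whenever a user-supplied login is placed into an LDAP search.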