Ldapmain Invalid credentials with Firefox and Chrome but not Edge

Hi,

For some obscure reason, I can no longer log in to one of our self-hosted GitLab CE instances when using Firefox and Chrome; however, I can log in without any issue using Edge.

Running gitlab-rake gitlab:ldap:check doesn’t return any errors and properly lists user accounts.
The issue is present with v13.x and 14.x and the logs don’t give me any relevant information.

This seems to be a client side issue and I haven’t been able to solve it by clearing all browser data.

Would anyone have any tips on how to troubleshoot this?

Thanks.

This is what I get in gitlab-rails/production.log when using Edge to log in:

Started POST “/users/auth/ldapmain/callback” for 172.16.68.69 at 2021-08-23 08:25:55 +0000
Processing by Ldap::OmniauthCallbacksController#ldapmain as HTML
Parameters: {“authenticity_token”=>“[FILTERED]”, “username”=>“xxx@xxxxxx.xxxx”, “password”=>“[FILTERED]”}
Redirected to https://xxxxxxxxx/
Completed 302 Found in 117ms (ActiveRecord: 52.1ms | Elasticsearch: 0.0ms | Allocations: 19197)
Started GET “/” for xxx.xxx.xxx.xxx at 2021-08-23 08:25:55 +0000
Processing by RootController#index as HTML
Started GET “/-/metrics” for 127.0.0.1 at 2021-08-23 08:25:55 +0000
Processing by MetricsController#index as HTML
Completed 200 OK in 1ms (Views: 0.5ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 272)
Rendered layout layouts/dashboard.html.haml (Duration: 282.6ms | Allocations: 208592)
Completed 200 OK in 549ms (Views: 251.5ms | ActiveRecord: 135.2ms | Elasticsearch: 0.0ms | Allocations: 273275)

This is what I get in gitlab-rails/production.log when using Firefox to log in:

Started POST “/users/auth/ldapmain/callback” for 172.16.68.69 at 2021-08-23 08:29:07 +0000
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {“authenticity_token”=>“[FILTERED]”, “username”=>“xxx@xxxxxx.xxxx”, “password”=>“[FILTERED]”}
Redirected to https://xxxxxxxxx/users/sign_in
Completed 302 Found in 12ms (ActiveRecord: 1.1ms | Elasticsearch: 0.0ms | Allocations: 4520)
Started GET “/users/sign_in” for xxx.xxx.xxx.xxx at 2021-08-23 08:29:07 +0000
Processing by SessionsController#new as HTML
Rendered layout layouts/devise.html.haml (Duration: 14.6ms | Allocations: 6664)
Completed 200 OK in 30ms (Views: 14.9ms | ActiveRecord: 1.0ms | Elasticsearch: 0.0ms | Allocations: 11764)
Started GET “/-/metrics” for 127.0.0.1 at 2021-08-23 08:29:10 +0000
Processing by MetricsController#index as HTML
Completed 200 OK in 1ms (Views: 0.4ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 271)
Started GET “/help” for 127.0.0.1 at 2021-08-23 08:29:15 +0000
Processing by HelpController#index as /
Rendered layout layouts/help.html.haml (Duration: 85.7ms | Allocations: 78042)
Completed 200 OK in 90ms (Views: 84.7ms | ActiveRecord: 1.6ms | Elasticsearch: 0.0ms | Allocations: 79701)

All I can see is a difference in how the HTTP redirection is handled post login.
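
Added example, not part of the original post: a way to pull every POST to `/users/auth/ldapmain/callback` out of a `production.log` in the format shown above and list the controller action, status and redirect target for each, so attempts from different browsers can be compared side by side. The function name `callback_outcomes`, the sample log, its host `gitlab.example.test` and the client IP are constructed for this example.

```python
import re

# Constructed sample modelled on the two excerpts above; host and client IP are placeholders.
SAMPLE_LOG = """\
Started POST "/users/auth/ldapmain/callback" for 192.0.2.10 at 2021-08-23 08:25:55 +0000
Processing by Ldap::OmniauthCallbacksController#ldapmain as HTML
Redirected to https://gitlab.example.test/
Completed 302 Found in 117ms (ActiveRecord: 52.1ms | Elasticsearch: 0.0ms | Allocations: 19197)
Started GET "/" for 192.0.2.10 at 2021-08-23 08:25:55 +0000
Processing by RootController#index as HTML
Started POST "/users/auth/ldapmain/callback" for 192.0.2.10 at 2021-08-23 08:29:07 +0000
Processing by OmniauthCallbacksController#failure as HTML
Redirected to https://gitlab.example.test/users/sign_in
Completed 302 Found in 12ms (ActiveRecord: 1.1ms | Elasticsearch: 0.0ms | Allocations: 4520)
"""

# Accept straight or typographic quotes, since pasted logs often carry the latter.
STARTED = re.compile(r'^Started (\w+) ["“](.+?)["”] for (\S+) at (.+)$')
PROCESSING = re.compile(r"^Processing by (\S+)#(\w+) as ")
REDIRECTED = re.compile(r"^Redirected to (\S+)")
COMPLETED = re.compile(r"^Completed (\d{3}) ")


def callback_outcomes(log_text, path="/users/auth/ldapmain/callback"):
    """Return one record per POST to the callback path, in log order.

    Lines are attributed to the most recent "Started" line, so requests that
    interleave in the log can be misattributed (an assumption of this example).
    """
    records, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := STARTED.match(line):
            current = None
            if m.group(1) == "POST" and m.group(2) == path:
                current = {"client": m.group(3), "at": m.group(4), "controller": None,
                           "action": None, "redirect": None, "status": None}
                records.append(current)
        elif current is None:
            continue
        elif m := PROCESSING.match(line):
            current["controller"], current["action"] = m.group(1), m.group(2)
        elif m := REDIRECTED.match(line):
            current["redirect"] = m.group(1)
        elif m := COMPLETED.match(line):
            current["status"] = int(m.group(1))
            current = None  # request finished; ignore lines until the next callback POST
    return records


if __name__ == "__main__":
    for r in callback_outcomes(SAMPLE_LOG):
        print(r["at"], f'{r["controller"]}#{r["action"]}', r["status"], "->", r["redirect"])
```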