Misleading? Allow Username Or Email Login

So, I assumed that if I have this turned on, my users would be able to log in with either their usernames or email addresses, but this does not seem to be the case. In my configuration, uid is set to the sAMAccountName attribute, which is something like the first 6 letters of your last name followed by your first and middle initials. I am not sure what GitLab uses for the email, but I assume it is the mail attribute, which is something like firstname.lastname@company.com for us. I do not have the "attributes" section in my configuration file (mentioned here: https://docs.gitlab.com/ce/administration/auth/ldap.html) as I have never needed it. Now, my users can log in with their usernames without a problem, but logging in with their email address does not work at all. Is this a bug, an issue with my configuration, or by design?

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'LDAP'
  host: '<OUR_HOST>'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: '<OUR_BIND_DN>'
  password: '<PASSWORD>'
  active_directory: true
  allow_username_or_email_login: true
  block_auto_created_users: false
  base: '<OUR_BASE>'
  timeout: 15
  # user_filter: ''
  # ## EE only
  # group_base: ''
  # admin_group: ''
  # sync_ssh_keys: false
EOS

Assume we log in with mail: 123456789@test.com (and the corresponding uid of the entry is 20160123). Then,
if you check the AD log (I use openldap), you might get something similar to the below:
2018/10/10 下午3:19:215bbda7f9 conn=3970 op=2 SRCH base=“ou=staff,dc=test,dc=example,dc=com” scope=2 deref=0 filter="(&(uid=123456789)(employeeType=developer))"

This means that GitLab will search for an entry under ou=staff,dc=test,dc=example,dc=com with filter="(&(uid=123456789)(employeeType=developer))", while in this case we don't have a uid equal to 123456789 (you only have the uid 20160123, as I assumed in the first line). Of course you can log in with uid=20160123, but you can't log in with uid=123456789.

So, if you have uid=123456789 and email=123456789@test.com, you can log in with email=123456789@test.com.
But this is not what we commonly think of as logging in with email; in this case you are still logging in with the uid, and the uid just happens to equal the suffix of the email! Most of the time, the uid is not equal to the suffix (the characters before '@') of the email. I think this is the core problem.

So this explains why you can't log in with your email in your example; it's a problem of GitLab's login mechanism in LDAP!

Reference: https://docs.gitlab.com/omnibus/settings/ldap.html

You can also disable allow_username_or_email_login and add email to uid; then you can log in with the common uid your users think of, or the email.

In Grafana, you can log in with the email or the uid (within LDAP) in the way we commonly expect, without so much frustration, so GitLab has to change the mechanism in LDAP.
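To make the lookup described above concrete, here is a small Ruby model of the behaviour the log line shows (added here; it is not GitLab's own code). The directory entries and the employeeType user_filter are constructed sample data, and the uid attribute follows the reply's openldap setup; the question's config would substitute sAMAccountName.

```ruby
# Models the LDAP lookup described in the thread: with
# allow_username_or_email_login enabled, GitLab drops everything from '@'
# onward and searches uid=<local part>, AND-ed with user_filter.
# This is an illustrative model, not GitLab's implementation.

UID_ATTR    = 'uid'                        # reply's setup; question uses sAMAccountName
USER_FILTER = '(employeeType=developer)'   # taken from the reply's log line

# Constructed sample entries: uid differs from the mail local part,
# which the reply calls the core problem.
DIRECTORY = [
  { 'uid' => '20160123', 'mail' => '123456789@test.com',     'employeeType' => 'developer' },
  { 'uid' => 'smithjd',  'mail' => 'john.smith@company.com', 'employeeType' => 'developer' },
].freeze

# Build the filter the way the log line shows: (&(uid=<login>)<user_filter>)
def gitlab_ldap_filter(login, allow_username_or_email_login: true)
  if allow_username_or_email_login && login.include?('@')
    login = login.split('@', 2).first
  end
  "(&(#{UID_ATTR}=#{login})#{USER_FILTER})"
end

# Minimal evaluator for the single AND-of-equalities filter shape above.
def entries_matching(filter, directory = DIRECTORY)
  clauses = filter.scan(/\(([^()=]+)=([^()]*)\)/)
  directory.select { |entry| clauses.all? { |attr, value| entry[attr] == value } }
end

# Returns the uid of the matched entry, or nil when the login would fail.
def ldap_login(login, directory = DIRECTORY)
  match = entries_matching(gitlab_ldap_filter(login), directory).first
  match && match[UID_ATTR]
end
```

Running ldap_login('123456789@test.com') returns nil because the search looks for uid=123456789, which no entry has, while ldap_login('20160123') succeeds; an entry whose uid really is 123456789 would make the email login work, exactly as the reply describes.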
