Not able to authenticate GitLab over AD using OpenLDAP

This is my gitlab.rb file:

```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = {
  'main' => {
    'label' => 'GitLab AD',
    'host' => 'rpipro.rsquare.com',
    'port' => 389,
    'uid' => 'sAMAccountName',
    'encryption' => 'plain',
    'verify_certificates' => false,
    'bind_dn' => 'CN=admin,DC=rsquare,DC=com',
    'password' => 'test',
    'active_directory' => true,
    'block_auto_created_users' => false,
    'base' => 'OU=People,DC=rsquare,DC=com',
    'group_base' => 'OU=Groups, INT,DC=rsquare,DC=com',
    'admin_group' => 'Global Admins'
  }
}
```
LDAP search works fine:

```
ldapsearch -h 192.168.1.71 -p 389 -x -b "dc=rsquare,dc=com"
```

```
# extended LDIF
# LDAPv3
# base <dc=rsquare,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# rsquare.com
dn: dc=rsquare,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: rsquare.com
dc: rsquare

# admin, rsquare.com
dn: cn=admin,dc=rsquare,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# People, rsquare.com
dn: ou=People,dc=rsquare,dc=com
objectClass: organizationalUnit
ou: People

# Groups, rsquare.com
dn: ou=Groups,dc=rsquare,dc=com
objectClass: organizationalUnit
ou: Groups

# miners, Groups, rsquare.com
dn: cn=miners,ou=Groups,dc=rsquare,dc=com
objectClass: posixGroup
cn: john
cn: miners
gidNumber: 10000

# john, People, rsquare.com
dn: uid=john,ou=People,dc=rsquare,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 10000
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/ldap/john

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
```

This is my OpenLDAP trace file:
5afade5d daemon: activity on 1 descriptor
5afade5d daemon: activity on:
5afade5d slap_listener_activate(7):
5afade5d daemon: epoll: listen=7 busy
5afade5d daemon: epoll: listen=8 active_threads=0 tvp=zero
5afade5d >>> slap_listener(ldap:///)
5afade5d daemon: listen=7, new connection on 12
5afade5d daemon: activity on 1 descriptor
5afade5d daemon: activity on:
5afade5d daemon: epoll: listen=7 active_threads=0 tvp=zero
5afade5d daemon: epoll: listen=8 active_threads=0 tvp=zero
5afade5d daemon: added 12r (active) listener=(nil)
5afade5d conn=1010 fd=12 ACCEPT from IP=192.168.1.207:46588 (IP=0.0.0.0:389)
5afade5d daemon: activity on 1 descriptor
5afade5d daemon: activity on:
5afade5d daemon: epoll: listen=7 active_threads=0 tvp=zero
5afade5d daemon: epoll: listen=8 active_threads=0 tvp=zero
5afade5d daemon: activity on 1 descriptor
5afade5d daemon: activity on: 12r
5afade5d daemon: read active on 12
5afade5d daemon: epoll: listen=7 active_threads=0 tvp=zero
5afade5d daemon: epoll: listen=8 active_threads=0 tvp=zero
5afade5d connection_get(12)
5afade5d connection_get(12): got connid=1010
5afade5d connection_read(12): checking for input on id=1010
ber_get_next
ldap_read: want=8, got=8
0000: 30 2a 02 01 01 60 25 02 0*…%.
ldap_read: want=36, got=36
0000: 01 03 04 1a 43 4e 3d 61 64 6d 69 6e 2c 44 43 3d ....CN=admin,DC=
0010: 72 73 71 75 61 72 65 2c 44 43 3d 63 6f 6d 80 04 rsquare,DC=com..
0020: 74 65 73 74 test
ber_get_next: tag 0x30 len 42 contents:
ber_dump: buf=0x35501d98 ptr=0x35501d98 end=0x35501dc2 len=42
0000: 02 01 01 60 25 02 01 03 04 1a 43 4e 3d 61 64 6d ...%…CN=adm
0010: 69 6e 2c 44 43 3d 72 73 71 75 61 72 65 2c 44 43 in,DC=rsquare,DC
0020: 3d 63 6f 6d 80 04 74 65 73 74 =com…test
5afade5d op tag 0x60, time 1526390365
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5afade5d daemon: activity on 1 descriptor
5afade5d daemon: activity on:
5afade5d daemon: epoll: listen=7 active_threads=0 tvp=zero
5afade5d daemon: epoll: listen=8 active_threads=0 tvp=zero
5afade5d conn=1010 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x35501d98 ptr=0x35501d9b end=0x35501dc2 len=39
0000: 60 25 02 01 03 04 1a 43 4e 3d 61 64 6d 69 6e 2c `%…CN=admin,
0010: 44 43 3d 72 73 71 75 61 72 65 2c 44 43 3d 63 6f DC=rsquare,DC=co
0020: 6d 80 04 74 65 73 74 m…test
ber_scanf fmt (m}) ber:
ber_dump: buf=0x35501d98 ptr=0x35501dbc end=0x35501dc2 len=6
0000: 00 04 74 65 73 74 …test
5afade5d >>> dnPrettyNormal: <CN=admin,DC=rsquare,DC=com>
=> ldap_bv2dn(CN=admin,DC=rsquare,DC=com,0)
<= ldap_bv2dn(CN=admin,DC=rsquare,DC=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=rsquare,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=admin,dc=rsquare,dc=com)=0
5afade5d <<< dnPrettyNormal: <cn=admin,dc=rsquare,dc=com>, <cn=admin,dc=rsquare,dc=com>
5afade5d conn=1010 op=0 BIND dn=“cn=admin,dc=rsquare,dc=com” method=128
5afade5d do_bind: version=3 dn=“cn=admin,dc=rsquare,dc=com” method=128
5afade5d ==> mdb_bind: dn: cn=admin,dc=rsquare,dc=com
5afade5d conn=1010 op=0 BIND dn=“cn=admin,dc=rsquare,dc=com” mech=SIMPLE ssf=0
5afade5d do_bind: v3 bind: “cn=admin,dc=rsquare,dc=com” to “cn=admin,dc=rsquare,dc=com”
5afade5d send_ldap_result: conn=1010 op=0 p=3
5afade5d send_ldap_result: err=0 matched=“” text=“”
5afade5d send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 12
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0…a…
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0…a…
5afade5d conn=1010 op=0 RESULT tag=97 err=0 text=
5afade5d daemon: activity on 1 descriptor
5afade5d daemon: activity on: 12r
5afade5d daemon: read active on 12
5afade5d daemon: epoll: listen=7 active_threads=0 tvp=zero
5afade5d connection_get(12)
5afade5d connection_get(12): got connid=1010
5afade5d daemon: epoll: listen=8 active_threads=0 tvp=zero
5afade5d connection_read(12): checking for input on id=1010
ber_get_next
ldap_read: want=8, got=8
0000: 30 81 c1 02 01 02 63 81 0…c.
ldap_read: want=188, got=188
ber_get_next: tag 0x30 len 193 contents:
ber_dump: buf=0x356030f8 ptr=0x356030f8 end=0x356031b9 len=193
5afade5d op tag 0x63, time 1526390365
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
5afade5d daemon: activity on 1 descriptor
5afade5d daemon: activity on:
5afade5d conn=1010 op=1 do_search
5afade5d daemon: epoll: listen=7 active_threads=0 tvp=zero
5afade5d daemon: epoll: listen=8 active_threads=0 tvp=zero
ber_scanf fmt ({miiiib) ber:
ber_dump: buf=0x356030f8 ptr=0x356030fb end=0x356031b9 len=190
5afade5d >>> dnPrettyNormal: <>
5afade5d <<< dnPrettyNormal: <>, <>
5afade5d SRCH “” 0 0 0 0 0
5afade5d begin get_filter
5afade5d PRESENT
ber_scanf fmt (m) ber:
ber_dump: buf=0x356030f8 ptr=0x3560310f end=0x356031b9 len=170
5afade5d end get_filter 0
5afade5d filter: (objectClass=)
ber_scanf fmt ({M}}) ber:
ber_dump: buf=0x356030f8 ptr=0x3560311c end=0x356031b9 len=157
5afade5d attrs: altServer namingContexts supportedCapabilities supportedControl supportedExtension supportedFeatures supportedLdapVersion supportedSASLMechanisms
5afade5d conn=1010 op=1 SRCH base=“” scope=0 deref=0 filter="(objectClass=)"
5afade5d conn=1010 op=1 SRCH attr=altServer namingContexts supportedCapabilities supportedControl supportedExtension supportedFeatures supportedLdapVersion supportedSASLMechanisms
5afade5d => test_filter
5afade5d PRESENT
5afade5d => access_allowed: search access to “” “objectClass” requested
5afade5d => acl_get: [1] attr objectClass
5afade5d => acl_mask: access to entry “”, attr “objectClass” requested
5afade5d => acl_mask: to all values by “cn=admin,dc=rsquare,dc=com”, (=0)
5afade5d <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
5afade5d <= check a_dn_pat: *
5afade5d <= acl_mask: [2] applying +0 (break)
5afade5d <= acl_mask: [2] mask: =0
5afade5d => dn: [2]
5afade5d => acl_get: [2] matched
5afade5d => acl_get: [2] attr objectClass
5afade5d => acl_mask: access to entry “”, attr “objectClass” requested
5afade5d => acl_mask: to all values by “cn=admin,dc=rsquare,dc=com”, (=0)
5afade5d <= check a_dn_pat: *
5afade5d <= acl_mask: [1] applying read(=rscxd) (stop)
5afade5d <= acl_mask: [1] mask: read(=rscxd)
5afade5d => slap_access_allowed: search access granted by read(=rscxd)
5afade5d => access_allowed: search access granted by read(=rscxd)
5afade5d <= test_filter 6
5afade5d => send_search_entry: conn 1010 dn=“”
5afade5d => access_allowed: read access to “” “entry” requested
5afade5d => acl_get: [1] attr entry
5afade5d => acl_mask: access to entry “”, attr “entry” requested
5afade5d => acl_mask: to all values by “cn=admin,dc=rsquare,dc=com”, (=0)
5afade5d <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
5afade5d <= check a_dn_pat: *
5afade5d <= acl_mask: [2] applying +0 (break)
5afade5d <= acl_mask: [2] mask: =0
5afade5d => dn: [2]
5afade5d => acl_get: [2] matched
5afade5d => acl_get: [2] attr entry
5afade5d => acl_mask: access to entry “”, attr “entry” requested
5afade5d => acl_mask: to all values by “cn=admin,dc=rsquare,dc=com”, (=0)
5afade5d <= check a_dn_pat: *
5afade5d <= acl_mask: [1] applying read(=rscxd) (stop)
5afade5d <= acl_mask: [1] mask: read(=rscxd)
5afade5d => slap_access_allowed: read access granted by read(=rscxd)
5afade5d => access_allowed: read access granted by read(=rscxd)
5afade5d => access_allowed: re…
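
An added example, not part of the original post and not GitLab's own code: a check of whether the attribute named in the `uid` setting is present on the entries below the configured `base`, run on a trimmed, constructed copy of the ldapsearch output above. The helper names (`parse_ldif`, `norm_dn`, `check_uid_attribute`) are hypothetical.

```ruby
# Constructed sample: two settings copied from the gitlab.rb in the post.
# All helper names below are hypothetical.
CONFIG = { 'uid' => 'sAMAccountName', 'base' => 'OU=People,DC=rsquare,DC=com' }.freeze

# Constructed sample: trimmed copy of the ldapsearch output in the post.
LDIF = <<~LDIF
  dn: ou=People,dc=rsquare,dc=com
  objectClass: organizationalUnit
  ou: People

  dn: cn=miners,ou=Groups,dc=rsquare,dc=com
  objectClass: posixGroup
  cn: miners

  # john, People, rsquare.com
  dn: uid=john,ou=People,dc=rsquare,dc=com
  objectClass: inetOrgPerson
  uid: john
  cn: John Doe
LDIF

# Parse plain LDIF (no line folding, no base64 "::" values) into
# [dn, { lowercased attribute name => [values] }] pairs.
def parse_ldif(text)
  text.split(/\n\s*\n/).filter_map do |block|
    attrs = Hash.new { |h, k| h[k] = [] }
    block.each_line do |line|
      next if line.start_with?('#') || !line.include?(':')
      name, value = line.split(':', 2)
      attrs[name.strip.downcase] << value.strip
    end
    [attrs.delete('dn').first, attrs] if attrs.key?('dn')
  end
end

# Case-insensitive DN comparison; assumes no escaped commas in RDN values.
def norm_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# Split the entries below `base` by whether they carry the configured `uid` attribute.
def check_uid_attribute(config, ldif)
  suffix = ',' + norm_dn(config['base'])
  under_base = parse_ldif(ldif).select { |dn, _| norm_dn(dn).end_with?(suffix) }
  with_attr, without = under_base.partition { |_, attrs| attrs.key?(config['uid'].downcase) }
  { matching: with_attr.map(&:first), missing: without.map(&:first) }
end

puts check_uid_attribute(CONFIG, LDIF).inspect
```

Entries listed under `missing` sit below `base` but do not carry the configured attribute, so a lookup by that attribute cannot return them.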

I am having the same issue: I am unable to authenticate GitLab over AD. I did not know how to fix it, which is why I decided to go to Antivirus Support Number; they told me how to sort this out.