Self-hosted trying to enable 2FA, getting " You must provide a valid current password"

We run a self-hosted Gitlab 14.3.2 instance using LDAP to login. I am trying to enable 2FA. Every time I am getting this “You must provide a valid current password”. I’m using the same password that I use to login so I’m not sure what the issue is. Does anyone have any ideas?

If anyone has any logs they can think of that I might be able to poke through that would be much appreciated as well. Thank you.

Seeing the same thing with 2fa and ldap on 14.2.5. We also have some provisioning issues with new users coming from ldap.

Could not authenticate you from Ldapmain because "Undefined method `pronunciation` for #<userdetail:0x00007fcbd8d07720> did you mean? pronouns change".

Not sure if these are related.

By chance, did you happen to initialize the LDAP users in advance using one of the suggestions in Add a way for LDAP users to be created before first login (#699) · Issues · GitLab.org / GitLab · GitLab? That was the root cause of this issue for us. Those accounts initialized via the API were not created with password_automatically_set? on the user record, so the web UI was prompting for a password (the generated one) that the user couldn’t provide.

1 Like

This looks like an old issue. We haven’t had any of these issues before upgrading to version 14 last weekend. I guess this could still be the issue tho.

I tried setting a password in gitlab for an ldap user with these problems now and that seems to let me set up 2fa without problems. Has something changed in how users are provisioned from v13 to v14 gitlab?

This is a known issue, introduced in version 14.3.1 and fixed in the latest patch release 14.3.3:

We were also affected after upgrading to 14.3.2., now after installing 14.3.3 it works again.

Arto

1 Like

I’m using gitlab 14.4.1 and it seems that this issue is back. 2FA can’t doesn’t want to work with LDAP passwords…

Our new Gitlab server is in standby, waiting for the patch.

1 Like

Gitlab 14.4.1 the same situation!
“You must provide a valid current password” but password is correct.

We were affected in 14.3.2, but versions 14.3.3 and 14.4.1 both work for us. Apparently the issue didn’t reappear in 14.4.1 but is also not yet fixed for all cases. It depends on whether the LDAP users have additionally local passwords on the instance or not (in our case they don’t). See the following issue and merge request for a more detailed description and workarounds:

Arto

We are effected on 14.3.4-ee. One user that possibly had an local account before we connected the installation to AD. Worked around by putting (overwriting?) a (local) password on the account in GitLab, and then using that to register the MFA device.