[SOLVED] Gitlab-rake gitlab:ldap:check ok, Invalid Credentials on GUI

Hi everyone

I’m trying to get the LDAP login to work for a self-hosted GitLab EE. If I run gitlab-rake gitlab:ldap:check, I get the list of allowed users, so the bind to the AD domain seems to work. However, if I try to log in on the web page, I get the error 'Could not authenticate you from Ldapmain because "Invalid credentials for xx"'.

My gitlab-rake gitlab:env:info:

    [root@gitlab ~]# gitlab-rake gitlab:env:info
    System information
    System:		
    Proxy:		no
    Current User:	git
    Using RVM:	no
    Ruby Version:	2.4.4p296
    Gem Version:	2.7.6
    Bundler Version:1.16.2
    Rake Version:	12.3.1
    Redis Version:	3.2.11
    Git Version:	2.17.1
    Sidekiq Version:5.1.3
    Go Version:	unknown

    GitLab information
    Version:	11.1.4-ee
    Revision:	d17962f
    Directory:	/opt/gitlab/embedded/service/gitlab-rails
    DB Adapter:	postgresql
    DB Version:	9.6.8
    URL:		http://gitlab001
    HTTP Clone URL:	http://gitlab001/some-group/some-project.git
    SSH Clone URL:	git@gitlab001:some-group/some-project.git
    Elasticsearch:	no
    Geo:		no
    Using LDAP:	yes
    Using Omniauth:	no

    GitLab Shell
    Version:	7.1.4
    Repository storage paths:
    - default: 	/var/opt/gitlab/git-data/repositories
    Hooks:		/opt/gitlab/embedded/service/gitlab-shell/hooks
    Git:		/opt/gitlab/embedded/bin/git

My gitlab.rb ldap config:

    gitlab_rails['ldap_enabled'] = true
    #! **remember to close this block with 'EOS' below**
    gitlab_rails['ldap_servers'] = YAML.load <<-EOS
     main: # 'main' is the GitLab 'provider ID' of this LDAP server
      label: 'LDAP'
      host: '*******'
      port: 636
      uid: 'sAMAccountName'
      bind_dn: '*****'
      password: '******'
      encryption: 'simple_tls' # "start_tls" or "simple_tls" or "plain"
      active_directory: true
      allow_username_or_email_login: true
      lowercase_usernames: false
      block_auto_created_users: false
      base: 'CN=Users,DC=***,DC=***'
      verify_certificates: false
    EOS

The output of gitlab:ldap:check

    [root@gitlab ~]# gitlab-rake gitlab:ldap:check
    Checking LDAP ...

    Server: ldapmain
    not verifying SSL hostname of LDAPS server '****:636'
    LDAP authentication... Success
    LDAP users with access to your GitLab server (only showing the first 100 results)
    	DN: cn=*****,cn=users,dc=***,dc=***	 sAMAccountName: ***
            etc... (100 entries)

    Checking LDAP ... Finished

What am I doing wrong?

Kind regards,
Simon

Sorry for bothering you all, I solved it.

If someone has a similar problem: Check if base is correct. In my case, not all users were members of the cn ‘Users’.

Method to check if a user really is in the LDAP base:

    gitlab-rake gitlab:ldap:check[10000] > users
    cat users | grep <username>

If the user does not show up, he doesn’t have access.
In my case, deleting the CN=Users part solved the problem.

Kind regards,
Simon
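
The fix described above, shown as an added example that is not part of the original posts or of GitLab's code: a user is only found by the LDAP search if their DN sits at or below the configured base, so an account outside CN=Users is invisible to the login lookup even though the bind succeeds. The helper names (split_dn, under_base?, outside_base) are hypothetical, and the DNs are constructed sample values.

```ruby
# Added example; every DN below is a constructed sample value.

# Split a DN into RDNs, keeping backslash-escaped commas inside a value.
def split_dn(dn)
  rdns = []
  current = +''
  escaped = false
  dn.each_char do |ch|
    if escaped
      current << ch
      escaped = false
    elsif ch == '\\'
      current << ch
      escaped = true
    elsif ch == ','
      rdns << current
      current = +''
    else
      current << ch
    end
  end
  rdns << current
  # Trim each RDN, drop spaces around '=', and fold case (assumption:
  # case-insensitive matching, as Active Directory does for DNs).
  rdns.map { |rdn| rdn.strip.sub(/\s*=\s*/, '=').downcase }
end

# True when user_dn is at or below base, i.e. the RDNs of base are a
# suffix of the RDNs of user_dn.
def under_base?(user_dn, base)
  user = split_dn(user_dn)
  root = split_dn(base)
  root.length <= user.length && user.last(root.length) == root
end

# DNs that a search rooted at base cannot return.
def outside_base(user_dns, base)
  user_dns.reject { |dn| under_base?(dn, base) }
end

SAMPLE_DNS = [
  'CN=Alice Example,CN=Users,DC=example,DC=com',
  'CN=Bob Example,OU=Engineering,DC=example,DC=com',
  'CN=Doe\\, Carol,OU=Sales,DC=example,DC=com'
].freeze

['CN=Users,DC=example,DC=com', 'DC=example,DC=com'].each do |base|
  puts "base #{base}: not found -> #{outside_base(SAMPLE_DNS, base).inspect}"
end
```

Widening the base to the domain root makes every account under it eligible to sign in; the `user_filter` key in the same `ldap_servers` block can narrow that set again.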