I’m attempting to enable LDAP on Omnibus 7.10.4. After uploading the .rb file change and reconfiguring the server, I get a 500 error when attempting a login with my AD account.
Here is the LDAP section; is there something incorrectly formatted? Where are the logs for LDAP located?
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main:
  label: 'LDAP'
  host: 'query.subdomain.subdomain.com'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: ''
  password: ''
  active_directory: true
  allow_username_or_email_login: true
EOS
Most probably, you need to provide a bind DN and a user that is allowed to read sAMAccountName.
Also, I do not have single quotes around EOS.
This works for me:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'LDAP'
  host: '10.0.87.27'
  port: 636
  uid: 'sAMAccountName'
  method: 'ssl' # "tls" or "ssl" or "plain"
  bind_dn: 'your_bind_dn_here'
  password: 'your_password_for_the_binding_user_here'
  active_directory: true
  allow_username_or_email_login: false
  base: 'DC=example,DC=com'
  user_filter: ''
EOS
Thanks @kampfflunder, I no longer receive a 500 error but Could not authorize you from Ldapmain because “Invalid credentials”. I assume I have a setting that is incorrect in my bind_dn or password.
I do have a bind_dn and password but left them as ‘’ in my post.
Since you use plain LDAP, you could tcpdump/wireshark the connection to the LDAP Server to see what happens. Or use ldapsearch with the bind dn and the password (ldapsearch is a PITA) for testing.
I discovered that the settings under “main” were indented too far, they had 4 spaces instead of 2. Fixing that made the changes in your first post work. I’m now able to login using LDAP, thanks a bunch!
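A small sanity check for the ldap_servers block, added here as an example and not taken from the thread or from GitLab: it loads the heredoc body with Ruby's YAML exactly as Omnibus does, then reports the problems this thread ran into (settings not indented under the provider key, empty bind_dn with Active Directory, missing base, and a method/port mismatch or a cleartext 'plain' bind). The host value is a placeholder and the sample block is constructed.

```ruby
require 'yaml'

# Constructed sample of the ldap_servers heredoc body, in the shape the
# thread uses (host is a placeholder). Omnibus hands this text to YAML.load.
LDAP_SERVERS_YAML = <<-EOS
main:
  label: 'LDAP'
  host: 'ldap.example.com'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: ''
  password: ''
  active_directory: true
  allow_username_or_email_login: true
EOS

# Parse the block the way Omnibus does and return a list of findings;
# an empty list means nothing in the block looks wrong.
def check_ldap_servers(yaml_text)
  servers = begin
    YAML.safe_load(yaml_text)
  rescue Psych::SyntaxError => e
    return ["YAML does not parse (check indentation under the provider key): #{e.message}"]
  end
  return ['top level must be a mapping of provider IDs, e.g. main:'] unless servers.is_a?(Hash)

  findings = []
  servers.each do |provider, cfg|
    unless cfg.is_a?(Hash)
      # e.g. 'main:' with nothing indented beneath it: the keys that follow
      # become top-level providers instead of settings of 'main'
      findings << "#{provider}: settings must be indented under the provider key"
      next
    end
    %w[host port uid method base].each do |key|
      findings << "#{provider}: missing '#{key}'" if cfg[key].to_s.empty?
    end
    # AD normally rejects anonymous searches, so a bind account is needed
    if cfg['active_directory'] && cfg['bind_dn'].to_s.empty?
      findings << "#{provider}: active_directory needs a bind_dn allowed to read #{cfg['uid']}"
    elsif !cfg['bind_dn'].to_s.empty? && cfg['password'].to_s.empty?
      findings << "#{provider}: bind_dn set but password is empty"
    end
    # 636 is the LDAPS port; 'plain' sends the bind password unencrypted
    if cfg['method'] == 'plain' && cfg['port'] == 636
      findings << "#{provider}: 'plain' on port 636, use method 'ssl'"
    elsif cfg['method'] == 'ssl' && cfg['port'] == 389
      findings << "#{provider}: 'ssl' on port 389, use port 636 or method 'tls'"
    elsif cfg['method'] == 'plain'
      findings << "#{provider}: 'plain' exposes the bind password on the wire, prefer 'ssl' or 'tls'"
    end
  end
  findings
end

puts check_ldap_servers(LDAP_SERVERS_YAML)
```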