[SOLVED] LDAP issue with Active Directory

How to Use GitLab Self-managed
1

Having an issue with LDAP/Active Directory on Omnibus Gitlab. I am able to query the directory with my settings that I am using with ldapsearch, however gitlab throws the following when a gitlab:check is run:

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
rake aborted!
Errno::ECONNRESET: Connection reset by peer @ io_fillbuf - fd:9

Full trace output below from gitlab:check:

$ sudo gitlab-rake gitlab:check --trace
** Invoke gitlab:check (first_time)
** Invoke gitlab:env:check (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute gitlab:env:check
Checking Environment ...

Git configured for git user? ... yes

Checking Environment ... Finished

** Invoke gitlab:gitlab_shell:check (first_time)
** Invoke environment
** Execute gitlab:gitlab_shell:check
Checking GitLab Shell ...

GitLab Shell version >= 2.4.0 ? ... OK (2.4.0)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
Satellites access is drwxr-x---? ... yes
hooks directories in repos are links: ...
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Check directories and files:
	/var/opt/gitlab/git-data/repositories: OK
	/var/opt/gitlab/.ssh/authorized_keys: OK
Test redis-cli executable: redis-cli 2.8.2
Send ping to redis server: PONG
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

** Invoke gitlab:sidekiq:check (first_time)
** Invoke environment
** Execute gitlab:sidekiq:check
Checking Sidekiq ...

Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

** Invoke gitlab:ldap:check (first_time)
** Invoke environment
** Execute gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
rake aborted!
Errno::ECONNRESET: Connection reset by peer @ io_fillbuf - fd:9
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ber/ber_parser.rb:160:in `getbyte'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ber/ber_parser.rb:160:in `read_ber'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/connection.rb:169:in `block in read'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/connection.rb:168:in `read'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/connection.rb:134:in `queued_read'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/connection.rb:244:in `bind_simple'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/connection.rb:213:in `block in bind'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/connection.rb:210:in `bind'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap.rb:664:in `block in open'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap.rb:655:in `open'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/net-ldap-0.9.0/lib/net/ldap.rb:591:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/adapter.rb:7:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:679:in `block in print_users'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:677:in `each'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:677:in `print_users'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:664:in `block (3 levels) in <top (required)>'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:240:in `call'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:240:in `block in execute'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:235:in `each'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:235:in `execute'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:179:in `block in invoke_with_call_chain'
/opt/gitlab/embedded/lib/ruby/2.1.0/monitor.rb:211:in `mon_synchronize'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:172:in `invoke_with_call_chain'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:201:in `block in invoke_prerequisites'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:199:in `each'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:199:in `invoke_prerequisites'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:178:in `block in invoke_with_call_chain'
/opt/gitlab/embedded/lib/ruby/2.1.0/monitor.rb:211:in `mon_synchronize'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:172:in `invoke_with_call_chain'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/task.rb:165:in `invoke'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:150:in `invoke_task'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:106:in `block (2 levels) in top_level'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:106:in `each'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:106:in `block in top_level'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:115:in `run_with_threads'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:100:in `top_level'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:78:in `block in run'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:176:in `standard_exception_handling'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/lib/rake/application.rb:75:in `run'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/gems/rake-10.3.2/bin/rake:33:in `<top (required)>'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/bin/rake:23:in `load'
/opt/gitlab/embedded/service/gem/ruby/2.1.0/bin/rake:23:in `<main>'
Tasks: TOP => gitlab:check => gitlab:ldap:check

gitlab.rb settings:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  ## label
  #
  # A human-friendly name for your LDAP server. It is OK to change the label later,
  # for instance if you find out it is too large to fit on the web page.
  #
  # Example: 'Paris' or 'Acme, Ltd.'
  label: 'Washington DC'

  host: 'my-ad-server.mydomain.net'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: 'CN=ssMy.User,OU=Service Accounts,OU=Washington\, D.C.,OU=United States,OU=NA,DC=my,DC=domain,DC=net'
  password: 'mypwd'

  # This setting specifies if LDAP server is Active Directory LDAP server.
  # For non AD servers it skips the AD specific queries.
  # If your LDAP server is not AD, set this to false.
  active_directory: true

  # If allow_username_or_email_login is enabled, GitLab will ignore everything
  # after the first '@' in the LDAP username submitted by the user on login.
  #
  # Example:
  # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
  # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
  #
  # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
  # disable this setting, because the userPrincipalName contains an '@'.
  allow_username_or_email_login: false

  # Base where we can search for users
  #
  #   Ex. ou=People,dc=gitlab,dc=example
  #
  base: 'OU=Users,OU=Washington\, D.C.,OU=United States,OU=NA,DC=my,DC=domain,DC=net'

  # Filter LDAP users
  #
  #   Format: RFC 4515 http://tools.ietf.org/search/rfc4515
  #   Ex. (employeeType=developer)
  #
  #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
  #
  user_filter: ''
EOS
2

Found the issue -

Whitespace issue:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server

needs to read:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
 main: # 'main' is the GitLab 'provider ID' of this LDAP server

Notice the space before main

1 Like
3

Was smashing my head against my desk with this issue for hours! Thanks for the tip. In my case I had two spaces instead of no spaces. Changing it to one space fixed it.

4

Lifesaver!