Trying to set up LDAP with Gitlab

I just got Gitlab CE up and running. My local root account works fine and I was able to make a test project. I am trying to get LDAP working as well so AD users can use their normal credentials to log in.

(I am using Gitlab CE 8.17.3 with RHEL 6.8)

I tried following the documentation to add this chunk to my gitlab.rb file.

# LDAP Authentication
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
 main:
  label: 'ActiveDirectory'
  host: '<myhostname>.ad1.prod'
  port: 636 #Change to 636 if using LDAPS
  method: 'tls' # Change to "tls" if using LDAPS
  uid: 'sAMAccountName' # Don't change this
  bind_dn: 'CN=<serviceacct-name>,OU=Service-Accounts,DC=ad1,DC=prod'
  password: '<secretpasswd>'
  timeout: 30
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'DC=PROD'
  # Optional: the next line specifies that only members of the user group "gitlab-users" can authenticate to Gitlab:
  #user_filter: '(memberOf:1.2.840.113556.1.4.1941:=CN=GITLAB-USERS,CN=Users,DC=CORP,DC=COM)'
EOS

I am pretty sure we are using ldaps. I was given my hostname in the form of ldaps://myhostname.ad1.prod

I wasn’t sure if I was supposed to put the ldaps:// in the config, so I’ve tried every combination.
I’ve also tried the combinations 389/plain, 389/tls, 636/tls and 636/plain (since I’m figuring I should be using ldaps).

I was also told, our port is 3629, so I tried that port with tls and plain.

I’ve gotten errors: “getaddrinfo, name or service unknown” if I use ldaps:// in the hostname; when I removed it, the error became “connection reset by peer”.

The only time it looks like it works is with 389 (even though I’m guessing I should be using ldaps) and plain/tls, not using ldap:// or ldaps://. However, even though rake ldap:check says success, it lists no users (it says it will list up to 100) and just says Finished.

Checking LDAP ... 
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

And to confirm, when I go to my localhost/ in Chrome, it does show Active Directory login box, but my credentials don’t work. (Could not authenticate you from Ldapmain because "Invalid credentials".)

I made a table to make sense of each trial and error I did:

I don’t know really anything about LDAP/AD so I can’t really guess what’s wrong, but is it possible I need some type of cert? I only ask cause I know with Rstudio LDAP integration we had to use some root.pem and int.pem. Just a guess.

Any help on getting LDAP to work would be greatly appreciated!

When using tls you probably want to specify verify_certificates: false as otherwise the client needs the certificates from the server (and you would need a CA for that) and you need to use a working DNS.
If you don’t need tls, you can try using an IP.
My working config on Server 2016 (perhaps it helps you):

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
main:
  label: 'ActiveDirectory'
  host: '123.123.123.123'
  port: 389
  method: 'plain' # Change to "tls" if using LDAPS
  uid: 'sAMAccountName'
  bind_dn: 'CN=gitlab_link,OU=MYOU,DC=DOMAIN,DC=LOCAL'
  password: 'examplepass'
  timeout: 10
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'OU=USERTHATNEEDTOLOGIN,OU=SOMEOU,DC=DOMAIN,DC=LOCAL'
EOS
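Added example, not part of the original thread and not GitLab's own code: a small Ruby checker for the YAML block inside `ldap_servers`, run offline against copies of both configs above (the question's and the reply's). It encodes the points that explain the trial-and-error table in the question: `host` must be a bare name (a `ldaps://` prefix is what makes `getaddrinfo` fail), the GitLab 8.x `method` key takes `plain`, `tls` (STARTTLS on 389) or `ssl` (LDAPS on 636), so `tls` on port 636 is the mismatch that produces "connection reset by peer", and a `base` that does not sit under the host's domain (`DC=ad1,DC=prod` for a host in `ad1.prod`) is the usual reason `rake ldap:check` binds fine but lists no users. The domain-DN derivation from the hostname is a heuristic I added, not something GitLab does; the port/method pairing and well-known AD ports (389/636, 3268/3269 for the global catalog) are standard.

```ruby
require 'yaml'

# Well-known AD/LDAP ports: 389/3268 carry cleartext LDAP (optionally upgraded with
# STARTTLS); 636/3269 expect TLS from the first byte (LDAPS).
LDAPS_PORTS = [636, 3269].freeze

# GitLab 8.x 'method' values: 'plain' (no encryption), 'tls' (STARTTLS), 'ssl' (LDAPS).
METHODS = %w[plain tls ssl].freeze

# Constructed copy of the question's config (placeholders kept as in the post).
QUESTION_CONFIG = <<-EOS
 main:
  label: 'ActiveDirectory'
  host: '<myhostname>.ad1.prod'
  port: 636
  method: 'tls'
  uid: 'sAMAccountName'
  bind_dn: 'CN=<serviceacct-name>,OU=Service-Accounts,DC=ad1,DC=prod'
  password: '<secretpasswd>'
  timeout: 30
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'DC=PROD'
EOS

# Constructed copy of the reply's working config.
ANSWER_CONFIG = <<-EOS
main:
  label: 'ActiveDirectory'
  host: '123.123.123.123'
  port: 389
  method: 'plain'
  uid: 'sAMAccountName'
  bind_dn: 'CN=gitlab_link,OU=MYOU,DC=DOMAIN,DC=LOCAL'
  password: 'examplepass'
  timeout: 10
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'OU=USERTHATNEEDTOLOGIN,OU=SOMEOU,DC=DOMAIN,DC=LOCAL'
EOS

# Heuristic (my assumption, not GitLab behaviour): an AD domain controller named
# host.ad1.prod serves the naming context DC=ad1,DC=prod. Returns nil for IPs or bare names.
def domain_dn_for(host)
  labels = host.split('.')
  return nil if labels.size < 2 || host =~ /\A[\d.]+\z/
  labels.drop(1).map { |l| "DC=#{l}" }.join(',')
end

# DN comparison that ignores case and spaces, which LDAP treats as insignificant here.
def dn_ends_with?(dn, suffix)
  dn.to_s.delete(' ').downcase.end_with?(suffix.delete(' ').downcase)
end

# Returns an array of problem strings for one server entry; empty means it looks sane.
def lint_ldap_server(s)
  problems = []
  host, port, method = s['host'].to_s, s['port'], s['method'].to_s

  if host =~ %r{\A[a-z]+://}i
    problems << "host '#{host}' contains a URL scheme; use the bare hostname (ldaps:// causes getaddrinfo failures)"
  end

  if !METHODS.include?(method)
    problems << "method '#{method}' is not one of #{METHODS.join('/')}"
  elsif method == 'ssl' && !LDAPS_PORTS.include?(port)
    problems << "method 'ssl' (LDAPS) is normally used with port 636 or 3269, not #{port}"
  elsif method != 'ssl' && LDAPS_PORTS.include?(port)
    problems << "port #{port} is an LDAPS port but method is '#{method}'; LDAPS needs method 'ssl' (STARTTLS on an LDAPS port gets the connection reset)"
  end

  problems << 'method plain sends the bind password in cleartext' if method == 'plain'
  problems << 'base DN is empty' if s['base'].to_s.strip.empty?
  problems << 'bind password is empty' if s['password'].to_s.empty?

  if (dom = domain_dn_for(host))
    problems << "base '#{s['base']}' does not end with the domain DN #{dom} derived from host" unless dn_ends_with?(s['base'], dom)
    problems << "bind_dn '#{s['bind_dn']}' does not end with the domain DN #{dom}" unless dn_ends_with?(s['bind_dn'], dom)
  end
  problems
end

# Lints every server in the YAML block; returns { 'main' => [problems...] }.
def lint_ldap_servers(yaml_text)
  YAML.safe_load(yaml_text).map { |name, server| [name, lint_ldap_server(server)] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  { 'question' => QUESTION_CONFIG, 'answer' => ANSWER_CONFIG }.each do |label, cfg|
    lint_ldap_servers(cfg).each do |name, problems|
      puts "#{label}/#{name}: #{problems.empty? ? 'no issues found' : "\n  " + problems.join("\n  ")}"
    end
  end
end
```

Run it with `ruby ldap_lint.rb` (file name is my choice); it reports the port/method mismatch and the base-DN mismatch for the question's block, and flags the cleartext bind in the reply's block, which is the trade-off to weigh against setting `verify_certificates: false`. To check your own gitlab.rb, paste the text between `YAML.load <<-EOS` and `EOS` into one of the constants.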