I just got Gitlab CE up and running. My local root account works fine and I was able to make a test project. I am trying to get LDAP working as well so AD users can use their normal credentials to log in.
(I am using Gitlab CE 8.17.3 with RHEL 6.8)
I tried following the documentation to add this chunk to my gitlab.rb file.
# LDAP Authentication
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
  main:
    label: 'ActiveDirectory'
    host: '<myhostname>.ad1.prod'
    port: 636 # Change to 636 if using LDAPS
    method: 'tls' # Change to "tls" if using LDAPS
    uid: 'sAMAccountName' # Don't change this
    bind_dn: 'CN=<serviceacct-name>,OU=Service-Accounts,DC=ad1,DC=prod'
    password: '<secretpasswd>'
    timeout: 30
    active_directory: true
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'DC=PROD'
    # Optional: the next line specifies that only members of the user group "gitlab-users" can authenticate to Gitlab:
    #user_filter: '(memberOf:1.2.840.113556.1.4.1941:=CN=GITLAB-USERS,CN=Users,DC=CORP,DC=COM)'
EOS
I am pretty sure we are using ldaps. I was given my hostname in the form of ldaps://myhostname.ad1.prod
I wasn’t sure if I was supposed to put the ldaps:// in the config, so I’ve tried every combination.
I’ve also tried the combination of using 389 and plain, 389 tls, 636 tls, 636 plain (since I’m figuring I should be using ldaps)
I was also told, our port is 3629, so I tried that port with tls and plain.
I’ve gotten errors: “getaddrinfo, name or service unknown” if I use ldaps:// in the hostname. When I removed it, the error I get instead is “connection reset by peer”.
The only time it looks like it works is with 389 (even though I’m guessing I should be using ldaps) and plain/tls, not using ldap:// or ldaps://. However, rake ldap:check, even though it says success, lists no users (it says it will list up to 100). It just says Finished.
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished
And to confirm, when I go to my localhost/ in Chrome, it does show the Active Directory login box, but my credentials don’t work. (Could not authenticate you from Ldapmain because "Invalid credentials".)
I made a table to make sense of each trial and error I did:
I don’t really know anything about LDAP/AD so I can’t really guess what’s wrong, but is it possible I need some type of cert? I only ask because I know with RStudio LDAP integration we had to use some root.pem and int.pem. Just a guess.
Any help on getting LDAP to work would be greatly appreciated!
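As an added example (not part of the original post and not GitLab's own code), the following Ruby script parses a gitlab_rails['ldap_servers'] YAML block the way gitlab.rb does and flags the combinations the post describes trying: a URL scheme inside host (which is what produces the getaddrinfo error), a method/port pairing that does not match, cleartext plain binds, and a base DN whose domain components differ from the bind_dn's. It assumes the GitLab 8.x meaning of method: 'ssl' is LDAPS (simple TLS, normally port 636), 'tls' is STARTTLS (normally port 389) and 'plain' is cleartext. The sample block is constructed from the post's placeholders, and the "corrected" block's base DN of DC=ad1,DC=prod is an assumption derived from the bind_dn, not something the post confirms.

```ruby
require 'yaml'

# Constructed sample: the poster's block with ldaps:// in the host, 'tls' on 636
# and the short base DN, i.e. the combination the post reports as failing.
SAMPLE_LDAP_YAML = <<~EOS
  main:
    label: 'ActiveDirectory'
    host: 'ldaps://<myhostname>.ad1.prod'
    port: 636
    method: 'tls'
    uid: 'sAMAccountName'
    bind_dn: 'CN=<serviceacct-name>,OU=Service-Accounts,DC=ad1,DC=prod'
    password: '<secretpasswd>'
    timeout: 30
    active_directory: true
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'DC=PROD'
EOS

# Constructed "corrected" block: bare hostname, LDAPS via method 'ssl' on 636,
# and a base DN (assumed) matching the domain of the bind account.
CORRECTED_LDAP_YAML = <<~EOS
  main:
    label: 'ActiveDirectory'
    host: '<myhostname>.ad1.prod'
    port: 636
    method: 'ssl'
    uid: 'sAMAccountName'
    bind_dn: 'CN=<serviceacct-name>,OU=Service-Accounts,DC=ad1,DC=prod'
    password: '<secretpasswd>'
    timeout: 30
    active_directory: true
    base: 'DC=ad1,DC=prod'
EOS

# GitLab 8.x 'method' values and the port each normally pairs with
# (assumed from the GitLab LDAP docs of that era).
EXPECTED_PORT = { 'ssl' => 636, 'tls' => 389, 'plain' => 389 }.freeze

# Extract the upper-cased DC= components of a DN, e.g. "DC=AD1,DC=PROD".
def dn_domain(dn)
  dn.split(',').map(&:strip)
    .select { |rdn| rdn.upcase.start_with?('DC=') }
    .map(&:upcase).join(',')
end

# Return a list of human-readable findings; an empty list means nothing looked wrong.
def lint_ldap_servers(yaml_text)
  servers = YAML.load(yaml_text)
  # gitlab.rb expects provider_name => { settings }; unindented keys parse as nil.
  unless servers.is_a?(Hash) && !servers.empty? && servers.values.all? { |v| v.is_a?(Hash) }
    return ['ldap_servers must map a provider name (e.g. main) to an indented block of settings']
  end

  findings = []
  servers.each do |name, cfg|
    host = cfg['host'].to_s
    if host.match?(%r{\A[a-z]+://}i)
      findings << "#{name}: host '#{host}' contains a URL scheme; use the bare hostname " \
                  '(a scheme in host is what produces getaddrinfo errors)'
    end

    method = cfg['method'].to_s
    port = cfg['port']
    if EXPECTED_PORT.key?(method)
      if EXPECTED_PORT[method] != port
        findings << "#{name}: method '#{method}' is normally paired with port " \
                    "#{EXPECTED_PORT[method]}, not #{port}"
      end
    else
      findings << "#{name}: unknown method '#{method}' (expected ssl, tls or plain)"
    end
    findings << "#{name}: method 'plain' sends the bind password in cleartext" if method == 'plain'

    # Heuristic: an AD search base outside the bind account's domain naming context
    # typically returns no users, which matches an empty rake ldap:check listing.
    bind_domain = dn_domain(cfg['bind_dn'].to_s)
    base_domain = dn_domain(cfg['base'].to_s)
    if base_domain.empty? || base_domain != bind_domain
      findings << "#{name}: base '#{cfg['base']}' does not share the domain components " \
                  "of bind_dn (#{bind_domain}); searches may return no users"
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts '--- sample block ---'
  lint_ldap_servers(SAMPLE_LDAP_YAML).each { |f| puts f }
  puts '--- corrected block ---'
  puts(lint_ldap_servers(CORRECTED_LDAP_YAML).empty? ? 'no findings' : 'unexpected findings')
end
```

Run it with `ruby ldap_lint.rb`; the sample block yields three findings (scheme in host, 'tls' on 636, base DN mismatch) and the corrected block yields none. The linter only reads the YAML; it does not contact the directory, so a clean result still leaves the certificate question from the post open, which is checked on the server itself.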