I just got Gitlab CE up and running. My local root account works fine and I was able to make a test project. I am trying to get LDAP working as well so AD users can use their normal credentials to log in.
(I am using Gitlab CE 8.17.3 with RHEL 6.8)
I tried following the documentation to add this chunk to my
```ruby
# LDAP Authentication
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
main:
  label: 'ActiveDirectory'
  host: '<myhostname>.ad1.prod'
  port: 636 # Change to 636 if using LDAPS
  method: 'tls' # Change to "tls" if using LDAPS
  uid: 'sAMAccountName' # Don't change this
  bind_dn: 'CN=<serviceacct-name>,OU=Service-Accounts,DC=ad1,DC=prod'
  password: '<secretpasswd>'
  timeout: 30
  active_directory: true
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'DC=PROD'
  # Optional: the next line specifies that only members of the user group "gitlab-users" can authenticate to Gitlab:
  #user_filter: '(memberOf:1.2.840.113522.214.171.1241:=CN=GITLAB-USERS,CN=Users,DC=CORP,DC=COM)'
EOS
```
I am pretty sure we are using ldaps. I was given my hostname in the form of ldaps://myhostname.ad1.prod
I wasn’t sure if I was supposed to put the ldaps:// in the config, so I’ve tried every combination.
I’ve also tried the combination of using 389 and plain, 389 tls, 636 tls, 636 plain (since I’m figuring I should be using ldaps)
I was also told, our port is 3629, so I tried that port with tls and plain.
I’ve gotten two kinds of errors: “getaddrinfo, name or service unknown” if I use ldaps:// in the hostname. If I remove it, the error I get is “connection reset by peer”.
The only time it looks like it works is with 389 (even though I’m guessing I should be using ldaps) and plain/tls, not using ldap:// or ldaps://. However, `rake ldap:check`, even though it says Success, lists no users (it says it will list up to 100). It just says Finished:
```
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished
```
And to confirm, when I go to my localhost/ in Chrome, it does show the Active Directory login box, but my credentials don’t work (“Could not authenticate you from Ldapmain because "Invalid credentials".”).
I made a table to make sense of each trial and error I did:
I don’t really know anything about LDAP/AD so I can’t really guess what’s wrong, but is it possible I need some type of cert? I only ask because I know that with the RStudio LDAP integration we had to use some root.pem and int.pem. Just a guess.
Any help on getting LDAP to work would be greatly appreciated!
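The three symptoms in the question (DNS failure with a scheme in `host`, a reset on 636, and a check that succeeds but lists no users) each map to one line of the LDAP block. The script below is an added example, not part of the original post or of GitLab: it parses a flat GitLab-style LDAP server block and flags those mismatches offline, before any connection is attempted. It assumes the GitLab 8-era `method` values `plain`, `tls` (STARTTLS on the cleartext port) and `ssl` (LDAPS); the hostname and service-account name in the sample are constructed, not real values.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the poster's block with hypothetical hostname and
# account name filled in (these are not real values).
SAMPLE_CONFIG = """\
main:
  label: 'ActiveDirectory'
  host: 'ldaps://myhostname.ad1.prod'
  port: 636
  method: 'tls'
  uid: 'sAMAccountName'
  bind_dn: 'CN=svc-gitlab,OU=Service-Accounts,DC=ad1,DC=prod'
  password: '<secretpasswd>'
  timeout: 30
  active_directory: true
  base: 'DC=PROD'
"""

# Assumption: GitLab 8.x accepts these three `method` values, where 'tls'
# is STARTTLS on the cleartext port and 'ssl' is LDAPS on a TLS listener.
STARTTLS_METHOD = "tls"
LDAPS_METHOD = "ssl"
KNOWN_METHODS = ("plain", STARTTLS_METHOD, LDAPS_METHOD)

Finding = Tuple[str, str]  # (code, human-readable message)


def parse_ldap_block(text: str) -> Dict[str, str]:
    """Parse the flat `key: 'value'` lines of one GitLab LDAP server block.

    Sufficient for the omnibus template layout; not a general YAML parser.
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line or line.endswith(":"):      # skip blanks and the 'main:' header
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip().strip("'\"")
    return cfg


def dc_suffix(dn: str) -> str:
    """Return the lower-cased DC=... components of a DN, e.g. 'dc=ad1,dc=prod'."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def lint_ldap_config(cfg: Dict[str, str]) -> List[Finding]:
    """Flag host/port/method/base combinations that cannot work as written."""
    findings: List[Finding] = []
    host = cfg.get("host", "")
    port = int(cfg.get("port", "389"))
    method = cfg.get("method", "plain")

    # 1. host must be a bare hostname; a URL scheme is passed to DNS as-is,
    #    which is what produces "getaddrinfo: name or service not known".
    if re.match(r"^[a-z]+://", host, re.IGNORECASE):
        findings.append(("HOST_SCHEME",
                         f"host '{host}' contains a URL scheme; use the bare hostname"))

    # 2. port and method must describe the same transport. Sending cleartext
    #    LDAP (plain or STARTTLS) to a TLS-only listener on 636 typically ends
    #    in a reset rather than a clear error.
    if method not in KNOWN_METHODS:
        findings.append(("METHOD",
                         f"unknown method '{method}', expected one of {KNOWN_METHODS}"))
    elif port == 636 and method != LDAPS_METHOD:
        findings.append(("PORT_METHOD",
                         f"port 636 is LDAPS but method '{method}' starts in cleartext; "
                         f"use method '{LDAPS_METHOD}' (STARTTLS is '{STARTTLS_METHOD}' on 389)"))
    elif port == 389 and method == LDAPS_METHOD:
        findings.append(("PORT_METHOD",
                         f"port 389 is the cleartext/STARTTLS port but method '{LDAPS_METHOD}' "
                         f"expects a TLS listener; use port 636 or method '{STARTTLS_METHOD}'"))

    # 3. base must be a naming context that exists in the directory. The bind
    #    account's own domain is known to exist; anything else needs checking.
    #    A search under a nonexistent base returns no users, and GitLab must
    #    find the user under base before it can bind as them.
    bind_domain = dc_suffix(cfg.get("bind_dn", ""))
    base = dc_suffix(cfg.get("base", ""))
    if bind_domain and base != bind_domain:
        findings.append(("BASE_DOMAIN",
                         f"base '{cfg.get('base')}' is not the bind account's domain "
                         f"'{bind_domain}'; searches under a base that does not exist return nothing"))

    # 4. template placeholders left in the file are a common copy-paste slip
    for key in ("host", "bind_dn", "password"):
        value = cfg.get(key, "")
        if "<" in value and ">" in value:
            findings.append(("PLACEHOLDER",
                             f"{key} still holds a template placeholder: {value}"))
    return findings


if __name__ == "__main__":
    for code, message in lint_ldap_config(parse_ldap_block(SAMPLE_CONFIG)):
        print(f"{code:12} {message}")
```

Run against the sample, the lint reports all four findings; changing `host` to the bare name, `method` to `ssl` for port 636 and `base` to `DC=ad1,DC=prod` (the bind account's own domain) clears them. The same base mismatch explains both the empty user list from `rake ldap:check` and the "Invalid credentials" at login, because GitLab has to locate the user's entry under `base` before it binds with their password; a successful service-account bind on its own says nothing about whether that search can find anyone.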