Unable to clone in HTTPS using LDAP, error 500

Hello everyone,

I’ve set up a GitLab instance running in Docker, behind an NGINX reverse proxy.
Everything is working great so far, except when I’m trying to authenticate using LDAP for cloning a repo.

When I’m trying to clone using an LDAP Account, I got this message:

$ git clone https://gitlab.mycompany.local/group/repo_name.git
Cloning into 'repo_name'...
fatal: unable to access 'https://gitlab.mycompany.local/group/repo_name.git': The requested URL returned error: 500

Everything works fine with a regular, local account:

$ git clone https://gitlab.mycompany.local/group/repo_name.git
Cloning into 'repo_name'...
remote: Enumerating objects: 594, done.
remote: Counting objects: 100% (594/594), done.
remote: Compressing objects: 100% (281/281), done.
remote: Total 1915 (delta 534), reused 341 (delta 313), pack-reused 1321
Receiving objects: 100% (1915/1915), 2.98 MiB | 5.33 MiB/s, done.
Resolving deltas: 100% (1698/1698), done.

Here is my GitLab info:

System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.6.5p114
Gem Version:    2.7.10
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.7
Git Version:    2.24.1
Sidekiq Version:5.2.7
Go Version:     unknown

GitLab information
Version:        12.7.0
Revision:       680a5284470
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     10.9
URL:            https://gitlab.mycompany.local
HTTP Clone URL: https://gitlab.mycompany.local/some-group/some-project.git
SSH Clone URL:  ssh://git@gitlab.mycompany.local:9022/some-group/some-project.git
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        11.0.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

In my production.log, I can see this:

Completed 500 Internal Server Error in 85ms (ActiveRecord: 4.5ms | Elasticsearch: 0.0ms)

ArgumentError (encryption or method MUST be provided):

lib/gitlab/auth/ldap/authentication.rb:40:in `new'
lib/gitlab/auth/ldap/authentication.rb:40:in `adapter'
lib/gitlab/auth/ldap/authentication.rb:29:in `login'
lib/gitlab/auth.rb:98:in `block (2 levels) in find_with_user_password'
lib/gitlab/auth.rb:97:in `each'
lib/gitlab/auth.rb:97:in `find'
lib/gitlab/auth.rb:97:in `block in find_with_user_password'
lib/gitlab/auth/unique_ips_limiter.rb:19:in `limit_user!'
lib/gitlab/auth.rb:74:in `find_with_user_password'
lib/gitlab/auth.rb:159:in `user_with_password_for_git'
lib/gitlab/auth.rb:53:in `find_for_git_client'
app/controllers/projects/git_http_client_controller.rb:105:in `handle_basic_authentication'
app/controllers/projects/git_http_client_controller.rb:38:in `authenticate_user'
lib/gitlab/i18n.rb:55:in `with_locale'
lib/gitlab/i18n.rb:61:in `with_user_locale'
app/controllers/application_controller.rb:461:in `set_locale'
lib/gitlab/application_context.rb:18:in `with_context'
app/controllers/application_controller.rb:453:in `set_current_context'
lib/gitlab/error_tracking.rb:34:in `with_context'
app/controllers/application_controller.rb:545:in `sentry_context'
lib/gitlab/middleware/rails_queue_duration.rb:27:in `call'
lib/gitlab/metrics/rack_middleware.rb:17:in `block in call'
lib/gitlab/metrics/transaction.rb:62:in `run'
lib/gitlab/metrics/rack_middleware.rb:17:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:13:in `call'
lib/gitlab/middleware/multipart.rb:117:in `call'
lib/gitlab/middleware/read_only/controller.rb:48:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:23:in `call'
config/initializers/fix_local_cache_middleware.rb:9:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:49:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'

Here is my docker-compose.yml file:

version: '3'

services:
    gitlab:
        image: gitlab/gitlab-ce:latest
        restart: always
        container_name: gitlab
        environment:
          GITLAB_OMNIBUS_CONFIG: |
            external_url 'https://gitlab.mycompany.local'
            nginx['listen_port'] = 80
            nginx['listen_https'] = false
            nginx['real_ip_trusted_addresses'] = [ 'REDACTED' ]
            nginx['real_ip_header'] = 'X-Forwarded-For'
            nginx['real_ip_recursive'] = 'on'
            gitlab_rails['gitlab_shell_ssh_port'] = 9022
            gitlab_rails['ldap_enabled'] = true
            gitlab_rails['ldap_servers'] = YAML.load <<-EOS
            main:
              label: 'LDAP'
              host: REDACTED
              port: 389
              uid: 'sAMAccountName'
              bind_dn: 'REDACTED'
              password: "REDACTED"
              active_directory: true
              base: 'DC=mycompany,DC=local'
            EOS

        ports:
            - '5802:80'
            - '5902:443'
            - '9022:22'
        volumes:
            - '/srv/gitlab/config:/etc/gitlab'
            - '/srv/gitlab/logs:/var/log/gitlab'
            - '/srv/gitlab/data:/var/opt/gitlab'

The weird thing is that when I’m trying to log in through the web UI, everything works as expected …

Any clues would be appreciated.

I went through the exact same problem and unfortunately saw your topic with no solution, so I had to figure it out.
Actually, what was missing in the Omnibus LDAP configuration is the encryption method. It is required according to the documentation https://docs.gitlab.com/ee/administration/auth/ldap/, but unfortunately we missed it, with NO ERROR MESSAGE so far, and the LDAP login on the web portal was totally fine, which is misleading.

Nevertheless, I have added the encryption method as per the documentation and checked for other missing required values:
encryption: 'plain'
and it worked just fine.


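Setting the LDAP encryption: 'plain' parameter does indeed work, and it works just the same for a Helm deployment, as follows:
ldap:
servers:
main:
encryption: 'plain'

The YAML formatting had its spaces stripped; the structure is ldap.servers.main.encryption: 'plain'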
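
A pre-deployment check for the omission described in this thread, written as an added example (not code from the posters or from GitLab): it parses the `ldap_servers` YAML and reports a missing `encryption`/`method` key, and also flags `plain`, which sends bind and user passwords over the network unencrypted. The required-key list, the accepted values `start_tls`/`simple_tls`/`plain`, and the sample host and bind DN are assumptions; verify them against the documentation for your GitLab version.

```ruby
require 'yaml'

# Accepted values (assumed from the GitLab LDAP docs linked in the thread).
ENCRYPTION_VALUES = %w[start_tls simple_tls plain].freeze
# Assumed set of mandatory keys; check the docs for your GitLab version.
REQUIRED_KEYS = %w[label host port uid base].freeze

# Returns an array of [server_id, severity, message] findings.
def audit_ldap_servers(yaml_text)
  servers = YAML.safe_load(yaml_text) || {}
  servers.flat_map do |id, cfg|
    cfg ||= {}
    findings = []
    (REQUIRED_KEYS - cfg.keys).each do |key|
      findings << [id, :error, "missing required key '#{key}'"]
    end
    # The error in production.log accepts either key name.
    enc = cfg['encryption'] || cfg['method']
    if enc.nil?
      findings << [id, :error, "neither 'encryption' nor 'method' is set"]
    elsif !ENCRYPTION_VALUES.include?(enc.to_s)
      findings << [id, :error, "unknown encryption value '#{enc}'"]
    elsif enc.to_s == 'plain'
      findings << [id, :warning, 'plain: bind and user passwords are sent unencrypted']
    end
    findings
  end
end

# Constructed sample mirroring the compose file in the question
# (host, bind_dn and password are placeholders).
SAMPLE = <<~YAML
  main:
    label: 'LDAP'
    host: ldap.example.invalid
    port: 389
    uid: 'sAMAccountName'
    bind_dn: 'CN=svc,DC=mycompany,DC=local'
    password: 'placeholder'
    active_directory: true
    base: 'DC=mycompany,DC=local'
YAML

if __FILE__ == $PROGRAM_NAME
  audit_ldap_servers(SAMPLE).each { |f| puts f.join(' | ') }
end
```

Run against the sample, it reports the same gap that surfaced as the `ArgumentError` in production.log; adding `encryption: 'plain'` clears the error but leaves the cleartext warning.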