Gitlab LDAP (Active Directory) Authentication without Server Side Access


I am using GitLab Omnibus 7.10.0 on RHEL 6.6. I have enabled LDAP using the following configuration:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'FOO COM Active Directory (LDAP)'
    host: 'ad.server.foo.com'
    port: 3268
    uid: 'someuser'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'CN=My Whole. Name,OU=Some Users,DC=ad,DC=server,DC=foo,DC=com'
    password: 'thepassword'
    active_directory: true
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'DC=ad,DC=server,DC=foo,DC=com'
    user_filter: ''
    ## EE only
    # group_base: ''
    # admin_group: ''
    # sync_ssh_keys: false
  #
  # secondary: # NOT FILLED OUT
EOS

My problem is that I can't get users to authenticate via LDAP. I'm not sure if the configuration is wrong, or I need to do something on the server side (which I have no direct access to). When I run

gitlab-rake gitlab:ldap:check RAILS_ENV=production

I get this

Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain 

Checking LDAP ... Finished

I can search for individual users using Java with this account (my personal account) or another account for a different application, but can't get AD working with GitLab. I got the bind_dn "My Whole. Name" by running this command on a Windows box:

gpresult -r

I have also tried a bind_dn of:

uid=myADaccountname,OU=Some Users,DC=ad,DC=server,DC=foo,DC=com

and

[email protected]

but I still have the same problem.

2

There are 2 answers

1
Stuart Grassie On BEST ANSWER

For Active Directory, the uid should be:

uid: 'sAMAccountName'

Gitlab should connect using the user specified in the bind_dn, with the given password.

0
moriarty On

Since GitLab 9.5.1 the uid now requires [ ]

See this issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/37120

This might just be a bug which will be fixed.

I had to update the value for Active Directory from the answer above to:

uid: ['sAMAccountName']
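To see why the question's config lists no users while the two answers above fix it, here is an added example (not GitLab's code) that models the user lookup behind `gitlab-rake gitlab:ldap:check`: an equality filter on the configured `uid` attribute, ANDed with `user_filter`, evaluated against constructed AD-style entries. The directory entries, the `find_user`/`login_filter` helpers and the minimal filter evaluator are all assumptions for illustration.

```python
import re

# Constructed sample entries, shaped like what an AD search under `base` returns.
# Note there is no `uid` attribute; AD identifies accounts by sAMAccountName.
SAMPLE_DIRECTORY = [
    {"dn": "CN=My Whole. Name,OU=Some Users,DC=ad,DC=server,DC=foo,DC=com",
     "sAMAccountName": "myadaccountname", "mail": "my.name@foo.com"},
    {"dn": "CN=Jane Doe,OU=Some Users,DC=ad,DC=server,DC=foo,DC=com",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@foo.com"},
]

def uid_attribute(config):
    """GitLab >= 9.5.1 expects uid as a list; older releases took a string."""
    uid = config["uid"]
    return uid[0] if isinstance(uid, list) else uid

def login_filter(config, login):
    """Simplified model of the filter GitLab sends for a login attempt."""
    term = f"({uid_attribute(config)}={login})"
    user_filter = config.get("user_filter") or ""
    return f"(&{term}{user_filter})" if user_filter else term

def matches(entry, ldap_filter):
    """Evaluate (attr=value) terms joined by & or |, case-insensitively like LDAP."""
    m = re.fullmatch(r"\(([&|])(.*)\)", ldap_filter)
    if m:
        results = [matches(entry, t) for t in re.findall(r"\([^()]*\)", m.group(2))]
        return all(results) if m.group(1) == "&" else any(results)
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    present = next((v for k, v in entry.items() if k.lower() == attr.lower()), None)
    return present is not None and present.lower() == value.lower()

def find_user(config, login, directory=SAMPLE_DIRECTORY):
    """Return the DN the login resolves to, or None when the filter matches nothing."""
    flt = login_filter(config, login)
    return next((e["dn"] for e in directory if matches(e, flt)), None)

BROKEN = {"uid": "someuser", "user_filter": ""}          # config from the question
FIXED = {"uid": ["sAMAccountName"], "user_filter": ""}   # per the two answers

if __name__ == "__main__":
    print(find_user(BROKEN, "jdoe"))  # None: no entry carries a 'someuser' attribute
    print(find_user(FIXED, "jdoe"))   # CN=Jane Doe,OU=Some Users,DC=ad,...
```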