I have two machines with CentOS 7.0 on each one. The first one is a domain controller with OpenLDAP only. I configured OpenLDAP according to this tutorial: http://www.server-world.info/en/note?os=CentOS_7&p=openldap

Then, I have another machine with GitLab. I'm trying to configure LDAP authentication, but each time I receive an 'Invalid Credentials' error.

My GitLab config:

"gitlab-rails": {
  "ldap_enabled": true,
  "ldap_servers": {
    "main": {
      "label": "LDAP",
      "host": "192.168.50.4",
      "port": 389,
      "uid": "uid",
      "method": "plain",
      "bind_dn": "CN=gitlab,OU=people,DC=courseproject,DC=org",
      "password": "mypass",
      "active_directory": false,
      "allow_username_or_email_login": false,
      "base": "OU=people,DC=courseproject,DC=org",
      "user_filter": ""
    }
  }
}

I have to use plain auth and LDAP, not LDAPS for another project.

My users & groups configuration:

dn: dc=courseproject,dc=org
objectClass: top
objectClass: dcObject
objectclass: organization
o: courseproject org
dc: courseproject

dn: cn=admin,dc=courseproject,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: mySHApass

dn: ou=people,dc=courseproject,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=courseproject,dc=org
objectClass: organizationalUnit
ou: groups

I'm not really familiar with OpenLDAP; I only have previous experience with AD.

What information can I provide for investigating this issue?

vladfau

1 Answer

First of all, you should probably change the configuration for allow_username_or_email_login to true.

Then you probably want to create a group gitlabusers holding the users you wish to grant access to the server and modify the user_filter to '(memberOf=cn=gitlabusers,ou=groups,dc=courseproject,dc=org)'.

Then apply the changes using gitlab-ctl reconfigure and check the LDAP configuration using

   gitlab-rake gitlab:ldap:check RAILS_ENV=production

Unless this command succeeds in giving you the list of users you expect, you have a mistake in your configuration...

For info, my configuration below (against a FreeIPA server) works:

 gitlab_rails['ldap_enabled'] = true 
 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'IPA'
     host: 'ipa.mydomain.com'
     port: 389
     uid: 'uid'
     method: 'tls' # "tls" or "ssl" or "plain"
     bind_dn: 'uid=gitlab,cn=sysaccounts,cn=etc,dc=mydomain,dc=com'
     password: '<password>'
     active_directory: false
     allow_username_or_email_login: true
     #block_auto_created_users: false
     base: 'cn=users,cn=accounts,dc=mydomain,dc=com'
     user_filter: '(memberOf=cn=gitlabusers,cn=groups,cn=accounts,dc=mydomain,dc=com)'
     ## EE only
     group_base: 'cn=groups,cn=accounts,dc=mydomain,dc=com'
     #admin_group: ''
     #sync_ssh_keys: true
 EOS
  • If this is not working, try this post: http://serverfault.com/questions/707770/gitlab-active-directory-authentication-no-results-and-no-authentication – Noir Jul 28 '16 at 12:17
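
An offline sanity check for the kind of mismatch this thread is debugging, added here as an example and not taken from any post above: it parses an LDIF export and checks that the bind_dn and base from the GitLab settings exist as entries, that something under the base carries the login attribute, and that the bind is not sent in cleartext. CONFIG and LDIF are constructed (abridged) from the values in the question; the function names are hypothetical, and the parser ignores LDIF line folding, base64 values and escaped commas in DNs.

```python
# Added example; CONFIG and LDIF are constructed (abridged) from the question's values.
CONFIG = {"uid": "uid", "method": "plain", "base": "OU=people,DC=courseproject,DC=org",
          "bind_dn": "CN=gitlab,OU=people,DC=courseproject,DC=org"}

LDIF = """\
dn: dc=courseproject,dc=org
objectClass: organization

dn: cn=admin,dc=courseproject,dc=org
objectClass: simpleSecurityObject
userPassword: mySHApass

dn: ou=people,dc=courseproject,dc=org
objectClass: organizationalUnit

dn: ou=groups,dc=courseproject,dc=org
objectClass: organizationalUnit
"""

def norm_dn(dn):
    # DNs compare case-insensitively; also drop whitespace around each RDN part.
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1)).lower() for rdn in dn.split(","))

def parse_ldif(text):
    # Map normalized DN -> {lower-cased attribute name: [values]}; entries are blank-line separated.
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def check(config, entries):
    findings = []
    bind, base = norm_dn(config["bind_dn"]), norm_dn(config["base"])
    if bind not in entries:  # a simple bind as a DN that does not exist cannot succeed
        findings.append("bind_dn has no entry in the export")
    elif "userpassword" not in entries[bind]:
        findings.append("bind_dn entry has no userPassword attribute")
    if base not in entries:
        findings.append("search base has no entry in the export")
    if not any(dn.endswith("," + base) and config["uid"].lower() in a for dn, a in entries.items()):
        findings.append("no entry under base carries the login attribute")
    if config["method"] == "plain":
        findings.append("method 'plain' sends the bind password unencrypted")
    return findings
print("\n".join(check(CONFIG, parse_ldif(LDIF))))
```

On the entries as posted it reports three findings: the bind DN is absent from the export, nothing under ou=people has a uid attribute, and the bind password travels in cleartext. OpenLDAP answers a simple bind to a nonexistent DN with invalidCredentials (49).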