A user who is created in GitLab after LDAP sign-in cannot sign in again
Installation details:
- GitLab 8.0.4 installed in Docker
- Completely fresh installation with only the root user.
Problem description:
I have a user with username bstinson which is automatically created in GitLab when he logs in using LDAP authentication. This is the output of gitlab-rails/application.log:
October 21, 2015 12:44: User "Barney Stinson" (bstinson@gna.com) was created
October 21, 2015 12:44: (OAuth) saving user Bstinson@gna.com from login with extern_uid => CN=Barney Stinson,OU=Dev Users,OU=Development,DC=gna,DC=local
When this user logs out and tries to sign in again, the "Sign in" form shows the error:
Could not authorize you from Ldapmain because "Undefined method `provider' for nil:nilclass".
and gitlab-rails/application.log shows:
October 21, 2015 12:47: (OAuth) Error saving user: ["Email has already been taken", "Identities extern uid has already been taken"]
and gitlab-rails/production.log shows:
Started POST "/users/auth/ldapmain/callback" for 127.0.0.1 at 2015-10-21 12:47:24 +0300
Processing by OmniauthCallbacksController#ldapmain as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"bstinson", "password"=>"[FILTERED]"}
Completed 500 Internal Server Error in 276ms (ActiveRecord: 23.5ms)
My LDAP configuration is the following:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '192.168.10.2'
    port: 389
    uid: 'sAMAccountName'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'CN=admin,OU=Dev Users,OU=Development,DC=gna,DC=local'
    password: 'mypass'
    active_directory: true
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'dc=gna,dc=local'
    user_filter: ''
    attributes:
      username: ['sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
EOS
Concerning the database, I connect using psql and the users table entry is:
gitlabhq_production=# select * from users where username like '%bstinson%';
-[ RECORD 1 ]--------------+-------------------------------------------------------------
id | 8
email | bstinson@gnb.com
encrypted_password | $2a$1rWL15b0of0vdPe4GHeN7cBGn4/.85nUhS1Bbrg3jcpGTw.
reset_password_token |
reset_password_sent_at |
remember_created_at |
sign_in_count | 1
current_sign_in_at | 2015-10-21 09:44:23.49429
last_sign_in_at | 2015-10-21 09:44:23.49429
current_sign_in_ip | 127.0.0.1
last_sign_in_ip | 127.0.0.1
created_at | 2015-10-21 09:44:23.070246
updated_at | 2015-10-21 09:47:16.207773
name | Barney Stinson
admin | f
projects_limit | 10
skype |
linkedin |
twitter |
authentication_token | uoc413too2PKkVMBFqLw
theme_id | 2
bio |
failed_attempts | 0
locked_at |
username | bstinson1
can_create_group | t
can_create_team | f
state | active
color_scheme_id | 1
notification_level | 1
password_expires_at |
created_by_id |
last_credential_check_at | 2015-10-21 09:44:23.37368
avatar |
confirmation_token |
confirmed_at | 2015-10-21 09:44:22.459343
confirmation_sent_at |
unconfirmed_email |
hide_no_ssh_key | f
website_url |
notification_email | bstinson@gnb.com
hide_no_password | f
password_automatically_set | t
location |
encrypted_otp_secret |
encrypted_otp_secret_iv |
encrypted_otp_secret_salt |
otp_required_for_login | f
otp_backup_codes | null
public_email |
dashboard | 0
project_view | 0
consumed_timestep |
and the identities table entry for this user is:
gitlabhq_production=# select * from identities;
-[ RECORD 1 ]----------------------------------------------------------------------------
id | 7
extern_uid | CN=Barney Stinson,OU=Dev Users,OU=Development,DC=gna,DC=local
provider | ldapmain
user_id | 8
created_at | 2015-10-21 09:44:23.094698
updated_at | 2015-10-21 09:44:23.094698
As far as I can see, every time the user tries to sign in via LDAP the following happens:
- GitLab tries to recreate the user.
- An integer is appended after the username, so "bstinson" becomes "bstinson1".
- I have run sudo gitlab-rake gitlab:check, and it shows no errors.
I have searched for other issues having the same problem using this query, but I could not find any issue similar to mine ... I have read and tried all possible solutions described in issues #993, #1875, #1964, #946.
Is there something I am missing?
Thank you in advance,
Christos