GitLab ce-8.0.x 8.1.0 FreeIPA LDAP email field always updates to temporary email, LDAP e-mail ignored
We have the following issue.
GitLab version: 8.0.4, 8.0.5, 8.1.0
Summary:
We have GitLab working fine; as admin I can create, import and manage projects, repositories etc. I linked our FreeIPA and it seems to work, as much as users can log in using their LDAP password. However we hit a problem: the LDAP email is not read by GitLab, and a temp one is assigned.
First thing I tried was to, as admin, update manually the e-mail field for each user. But at next login, the e-mail and avatar are deleted and the fixed, read-only values are back there. Users cannot WORK while the temporary password is in place, as they are redirected to the complete profile section every time.
Either some logic is broken or we have hugely overlooked something in our deployment.
We have followed this for the LDAP section: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/ldap.md
Steps to reproduce:
Configuration.
This is our /etc/gitlab/gitlab.rb:
main:
  label: 'LDAP Authentication'
  host: 'host.domain.com'
  port: 389
  uid: 'uid'
  method: 'plain'
  bind_dn: 'cn=ldapbind,cn=groups,cn=accounts,dc=domain,dc=com'
  password: 'XXXXXXXXXX'
  base: 'cn=accounts,dc=domain,dc=com'
  groupbase: 'cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com'
  filter: ''
  allow_username_or_email_login: true
  attributes:
    username: ['uid', 'userid', 'sAMAccountName']
    email: ['email', 'mail', 'userPrincipalName']
    name: 'cn'
    first_name: 'givenname'
    last_name: 'sn'
EOS
Things I have tried with this configuration already:
Just empty base.
Just empty group base
filter instead of base
No attributes
mail first instead of email in attributes list
attributes with no list
givenName and givenname produce same result in attributes
We tried with name.surname and name.s...@domain.com, same results.
The result is always the same: if the combination allows LDAP users to log in (the one above does), they will not get the email field populated and there is the eternal loop where we can never continue.
Just in case it is suggested, no, we will not change IPA for another DS or LDAP solution, it works and integrates very well with many other things. We are actually moving away from SCM manager, where we have this working well.
The LDAP for the objects is like that:
dn: uid=name.surnam,cn=users,cn=accounts,dc=domain,dc=com
uid: name.surname
givenname: Name
sn: Surname
cn: Name Surname
initials: NS
homedirectory: /home/name.surname
gecos: Name Surname
loginshell: /bin/bash
mail: name.s...@domain.com
...
memberof: cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com
...
Observed behavior:
What I see in the log.
login:
==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
I, [2015-10-08T13:29:56.644683 #29472]  INFO -- omniauth: (ldapmain) Callback phase initiated.

==> /var/log/gitlab/gitlab-rails/production.log <==
Processing by OmniauthCallbacksController#ldapmain as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.name", "password"=>"[FILTERED]"}
Redirected to http://gitlab.domain.com/
Completed 302 Found in 3403ms (ActiveRecord: 607.2ms)

==> /var/log/gitlab/nginx/gitlab_access.log <==
x.x.x.x - - [08/Oct/2015:13:30:05 +0200] "POST /users/auth/ldapmain/callback HTTP/1.1" 302 110 "http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"

==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/" for x.x.x.x at 2015-10-08 13:30:06 +0200
Processing by RootController#index as HTML
Redirected to http://gitlab.domain.com/profile
Filter chain halted as :require_email rendered or redirected
Completed 302 Found in 75ms (ActiveRecord: 16.0ms)

==> /var/log/gitlab/nginx/gitlab_access.log <==
x.x.x.x - - [08/Oct/2015:13:30:06 +0200] "GET / HTTP/1.1" 302 117 "http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"

==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/profile" for x.x.x.x at 2015-10-08 13:30:06 +0200
Processing by ProfilesController#show as HTML
After this, no matter if I delete the account and a new login is done, the result is the same. Any additional login results in the same:
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "user"=>{"name"=>"Name Surname", "email"=>"temp-email-for-oauth-name.surname@gitlab.localhost", "public_email"=>"", "skype"=>"", "linkedin"=>"", "twitter"=>"", "website_url"=>"", "location"=>"", "bio"=>""}}
Any ideas or suggestions? Are we doing anything wrong here?
Many thanks in advance.
Full thread in GitLab group:
https://groups.google.com/forum/#!topic/gitlabhq/cnC1V1tfgIE
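To make the failure mode in this report concrete, here is an added Python model (not GitLab's or omniauth-ldap's own code) of how a first-match attribute list like the `attributes:` block in the gitlab.rb above resolves against an LDAP entry. The entry is constructed from the object shown in the report with placeholder values, and the fallback address format is the one visible in the report's log; treating attribute names case-insensitively is an assumption that matches the `givenName`/`givenname` observation.

```python
# Constructed LDIF entry modelled on the object in the report (placeholder values).
SAMPLE_LDIF = """\
dn: uid=name.surname,cn=users,cn=accounts,dc=domain,dc=com
uid: name.surname
givenname: Name
sn: Surname
cn: Name Surname
mail: name.surname@domain.com
memberof: cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com
"""

# Attribute lists copied from the reporter's gitlab.rb: first match wins.
ATTRIBUTES = {
    "username": ["uid", "userid", "sAMAccountName"],
    "email": ["email", "mail", "userPrincipalName"],
    "name": ["cn"],
}


def parse_ldif(text):
    """Parse one LDIF entry into {attr_lowercase: [values]}.
    LDAP attribute names are case-insensitive (assumption), so keys are
    lower-cased; this is why 'givenName' and 'givenname' behave the same."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def resolve(entry, candidates):
    """Return the value of the first configured attribute present, else None."""
    for attr in candidates:
        values = entry.get(attr.lower())
        if values:
            return values[0]
    return None


def map_user(entry, attributes=ATTRIBUTES):
    """Build the profile fields a first-match mapping would fill from the entry.
    email_source names the attribute that supplied the address, or None when
    no configured email attribute came back from the directory. In that case
    the address falls back to the placeholder pattern seen in the report's log
    (assumed, from the log, to be what GitLab substitutes for a missing email)."""
    username = resolve(entry, attributes["username"])
    source = next((a for a in attributes["email"] if entry.get(a.lower())), None)
    email = entry[source.lower()][0] if source else f"temp-email-for-oauth-{username}@gitlab.localhost"
    return {"username": username, "email": email, "email_source": source,
            "name": resolve(entry, attributes["name"])}
```

If `email_source` comes back `None` for an entry you obtained by binding as the configured `bind_dn`, none of the listed attributes was returned to that account, which is the first thing to compare against an ldapsearch performed with the same bind DN.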