LDAP authentication fails where ldapsearch works
Summary: "gitlab-rake gitlab:ldap:check RAILS_ENV=production" results in an empty response from LDAP, whereas the identical ldapsearch command works.
Version/package: gitlab-ce-7.12.0~omnibus-1.x86_64 (centos6)
Output of checks:
Checking GitLab Shell ...
GitLab Shell version >= 2.6.3 ? ... OK (2.6.3)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
Satellites access is drwxr-x---? ... yes
hooks directories in repos are links: ...
2/1 ... repository is empty
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Check directories and files:
/var/opt/gitlab/git-data/repositories: OK
/var/opt/gitlab/.ssh/authorized_keys: OK
Test redis-cli executable: redis-cli 2.8.20
Send ping to redis server: PONG
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
Database is SQLite ... no
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
2/1 ... yes
Projects have satellites? ...
2/1 ... can't create, repository is empty
Redis version >= 2.0.0? ... yes
Ruby version >= 2.0.0 ? ... yes (2.1.6)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 1.7.10 ? ... yes (2.4.3)
Active users: 2
Checking GitLab ... Finished
gitlab.rb passage:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'LDAP'
host: 'HOSTNAME'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain" --- Ill start experimenting with TLS once I get the basic functionality working...
bind_dn: 'uid=USERNAME,ou=tuser,ou=CORPNAME,ou=organization,dc=CORPDOM,dc=com'
password: 'redacted'
active_directory: true #also tried false here, no difference
allow_username_or_email_login: false
block_auto_created_users: false
base: 'ou=organization,dc=CORPDOM,dc=com'
#user_filter: '(&(uid=%v)(objectclass=inetOrgPerson))'
#user_filter: '(&(objectCategory=Person)(sAMAccountName=*))'
user_filter: ''
## EE only
group_base: ''
#admin_group: ''
#sync_ssh_keys: false
HOSTNAME, USERNAME, CORPNAME and CORPDOM are anonymisation tokens
The other 2 listed filters I tried as well to no avail (they are in use in other applications)
(Yes, USERNAME is the/a special query user)
Like I said, the same thing works when run via ldapsearch:
ldapsearch -v -H ldap://HOSTNAME -b "ou=organization,DC=CORPDOM,DC=com" -D "uid=USERNAME,ou=tuser,ou=CORPNAME,ou=organization,dc=CORPDOM,dc=com" -W
returns the full user list (after the password promppt obviously).
Ive even gone so far as to run tcpdump. There I could see that gitlab does an extraneous "searchRequest(2) "(ROOT)" baseObject", which ldapsearch doesnt do. As such ldapsearch shows results, but gitlab only gets an empty query result:
*> LDAPMessage bindRequest(1) "uid=USERNAME,ou=tuser,ou=CORPNAME,ou=organization,dc=CORPDOM,dc=com" simple
*< LDAPMessage bindResponse(1) success
*> LDAPMessage searchRequest(2) "<ROOT>" baseObject
*< LDAPMessage searchResEntry(2) "<ROOT>"
*> LDAPMessage searchRequest(3) "ou=organization,DC=CORPDOM,DC=com" wholeSubtree
*< LDAPMessage searchResDone(3) success [0 results]