
I'm currently trying to make our GitLab authenticate to the LDAP service provided by a CommuniGate Pro server. When I run command-line tests (like ldapsearch) I authenticate successfully and get information back. But when I try it from GitLab's web interface I get

Could not authenticate you from Ldapmain because "Invalid credentials".

From the logs on the LDAP server I see the following:

11:39:51.061 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as 'postmaster@mx01.ldap.net'
11:39:51.061 2 LDAP-000601([xx.xx.xx.99]:37160) ACCOUNT(postmaster@mx01.ldap.net) connected(CLRTXT) [xx.xx.xx.99]:37160->[xx.xx.xx.251]:636(tls)
11:39:51.062 4 LDAP-000601([xx.xx.xx.99]:37160) Logged in as <master>. authType=0
11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching(base) ''
11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (objectClass=*)
11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching for (altServer namingContexts supportedCapabilities...)
11:39:51.064 4 LDAP-000601([xx.xx.xx.99]:37160) '' retrieved
11:39:51.064 2 LDAP-000601([xx.xx.xx.99]:37160) search finished
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching(sub) 'cn=domain.bg'
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (uid=f.lastname)
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching for ALL
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) search paging: n=126, cookie=''
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) 'uid=f.lastname,cn=domain.bg' retrieved
11:39:51.105 2 LDAP-000601([xx.xx.xx.99]:37160) search finished
11:39:51.121 2 LDAP-000601([xx.xx.xx.99]:37160) ACCOUNT(postmaster@mx01.ldap.net) disconnected ([xx.xx.xx.99]:37160)
11:39:51.121 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as 'uid=f.lastname,cn=domain.bg'
11:39:51.121 1 LDAP-000601([xx.xx.xx.99]:37160) BIND failed. Error Code=incorrect password or account name
11:39:51.122 3 LDAP-000601([xx.xx.xx.99]:37160) request reading failed. Error Code=TLS connection closed by peer
11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) TLS connection is closing
11:39:51.122 2 TLS-576189 closed by LDAP-000601
11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) closing connection
11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) releasing stream

When I try with ldapsearch:

ldapsearch -x -LLL -H ldaps://mx01.ldap.net -D 'mail=f.lastname@domain.bg' -W -b 'cn=domain.bg' "(uid=f.lastname)"

I'm able to authenticate:

12:15:51.336 4 LDAP-000612([xx.xx.xx.33]:53142) [xx.xx.xx.251]:636 <- [xx.xx.xx.33]:53142 incoming connection(mx01.ldap.net)
12:15:51.383 2 TLS-578274 created(TLSv1.2,AES256_SHA256) for LDAP-000612
12:15:51.441 4 LDAP-000612([xx.xx.xx.33]:53142) TLS-578274(AES256_SHA256) connection accepted for DOMAIN(mx01.ldap.net)
12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) BINDing as 'f.lastname@domain.bg'
12:15:51.448 2 LDAP-000612([xx.xx.xx.33]:53142) ACCOUNT(f.lastname@domain.bg) connected(CLRTXT) [xx.xx.xx.33]:53142->[xx.xx.xx.251]:636(tls)
12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) Logged in as uid=f.lastname,domain.bg=domain.bg,cn=domain.bg. authType=0
12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching(sub) 'cn=domain.bg'
12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching where (uid=f.lastname)
12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching for ALL
12:15:51.453 4 LDAP-000612([xx.xx.xx.33]:53142) 'uid=f.lastname,cn=domain.bg' retrieved
12:15:51.453 2 LDAP-000612([xx.xx.xx.33]:53142) search finished
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) disconnecting
12:15:51.459 2 LDAP-000612([xx.xx.xx.33]:53142) ACCOUNT(f.lastname@domain.bg) disconnected ([xx.xx.xx.33]:53142)
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) TLS connection is closing
12:15:51.459 2 TLS-578274 closed by LDAP-000612
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) closing connection
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) releasing stream

My config is the following:

main:
  label: 'Domain.Bg LDAP'
  host: 'mx01.ldap.net'
  port: 636
  uid: 'uid'
  method: 'ssl'
  bind_dn: 'mail=postmaster@mx01.ldap.net'
  password: 'password'
  active_directory: false
  allow_username_or_email_login: true
  base: 'top'
  user_filter: ''

The RAILS_ENV=production gitlab-rake -v --trace gitlab:ldap:check check is successful too.

Has anyone seen a similar issue? From what I see in the logs, I think the problem is the BINDing as 'uid=f.lastname,cn=domain.bg' after authenticating as postmaster. Is there a way to make GitLab bind as 'f.lastname@domain.bg' for users instead, after postmaster has authenticated?

plamer
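To see at a glance which of GitLab's two binds failed, here is a small added script (it is not part of the question or the answer, and not a GitLab or CommuniGate tool) that groups CommuniGate Pro LDAP log lines by connection ID and records each BIND together with its outcome. The sample log embedded in it is constructed from the two excerpts above; the message formats it matches are only the ones visible in those excerpts, so other CommuniGate messages are simply skipped.

```python
"""Correlate CommuniGate Pro LDAP log lines per connection to see which bind failed.

Added diagnostic example; the message patterns are taken from the log excerpts
in the question, not from CommuniGate documentation.
"""
import re
from collections import OrderedDict

# Constructed sample input modelled on the two excerpts in the question:
# GitLab's attempt (LDAP-000601) and the manual ldapsearch run (LDAP-000612).
SAMPLE_LOG = """\
11:39:51.061 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as 'postmaster@mx01.ldap.net'
11:39:51.062 4 LDAP-000601([xx.xx.xx.99]:37160) Logged in as <master>. authType=0
11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (objectClass=*)
11:39:51.064 4 LDAP-000601([xx.xx.xx.99]:37160) '' retrieved
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (uid=f.lastname)
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) 'uid=f.lastname,cn=domain.bg' retrieved
11:39:51.121 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as 'uid=f.lastname,cn=domain.bg'
11:39:51.121 1 LDAP-000601([xx.xx.xx.99]:37160) BIND failed. Error Code=incorrect password or account name
11:39:51.122 2 TLS-576189 closed by LDAP-000601
12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) BINDing as 'f.lastname@domain.bg'
12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) Logged in as uid=f.lastname,domain.bg=domain.bg,cn=domain.bg. authType=0
12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching where (uid=f.lastname)
12:15:51.453 4 LDAP-000612([xx.xx.xx.33]:53142) 'uid=f.lastname,cn=domain.bg' retrieved
"""

# "<time> <level> LDAP-<id>([<ip>]:<port>) <message>"; other prefixes (TLS-...) are ignored.
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<level>\d) (?P<conn>LDAP-\d+)\(\[(?P<ip>[^\]]*)\]:(?P<port>\d+)\) (?P<msg>.*)$"
)
BIND_RE = re.compile(r"^BINDing as '(?P<who>[^']*)'$")
LOGIN_RE = re.compile(r"^Logged in as (?P<who>.*)\. authType=\d+$")
FAIL_RE = re.compile(r"^BIND failed\. Error Code=(?P<err>.*)$")
FILTER_RE = re.compile(r"^searching where (?P<filter>.*)$")
RETRIEVED_RE = re.compile(r"^'(?P<dn>[^']*)' retrieved$")


def new_conn(ip, port):
    return {"client": f"{ip}:{port}", "binds": [], "filters": [], "retrieved": []}


def parse_log(text):
    """Return an OrderedDict of connection id -> binds/filters/retrieved DNs."""
    conns = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an LDAP-<id> line (e.g. TLS-...)
        conn = conns.setdefault(m["conn"], new_conn(m["ip"], m["port"]))
        msg = m["msg"]
        if (b := BIND_RE.match(msg)):
            # A bind is pending until a "Logged in as" or "BIND failed" line follows.
            conn["binds"].append({"identity": b["who"], "ok": None, "logged_in_as": None,
                                  "error": None, "time": m["time"]})
        elif (l := LOGIN_RE.match(msg)) and conn["binds"]:
            conn["binds"][-1]["ok"] = True
            conn["binds"][-1]["logged_in_as"] = l["who"]
        elif (f := FAIL_RE.match(msg)) and conn["binds"]:
            conn["binds"][-1]["ok"] = False
            conn["binds"][-1]["error"] = f["err"]
        elif (s := FILTER_RE.match(msg)):
            conn["filters"].append(s["filter"])
        elif (r := RETRIEVED_RE.match(msg)) and r["dn"]:
            conn["retrieved"].append(r["dn"])  # skip the '' (rootDSE) entry
    return conns


def classify(conn):
    """Summarise one connection's bind sequence.

    GitLab binds as the service account, searches for the user, then binds
    again as the DN it found. A success followed by a failure therefore points
    at the user record refusing the password, not at the service account.
    """
    binds = conn["binds"]
    if not binds:
        return "no-bind"
    if any(b["ok"] is None for b in binds):
        return "incomplete"
    if all(b["ok"] for b in binds):
        return "ok"
    if binds[0]["ok"] and not binds[-1]["ok"]:
        return "user-bind-failed"
    return "service-bind-failed"


def report(conns):
    """Render a per-connection summary as a list of lines."""
    lines = []
    for name, c in conns.items():
        lines.append(f"{name} from {c['client']}: {classify(c)}")
        for b in c["binds"]:
            status = "ok" if b["ok"] else (f"FAILED ({b['error']})" if b["ok"] is False else "no result")
            lines.append(f"  bind as {b['identity']!r}: {status}")
        if c["retrieved"]:
            lines.append("  retrieved: " + ", ".join(c["retrieved"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_log(SAMPLE_LOG))))
```

Run against a real CommuniGate log (for example by piping the file into `parse_log`), the "user-bind-failed" verdict on GitLab's connection, next to "ok" on the ldapsearch connection that bound with the mail address, isolates the problem to the second bind against the directory DN.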

1 Answer


For binding as uid=f.lastname,cn=domain.bg to work with CommuniGate, that record should contain the userPassword attribute. The LDAP Central Directory in CommuniGate can be configured to copy account passwords to the directory records.

Another option is to enable the LDAP Direct Provisioning option in CommuniGate: in this case, operations that use DNs pointing to account records are run in the server account context, not in the context of the LDAP directory record.

Outtruder