Configure GitLab with open LDAP

Issue

I am trying to configure my gitlab with openldap to authenticate the users. I have configured the openldap and it is working fine with Jenkins. But with gitlab it is giving the error that Could not authenticate you from Ldapmain because "Invalid credentials".

Below are the gitlab.rb configs:

gitlab_rails['ldap_enabled'] = true
 gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: 'localhost'
     port: 389
     uid: 'uid'
     method: 'plain' # "tls" or "ssl" or "plain"
     bind_dn: 'cn=admin,dc=ldap,dc=com'
     password: 'waqas'
     active_directory: false
     allow_username_or_email_login: true
    #block_auto_created_users: false
     base: 'cn=Appliance,dc=ldap,dc=com'
     user_filter: ''
# attributes:
#   username: ['uid', 'userid', 'sAMAccountName']
#   email:    ['mail', 'email', 'userPrincipalName']
#   name:       'cn'
#       first_name: 'givenName'
#       last_name:  'sn'
#     ## EE only
#    group_base: 'ou=W-Integrate,dc=ldap,dc=com'
     #admin_group: 'cn=admin,dc=ldap,dc=com'
#     sync_ssh_keys: false
#

 EOS

enter image description here
And My openLDAP screen shoot is also attached. can any one correct me what I am doing wrong.

Solution

Your base should not be a user (or inetOrgPerson, group of users cn=Appliance), it should be limited to dc entries for a base dn:

base: 'dc=ldap,dc=com'

This differ from bind_dn, the binding account, which does reference a user: bind_dn: 'cn=admin,dc=ldap,dc=com': there is a cn there.


Note that since GitLab 13.7 (December 2020):

Support for encrypted LDAP credentials

GitLab uses a unified configuration file, for example gitlab.rb in Omnibus GitLab, which makes configuration easy across all of the bundled services.

Included in this configuration file are some secrets, like the
credentials to authenticate to the LDAP server.
While access to this file does require elevated privileges, best practice
is to separate secrets from configuration.

Omnibus GitLab and Source installs now support encrypted credentials, with the first credential supported being LDAP.
This reduces the sensitivity of the GitLab configuration file, and also helps to achieve customer compliance requirements.

See Documentation and Issue.

Answered By – VonC

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published