LDAP authentication with gitlab-shell
Created by: ssmb
Hi, I'm working with GitLab for many projects and many users managed by LDAP (OpenLDAP). I just migrated from 6.1 to 6.2, 6.2 to 6.3 and 6.3 to 6.4-stable (and gitlab-shell 1.8.0).
Everything was working well in 6.1, but now it's impossible to send any git request as an LDAP user. It works well with a "classic" user.
Here is a sample request:
git clone [email protected]:xxx/yyy.git
and the result in the /home/git/gitlab-shell/gitlab-shell.log log file:

    D, [2014-01-06T09:20:28.867811 #29178] DEBUG -- : Performing GET http://git.test.services.local//api/v3/internal/allowed?key_id=63&action=git-upload-pack&ref=_any&project=xxx/yyy
    D, [2014-01-06T09:20:28.902288 #29178] DEBUG -- : Received response 200 => .
    W, [2014-01-06T09:20:28.902465 #29178] WARN -- : gitlab-shell: Access denied for git command by user with key key-63.

The user with key-63 is master on this project (this clone was working before the migration).
The only way to get past this problem and be able to work with GitLab again is to force the result of the "allowed" function to true in the /home/git/gitlab-shell/lib/gitlab_net.rb file, as follows:

    class GitlabNet
      def allowed?(cmd, repo, key, ref)
        ...
        # !!(resp.code == '200' && resp.body == 'true')
        !!(1 == 1)

It's working now, but there is no more control ;-b
Here are the results of my sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production:

    /home/git/gitlab# sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
    Checking Environment ...
    Git configured for git user? ... yes
    Has python2? ... yes
    python2 is supported version? ... yes
    Checking Environment ... Finished
    Checking GitLab Shell ...
    GitLab Shell version >= 1.7.9 ? ... OK (1.8.0)
    Repo base directory exists? ... yes
    Repo base directory is a symlink? ... no
    Repo base owned by git:git? ... yes
    Repo base access is drwxrws---? ... yes
    update hook up-to-date? ... yes
    update hooks in repos are links: ... ...
    Running /home/git/gitlab-shell/bin/check
    Check GitLab API access: OK
    Check directories and files:
    /home/git/repositories: OK
    /home/git/.ssh/authorized_keys: OK
    Test redis-cli executable: redis-cli 2.2.12
    Send ping to redis server: PONG
    gitlab-shell self-check successful
    Checking GitLab Shell ... Finished
    Checking Sidekiq ...
    Running? ... yes
    Number of Sidekiq processes ... 1
    Checking Sidekiq ... Finished
    Checking LDAP ...
    LDAP users with access to your GitLab server (limit: 100):
    Checking LDAP ... Finished
    Checking GitLab ...
    Database config exists? ... yes
    Database is SQLite ... no
    All migrations up? ... yes
    GitLab config exists? ... yes
    GitLab config outdated? ... no
    Log directory writable? ... yes
    Tmp directory writable? ... yes
    Init script exists? ... yes
    Init script up-to-date? ... yes
    projects have namespace: ... ...
    Checking GitLab ... Finished

and

    /home/git/gitlab# sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
    System information
    System: Ubuntu 12.04
    Current User: git
    Using RVM: no
    Ruby Version: 1.9.3p392
    Gem Version: 1.8.23
    Bundler Version:1.3.5
    Rake Version: 10.1.0
    GitLab information
    Version: 6.4.3
    Revision: 42131d0
    Directory: /home/git/gitlab
    DB Adapter: mysql2
    URL: http://git.test.services.local
    HTTP Clone URL: http://git.test.services.local/some-project.git
    SSH Clone URL: [email protected]:some-project.git
    Using LDAP: yes
    Using Omniauth: no
    GitLab Shell Version: 1.8.0
    Repositories: /home/git/repositories/
    Hooks: /home/git/gitlab-shell/hooks/
    Git: /usr/bin/git

Thanks for your help,
Jérôme
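
Added example, not part of the original post or of gitlab-shell's own code: the log excerpt above shows the internal API answering 200 with an empty body, which the commented-out check in gitlab_net.rb treats as a denial. This Ruby sketch pairs each "allowed" request in gitlab-shell.log with its response and states why access was refused; the "Received response CODE => BODY." line format is inferred from the excerpt, the key_id=12 lines are constructed, and the function names are hypothetical.

```ruby
require 'uri'

# Constructed sample: the first two lines are the ones quoted in the post;
# the last two (pid 29200, key_id=12) are made up to show a normal "true" reply.
SAMPLE_LOG = <<~LOG
  D, [2014-01-06T09:20:28.867811 #29178] DEBUG -- : Performing GET http://git.test.services.local//api/v3/internal/allowed?key_id=63&action=git-upload-pack&ref=_any&project=xxx/yyy
  D, [2014-01-06T09:20:28.902288 #29178] DEBUG -- : Received response 200 => .
  D, [2014-01-06T09:21:02.100000 #29200] DEBUG -- : Performing GET http://git.test.services.local//api/v3/internal/allowed?key_id=12&action=git-upload-pack&ref=_any&project=xxx/yyy
  D, [2014-01-06T09:21:02.150000 #29200] DEBUG -- : Received response 200 => true.
LOG

# Assumed line formats, inferred from the excerpt in the post.
REQUEST  = /#(\d+)\] DEBUG -- : Performing GET (\S+)/
RESPONSE = /#(\d+)\] DEBUG -- : Received response (\d{3}) => (.*)\.\s*$/

# Same test as the commented-out line in gitlab_net.rb: fail closed unless
# the API answers 200 with the literal body "true".
def allowed_by_original_check?(code, body)
  code == '200' && body == 'true'
end

# Pair each "allowed" request with its response by PID and explain the outcome.
def explain_decisions(log)
  pending = {}
  results = []
  log.each_line do |line|
    if (m = REQUEST.match(line))
      uri = URI.parse(m[2])
      next unless uri.path.end_with?('/internal/allowed')
      pending[m[1]] = URI.decode_www_form(uri.query.to_s).to_h
    elsif (m = RESPONSE.match(line)) && (params = pending.delete(m[1]))
      code = m[2]
      body = m[3]
      reason =
        if allowed_by_original_check?(code, body) then 'allowed'
        elsif code == '200' && body.empty? then 'denied: 200 with empty body'
        elsif code == '200' then "denied: body #{body.inspect}"
        else "denied: HTTP #{code}"
        end
      results << { key_id: params['key_id'], project: params['project'], reason: reason }
    end
  end
  results
end

explain_decisions(SAMPLE_LOG).each do |r|
  puts "key-#{r[:key_id]} #{r[:project]}: #{r[:reason]}"
end
```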