LDAP TLS auth bug / user access denied
Created by: bhuisgen
LDAP authentication with TLS seems to be broken with gitlab 6-9-stable. A previous installation in version 6.6 works perfectly with TLS, and this issue is not related to the ldap_filter bug of versions 6.7 to 6.9.2.
The first sign-in correctly creates the user in the GitLab database, but the user login will be denied.
What I see in the LDAP log is that the second LDAP connection is done without TLS:
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 fd=83 ACCEPT from IP=192.168.3.15:60020 (IP=0.0.0.0:389)
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=0 STARTTLS
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=0 RESULT oid= err=0 text=
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 fd=83 TLS established tls_ssf=256 ssf=256
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=1 BIND dn="uid=proxy,dc=my,dc=domain" method=128
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=1 BIND dn="uid=proxy,dc=my,dc=domain" mech=SIMPLE ssf=0
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=1 RESULT tag=97 err=0 text=
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=2 SRCH attr=namingContexts supportedLdapVersion altServer supportedControl supportedExtension supportedFeatures supportedSASLMechanisms
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=3 SRCH base="dc=my,dc=domain" scope=2 deref=0 filter="(uid=boris.huisgen)"
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=4 BIND anonymous mech=implicit ssf=0
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=4 BIND dn="uid=boris.huisgen,ou=company,dc=my,dc=domain" method=128
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=4 BIND dn="uid=boris.huisgen,ou=company,dc=my,dc=domain" mech=SIMPLE ssf=0
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=4 RESULT tag=97 err=0 text=
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 fd=83 closed (connection lost)

Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 fd=83 ACCEPT from IP=192.168.3.15:60021 (IP=0.0.0.0:389)
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=0 BIND dn="uid=proxy,dc=my,dc=domain" method=128
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=0 RESULT tag=97 err=13 text=confidentiality required
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=1 SRCH attr=namingContexts supportedLdapVersion altServer supportedControl supportedExtension supportedFeatures supportedSASLMechanisms
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=1 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=2 SRCH base="uid=boris.huisgen,ou=company,dc=my,dc=domain" scope=0 deref=0 filter="(objectClass=*)"
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=2 SEARCH RESULT tag=101 err=13 nentries=0 text=confidentiality required
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 fd=83 closed (connection lost)
GitLab log:
LDAP search error: unknown result (13)
Redirected to https://gitlab.my.domain/users/sign_in
Filter chain halted as :ldap_security_check rendered or redirected
LDAP configuration:
host: 'ldap.my.domain'
port: 389
uid: 'uid'
method: 'tls'
bind_dn: 'uid=proxy,dc=my,dc=domain'
password: '123456'
allow_username_or_email_login: true
base: 'dc=my,dc=domain'
user_filter: ''
Thanks for your help.
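A defender-side check for the symptom shown in the slapd log above, added here as an example that is not part of the issue or of GitLab's code: it walks slapd log lines per connection and flags simple BINDs sent on a connection that never reached "TLS established", which is exactly the second connection (err=13, confidentiality required) in this report. The sample log lines are constructed after the ones quoted above.

```python
import re

# Constructed sample slapd log, modelled on the lines in the issue: conn 92289
# upgrades with STARTTLS before binding, conn 92290 binds in the clear and the
# server answers err=13 (confidentiality required).
SAMPLE_LOG = """\
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 fd=83 ACCEPT from IP=192.168.3.15:60020 (IP=0.0.0.0:389)
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=0 STARTTLS
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 fd=83 TLS established tls_ssf=256 ssf=256
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=1 BIND dn="uid=proxy,dc=my,dc=domain" method=128
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92289 op=1 RESULT tag=97 err=0 text=
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 fd=83 ACCEPT from IP=192.168.3.15:60021 (IP=0.0.0.0:389)
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=0 BIND dn="uid=proxy,dc=my,dc=domain" method=128
Jun 17 14:30:50 ldap-server slapd[30961]: conn=92290 op=0 RESULT tag=97 err=13 text=confidentiality required
"""

LINE_RE = re.compile(r"conn=(?P<conn>\d+) (?P<rest>.*)$")
# Only the "method=128" BIND line carries the DN; the duplicate "mech=SIMPLE"
# line is deliberately not matched so each bind is counted once.
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
RESULT_RE = re.compile(r"op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")


def find_cleartext_binds(log_text):
    """Return [(conn, dn, err)] for simple BINDs issued on a connection that had
    not completed TLS (no 'TLS established' line before the BIND). The err value
    is taken from the matching RESULT line, so a server that enforces
    'confidentiality required' shows up as err=13."""
    tls_ready = set()      # connection ids that completed STARTTLS
    pending = {}           # (conn, op) -> dn for cleartext binds awaiting RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if "TLS established" in rest:
            tls_ready.add(conn)
        elif (b := BIND_RE.search(rest)) and conn not in tls_ready:
            pending[(conn, b.group("op"))] = b.group("dn")
        elif (r := RESULT_RE.search(rest)) and (conn, r.group("op")) in pending:
            dn = pending.pop((conn, r.group("op")))
            findings.append((conn, dn, int(r.group("err"))))
    return findings


if __name__ == "__main__":
    for conn, dn, err in find_cleartext_binds(SAMPLE_LOG):
        print(f"conn={conn} cleartext BIND as {dn} -> err={err}")
```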