Skip to content

GitLab

Closed
Created by Administrator@rootOwner

LDAP login failed with "Could not authorize you from Ldapmain because "Invalid credentials"

Created by: CHERTS

I use GitLab CE with OpenLDAP.

Environment:

My /etc/gitlab/gitlab.rb (LDAP part):

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
   main:
     label: 'XXX'
     host: 'localhost'
     port: 389
     uid: 'uid'
     method: 'plain'
     bind_dn: 'cn=root,dc=office,dc=xxx,dc=ru'
     password: '********'
     active_directory: false
     allow_username_or_email_login: false
     block_auto_created_users: false
     base: 'ou=users,dc=office,dc=xxx,dc=ru'
     user_filter: '(objectClass=posixAccount)'
EOS

Application Checks

# gitlab-rake gitlab:check
nothing spectial. all tests passed

# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
        DN: uid=test1,ou=users,dc=office,dc=xxx,dc=ru         uid: test1
        DN: uid=test2,ou=users,dc=office,dc=xxx,dc=ru         uid: test2
...
        DN: uid=test99,ou=users,dc=office,dc=xxx,dc=ru     uid: test99
        DN: uid=test100,ou=users,dc=office,dc=xxx,dc=ru     uid: test100

Checking LDAP ... Finished
# gitlab-rake gitlab:env:info
System information
System:         Debian 7.8
Current User:   git
Using RVM:      no
Ruby Version:   2.1.6p336
Gem Version:    2.2.1
Bundler Version:1.5.3
Rake Version:   10.4.2
Sidekiq Version:3.3.0

GitLab information
Version:        7.11.4
Revision:       b725318
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            https://gitlab.xxx.ru
HTTP Clone URL: https://gitlab.xxx.ru/some-project.git
SSH Clone URL:  [email protected]:some-project.git
Using LDAP:     yes
Using Omniauth: no

GitLab Shell
Version:        2.6.3
Repositories:   /home/gitlab/repositories
Hooks:          /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git:            /opt/gitlab/embedded/bin/git

Gitlab Sign in with LDAP Error: Could not authorize you from Ldapmain because "Invalid credentials".

Gitlab log

gitlab-ctl tail gitlab-rails

Started POST "/users/auth/ldapmain/callback" for 5.9.158.75 at 2015-06-04 17:16:18 +0500
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"test1", "password"=>"[FILTERED]"}
Redirected to https://gitlab.xxx.ru/users/sign_in
Completed 302 Found in 24ms (ActiveRecord: 4.7ms)
Started GET "/users/sign_in" for 5.9.158.75 at 2015-06-04 17:16:19 +0500
Processing by SessionsController#new as HTML
Completed 200 OK in 31ms (Views: 7.1ms | ActiveRecord: 4.0ms)

OpenLDAP (slapd) log:

55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192
55704192 daemon: epoll: listen=7 busy
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 daemon: listen=7, new connection on 19
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 daemon: added 19r (active) listener=(nil)
55704192 conn=1037 fd=19 ACCEPT from IP=127.0.0.1:50238 (IP=0.0.0.0:389)
55704192 daemon: activity on 2 descriptors
55704192 daemon: activity on:55704192  19r55704192
55704192 daemon: read active on 19
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 conn=1037 op=0 BIND dn="cn=root,dc=office,dc=xxx,dc=ru" method=128
55704192 conn=1037 op=0 BIND dn="cn=root,dc=office,dc=xxx,dc=ru" mech=SIMPLE ssf=0
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 conn=1037 op=0 RESULT tag=97 err=0 text=
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192  19r55704192
55704192 daemon: read active on 19
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 begin get_filter
55704192 PRESENT
55704192 end get_filter 0
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192
55704192 conn=1037 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 conn=1037 op=1 SRCH attr=altServer namingContexts supportedCapabilities supportedControl supportedExtension supportedFeatures supportedLdapVersion supportedSASLMechanisms
55704192 => test_filter
55704192     PRESENT
55704192 => access_allowed: search access to "" "objectClass" requested
55704192 => acl_get: [5] attr objectClass
55704192 => acl_mask: access to entry "", attr "objectClass" requested
55704192 => acl_mask: to all values by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: search access granted by read(=rscxd)
55704192 => access_allowed: search access granted by read(=rscxd)
55704192 <= test_filter 6
55704192 => access_allowed: read access to "" "entry" requested
55704192 => acl_get: [5] attr entry
55704192 => acl_mask: access to entry "", attr "entry" requested
55704192 => acl_mask: to all values by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: result not in cache (namingContexts)
55704192 => access_allowed: read access to "" "namingContexts" requested
55704192 => acl_get: [5] attr namingContexts
55704192 => acl_mask: access to entry "", attr "namingContexts" requested
55704192 => acl_mask: to value by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: result not in cache (supportedControl)
55704192 => access_allowed: read access to "" "supportedControl" requested
55704192 => acl_get: [5] attr supportedControl
55704192 => acl_mask: access to entry "", attr "supportedControl" requested
55704192 => acl_mask: to value by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: result was in cache (supportedControl)
55704192 => access_allowed: result was in cache (supportedControl)
55704192 => access_allowed: result was in cache (supportedControl)
55704192 => access_allowed: result was in cache (supportedControl)
55704192 => access_allowed: result was in cache (supportedControl)
55704192 => access_allowed: result was in cache (supportedControl)
55704192 => access_allowed: result was in cache (supportedControl)
55704192 => access_allowed: result not in cache (supportedExtension)
55704192 => access_allowed: read access to "" "supportedExtension" requested
55704192 => acl_get: [5] attr supportedExtension
55704192 => acl_mask: access to entry "", attr "supportedExtension" requested
55704192 => acl_mask: to value by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: result was in cache (supportedExtension)
55704192 => access_allowed: result was in cache (supportedExtension)
55704192 => access_allowed: result not in cache (supportedFeatures)
55704192 => access_allowed: read access to "" "supportedFeatures" requested
55704192 => acl_get: [5] attr supportedFeatures
55704192 => acl_mask: access to entry "", attr "supportedFeatures" requested
55704192 => acl_mask: to value by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: result was in cache (supportedFeatures)
55704192 => access_allowed: result was in cache (supportedFeatures)
55704192 => access_allowed: result was in cache (supportedFeatures)
55704192 => access_allowed: result was in cache (supportedFeatures)
55704192 => access_allowed: result was in cache (supportedFeatures)
55704192 => access_allowed: result not in cache (supportedLDAPVersion)
55704192 => access_allowed: read access to "" "supportedLDAPVersion" requested
55704192 => acl_get: [5] attr supportedLDAPVersion
55704192 => acl_mask: access to entry "", attr "supportedLDAPVersion" requested
55704192 => acl_mask: to value by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: result not in cache (supportedSASLMechanisms)
55704192 => access_allowed: read access to "" "supportedSASLMechanisms" requested
55704192 => acl_get: [5] attr supportedSASLMechanisms
55704192 => acl_mask: access to entry "", attr "supportedSASLMechanisms" requested
55704192 => acl_mask: to value by "cn=root,dc=office,dc=xxx,dc=ru", (=0)
55704192 <= check a_dn_pat: self
55704192 <= check a_dn_pat: anonymous
55704192 <= check a_sockurl_pat: ^ldapi:///$
55704192 <= check a_dn_pat: uid=replicator,ou=users,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: uid=heimdal,dc=office,dc=xxx,dc=ru
55704192 <= check a_dn_pat: *
55704192 <= acl_mask: [6] applying read(=rscxd) (stop)
55704192 <= acl_mask: [6] mask: read(=rscxd)
55704192 => slap_access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: read access granted by read(=rscxd)
55704192 => access_allowed: result was in cache (supportedSASLMechanisms)
55704192 => access_allowed: result was in cache (supportedSASLMechanisms)
55704192 => access_allowed: result was in cache (supportedSASLMechanisms)
55704192 => access_allowed: result was in cache (supportedSASLMechanisms)
55704192 => access_allowed: result was in cache (supportedSASLMechanisms)
55704192 => access_allowed: result was in cache (supportedSASLMechanisms)
55704192 conn=1037 op=1 ENTRY dn=""
55704192 conn=1037 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192  19r55704192
55704192 daemon: read active on 19
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192 begin get_filter
55704192 EQUALITY
55704192
55704192 get_ava: unknown attributeType posixAccount
55704192 end get_filter 0
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 conn=1037 op=2 SRCH base="ou=users,dc=office,dc=xxx,dc=ru" scope=2 deref=0 filter="(?posixAccount=test1)"
55704192 => access_allowed: search access to "ou=users,dc=office,dc=xxx,dc=ru" "entry" requested
55704192 <= root access granted
55704192 => access_allowed: search access granted by manage(=mwrscxd)
55704192 => bdb_filter_candidates
55704192        AND
55704192 => bdb_list_candidates 0xa0
55704192 => bdb_filter_candidates
55704192        OR
55704192 => bdb_list_candidates 0xa1
55704192 => bdb_filter_candidates
55704192        EQUALITY
55704192 <= bdb_filter_candidates: id=0 first=0 last=0
55704192 => bdb_filter_candidates
55704192 <= bdb_filter_candidates: id=0 first=0 last=0
55704192 <= bdb_list_candidates: id=0 first=0 last=0
55704192 <= bdb_filter_candidates: id=0 first=0 last=0
55704192 <= bdb_list_candidates: id=0 first=2 last=0
55704192 <= bdb_filter_candidates: id=0 first=2 last=0
55704192 conn=1037 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192  19r55704192
55704192 daemon: read active on 19
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL
55704192 connection_read(19): input error=-2 id=1037, closing.
55704192 connection_closing: readying conn=1037 sd=19 for close
55704192 daemon: removing 19
55704192 daemon: activity on 1 descriptor
55704192 daemon: activity on:55704192
55704192 conn=1037 fd=19 closed (connection lost)
55704192 daemon: epoll: listen=7 active_threads=0 tvp=NULL
55704192 daemon: epoll: listen=8 active_threads=0 tvp=NULL

_I do not like the line in the log openldap_

55704192 conn = 1037 op = 2 SRCH base = "ou = users, dc = office, dc = xxx, dc = ru" scope = 2 deref = 0 filter = "(? PosixAccount = test1)"

_What kind of filter, and where does it come?_