Hi, I'm running the docker gitlab-ce:latest.

When I run bash from the container and install ldapsearch, I can
successfully run the test search with the settings in the
docker-compose.yml and get the correct 3 users back. But GitLab doesn't
tell me what is preventing them from logging in. I just don't see why I can
search for users but GitLab can't. I even tried this with the GitLab AD
account as a domain admin. Can I check some LDAP config on the DC for
anything? What does GitLab expect?

Here's everything;

ldapsearch from inside the container -- 
ldapsearch -H ldap://org-dc01.org.internal \
  -D "CN=Gitlab Community Edition,OU=System Accounts,OU=Users,DC=ORG,DC=INTERNAL" \
  -b '(memberOf=CN=AccessCode,OU=Access/Shares Groups,OU=Security Groups,OU=ORG,DC=ORG,DC=INTERNAL)' \
  sAMAccountName -W
# Password copy/pasted from config.

# extended LDIF
# LDAPv3
# base <OU=Users,OU=ORG,dc=ORG,dc=INTERNAL> with scope subtree
# filter: (memberOf=CN=AccessCode,OU=Access/Shares Groups,OU=Security 
# requesting: sAMAccountName

# USER1, System Administrators, Users, ORG, ORG.INTERNAL
dn: CN=user1,OU=System Administrators,OU=Users,OU=ORG,DC=ORG,DC=INTERNAL
sAMAccountName: user1

# USER2, System Administrators, Users, ORG, ORG.INTERNAL
dn: CN=user2,OU=System Administrators,OU=Users,OU=ORG,DC=ORG,DC=INTERNAL
sAMAccountName: user2

# Test1, 2013, Students, Users, ORG, ORG.INTERNAL
dn: CN=Test1,OU=2013,OU=Students,OU=Users,OU=ORG,DC=ORG,DC=INTERNAL
sAMAccountName: Test1

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

docker-compose.yml ---
version: '2'
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'api.org.internal'
        external_url 'http://code.org.internal'
        gitlab_rails['gitlab_shell_ssh_port'] = 2224
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = 'org-mail01.org.internal'
        gitlab_rails['smtp_port'] = 587
        gitlab_rails['smtp_user_name'] = 'sys-gitlab'
        gitlab_rails['smtp_password'] = 'redacted'
        gitlab_rails['smtp_domain'] = 'org.co.uk'
        gitlab_rails['smtp_authentication'] = "plain"
        gitlab_rails['smtp_enable_starttls_auto'] = true
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        gitlab_rails['gitlab_email_from'] = 'c...@org.co.uk'
        gitlab_rails['gitlab_email_reply_to'] = 'nore...@org.co.uk'
        gitlab_rails['ldap_enabled'] = true
        gitlab_rails['ldap_servers'] = YAML.load <<-EOS # close this block with matching last.
            label: 'LDAP'
            host: 'org-dc01.org.internal'
            port: 389 # 389 insecure, 636 secure port
            uid: 'sAMAccountName' # field name
            method: 'plain' # tls, ssl or plain
            bind_dn: 'CN=Gitlab Community Edition,OU=System 
            password: 'redacted'
            #LDAP query timeout (seconds)
            timeout: 10
            active_directory: true
            # if using uid: userPrincipalName disable this as it contains 
            allow_username_or_email_login: true
            block_auto_created_users: false
            base: 'OU=Users,OU=org,dc=org,dc=INTERNAL'
            # Filter format RFC 4515 https://tools.ietf.org/search/rfc4515
            # ex (employeeType=developer)
Groups,OU=Security Groups,OU=org,DC=org,DC=INTERNAL)'
            # LDAP Attributes gitlab will use to create accounts.
            # can be a string or an array of strings or attributes to try in order.
              username: ['uid', 'sAMAccountName']
              email:    ['mail', 'emailAddress']
              first_name: 'givenName'
              last_name: 'surname'
      - '80:80'
      - '2224:22'
      - '587:587'
      - '389:389'
      - '636:636'
      - '/srv/gitlab-ldap/config:/etc/gitlab'
      - '/srv/gitlab-ldap/logs:/var/log/gitlab'
      - '/srv/gitlab-ldap/data:/var/opt/gitlab'

Logging ---
production.log ---
** [Raven] Raven 2.0.2 configured not to capture errors.
LDAP search error: Operations Error

Command ---
[root@api gitlab]# docker-compose exec web gitlab-rake gitlab:ldap:check
WARNING: The okKm variable is not set. Defaulting to a blank string.
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 
Server: ldapmain

Checking LDAP ... Finished

unicorn_stdout.log ---
I, [2016-10-13T10:04:40.683996 #411]  INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2016-10-13T10:04:40.692487 #411] ERROR -- omniauth: (ldapmain) Authentication failure! invalid_credentials encountered.

also production.log at login ---
Started GET "/users/sign_in" for at 2016-10-13 09:57:59 +0000
Processing by SessionsController#new as HTML
Completed 200 OK in 37ms (Views: 12.4ms | ActiveRecord: 2.8ms)
Started POST "/users/auth/ldapmain/callback" for at 2016-10-13 09:58:03 +0000
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "username"=>"user2", "password"=>"[FILTERED]"}
Redirected to http://code.org.internal/users/sign_in
Completed 302 Found in 18ms (ActiveRecord: 1.6ms)
Started GET "/users/sign_in" for at 2016-10-13 09:58:03 +0000
