Hi, I'm running the docker gitlab-ce:latest. When I run bash from the container and install ldapsearch, I can successfully run the test search with the settings in the docker-compose.yml and get the correct 3 users back. But GitLab doesn't tell me what is preventing them from logging in. I just don't see why I can search for users but GitLab can't. I even tried this with the GitLab AD account as a domain admin. Can I check some LDAP config on the DC for anything? What does GitLab expect?
Here's everything:

ldapsearch from inside the container
---
ldapsearch -H ldap://org-dc01.org.internal -D "CN=Gitlab Community Edition,OU=System Accounts,OU=Users,DC=ORG,DC=INTERNAL" -b 'OU=Users,OU=ORG,dc=ORG,dc=INTERNAL' '(memberOf=CN=AccessCode,OU=Access/Shares Groups,OU=Security Groups,OU=ORG,DC=ORG,DC=INTERNAL)' sAMAccountName -W
# Password copy/pasted from config.
# extended LDIF
#
# LDAPv3
# base <OU=Users,OU=ORG,dc=ORG,dc=INTERNAL> with scope subtree
# filter: (memberOf=CN=AccessCode,OU=Access/Shares Groups,OU=Security Groups,OU=ORG,DC=ORG,DC=INTERNAL)
# requesting: sAMAccountName
#

# USER1, System Administrators, Users, ORG, ORG.INTERNAL
dn: CN=user1,OU=System Administrators,OU=Users,OU=ORG,DC=ORG,DC=INTERNAL
sAMAccountName: user1

# USER2, System Administrators, Users, ORG, ORG.INTERNAL
dn: CN=user2,OU=System Administrators,OU=Users,OU=ORG,DC=ORG,DC=INTERNAL
sAMAccountName: user2

# Test1, 2013, Students, Users, ORG, ORG.INTERNAL
dn: CN=Test1,OU=2013,OU=Students,OU=Users,OU=ORG,DC=ORG,DC=INTERNAL
sAMAccountName: Test1

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

docker-compose.yml
---
version: '2'
services:
  web:
    image: 'gitlab/gitlab-ce:latest'
    restart: always
    hostname: 'api.org.internal'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://code.org.internal'
        gitlab_rails['gitlab_shell_ssh_port'] = 2224
        gitlab_rails['smtp_enable'] = true
        gitlab_rails['smtp_address'] = 'org-mail01.org.internal'
        gitlab_rails['smtp_port'] = 587
        gitlab_rails['smtp_user_name'] = 'sys-gitlab'
        gitlab_rails['smtp_password'] = 'redacted'
        gitlab_rails['smtp_domain'] = 'org.co.uk'
        gitlab_rails['smtp_authentication'] = "plain"
        gitlab_rails['smtp_enable_starttls_auto'] = true
        gitlab_rails['smtp_openssl_verify_mode'] = 'peer'
        gitlab_rails['gitlab_email_from'] = 'c...@org.co.uk'
        gitlab_rails['gitlab_email_reply_to'] = 'nore...@org.co.uk'
        gitlab_rails['ldap_enabled'] = true
        gitlab_rails['ldap_servers'] = YAML.load <<-EOS # close this block with matching last.
          main:
            label: 'LDAP'
            host: 'org-dc01.org.internal'
            port: 389 # 389 insecure, 636 secure port
            uid: 'sAMAccountName' # field name
            method: 'plain' # tls, ssl or plain
            bind_dn: 'CN=Gitlab Community Edition,OU=System Accounts,OU=Users,OU=org,DC=org,DC=INTERNAL'
            password: 'redacted'
            # LDAP query timeout (seconds)
            timeout: 10
            active_directory: true
            # if using uid: userPrincipalName disable this as it contains '@'
            allow_username_or_email_login: true
            block_auto_created_users: false
            base: 'OU=Users,OU=org,dc=org,dc=INTERNAL'
            # Filter format RFC 4515 https://tools.ietf.org/search/rfc4515
            # ex (employeeType=developer)
            user_filter: '(memberOf:1.2.840.113556.1.4.1941:=CN=AccessCode,OU=Access/Shares Groups,OU=Security Groups,OU=org,DC=org,DC=INTERNAL)'
            # LDAP Attributes gitlab will use to create accounts.
            # can be a string or an array of strings or attributes to try in order.
            attributes:
              username: ['uid', 'sAMAccountName']
              email: ['mail', 'emailAddress']
              first_name: 'givenName'
              last_name: 'surname'
        EOS
    ports:
      - '80:80'
      - '2224:22'
      - '587:587'
      - '389:389'
      - '636:636'
    volumes:
      - '/srv/gitlab-ldap/config:/etc/gitlab'
      - '/srv/gitlab-ldap/logs:/var/log/gitlab'
      - '/srv/gitlab-ldap/data:/var/opt/gitlab'

Logging
---

production.log
---
** [Raven] Raven 2.0.2 configured not to capture errors.
LDAP search error: Operations Error

Command
---
[root@api gitlab]# docker-compose exec web gitlab-rake gitlab:ldap:check
WARNING: The okKm variable is not set. Defaulting to a blank string.
Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain

Checking LDAP ... Finished

unicorn_stdout.log
---
I, [2016-10-13T10:04:40.683996 #411]  INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2016-10-13T10:04:40.692487 #411] ERROR -- omniauth: (ldapmain) Authentication failure! invalid_credentials encountered.
Also production.log at login
---
Started GET "/users/sign_in" for 10.101.3.240 at 2016-10-13 09:57:59 +0000
Processing by SessionsController#new as HTML
Completed 200 OK in 37ms (Views: 12.4ms | ActiveRecord: 2.8ms)
Started POST "/users/auth/ldapmain/callback" for 10.101.3.240 at 2016-10-13 09:58:03 +0000
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"ZnEBh7QEa9WCXkv9rA8TzTkIxBreu/Hdo5fmRV33AUoME0LlvVzN8V28/gzLua+nFHL5C64UaWrrUfDnx7074A==", "username"=>"user2", "password"=>"[FILTERED]"}
Redirected to http://code.org.internal/users/sign_in
Completed 302 Found in 18ms (ActiveRecord: 1.6ms)
Started GET "/users/sign_in" for 10.101.3.240 at 2016-10-13 09:58:03 +0000
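The "WARNING: The okKm variable is not set. Defaulting to a blank string." line in the rake output is printed by docker-compose, which expands `$NAME` and `${NAME}` references inside docker-compose.yml values (the GITLAB_OMNIBUS_CONFIG block included) and needs `$$` for a literal dollar sign, so a bind password containing `$` reaches GitLab altered even though the same string pasted into ldapsearch works. The script below is an added check, not code from the post or from GitLab; it scans a constructed compose fragment (hypothetical DNs and password) for such references, shows what Compose would substitute, and produces the escaped form.

```python
import re

# Simplified form of the variable-substitution pattern Compose applies to
# values in docker-compose.yml: $NAME, ${NAME}, and $$ as the escape for '$'.
# Modifiers such as ${NAME:-default} are not modelled here.
_INTERP = re.compile(
    r"\$(?:(?P<escaped>\$)|(?P<named>[A-Za-z_][A-Za-z0-9_]*)|\{(?P<braced>[^}]*)\})"
)

# Constructed compose fragment (hypothetical values, laid out like the post's file).
SAMPLE_COMPOSE = """\
services:
  web:
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        gitlab_rails['smtp_password'] = 'plain-secret'
        gitlab_rails['ldap_servers'] = YAML.load <<-EOS
          main:
            bind_dn: 'CN=Gitlab Community Edition,OU=System Accounts,DC=example,DC=test'
            password: 'Pa55$okKm!'
        EOS
"""

def find_interpolations(compose_text):
    """Return [(line_no, reference, is_escaped)] for every '$' reference that
    Compose would expand, or leave as a literal '$' when written as '$$'."""
    hits = []
    for no, line in enumerate(compose_text.splitlines(), start=1):
        for m in _INTERP.finditer(line):
            if m.group("escaped") is not None:
                hits.append((no, "$$", True))
            else:
                hits.append((no, m.group("named") or m.group("braced"), False))
    return hits

def render_like_compose(value, env):
    """Expand one value the way Compose does: names missing from env become ''."""
    def sub(m):
        if m.group("escaped") is not None:
            return "$"
        return env.get(m.group("named") or m.group("braced"), "")
    return _INTERP.sub(sub, value)

def escape_for_compose(value):
    """Make a secret safe to embed literally: every '$' becomes '$$'."""
    return value.replace("$", "$$")

if __name__ == "__main__":
    for no, ref, escaped in find_interpolations(SAMPLE_COMPOSE):
        print(f"line {no}: ${ref} {'(escaped)' if escaped else '-> substituted by Compose'}")
    print(render_like_compose("Pa55$okKm!", {}))       # value GitLab would bind with
    print(escape_for_compose("Pa55$okKm!"))            # what to put in the YAML instead
```

Run it against the real file (with the secret still in place) and any unescaped reference it reports is a value GitLab never sees as typed.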