Hi,

I'm trying to configure a GitLab EE instance (in a docker container) to use 
LDAP (the AD kind) for authentication and authorisation. The LDAP config 
section (sanitised) in my /etc/gitlab/gitlab.rb looks like:

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'ldap.example.net'
    port: 389
    uid: 'userPrincipalName'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: '***'
    password: '***'
    active_directory: true
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'DC=example,DC=com'
    user_filter: '(userPrincipalName={0})'
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email:    ['mail', 'email', 'userPrincipalName']
      name:       'cn'
      first_name: 'givenName'
      last_name:  'sn'
    ## EE only
    group_base: 'OU=Access Control,DC=example,DC=com'
    admin_group: 'AC-GitLab-Owners'
    sync_ssh_keys: false
EOS


And this seems to work okay up to a point, in that when I attempt to sign 
in to GitLab with my LDAP credentials a GitLab User is created with the 
correct LDAP uid. However, the login actually fails, displaying the 
following error:


Could not authenticate you from Ldapmain because "Undefined method `uid' for nil:nilclass".

Looking in the logs (obtained using 'docker logs' and sanitised) I see the 
following:

==> /var/log/gitlab/gitlab-rails/application.log <==

February 24, 2016 14:36: User "Me" (m...@example.com) was created


==> /var/log/gitlab/gitlab-rails/production.log <==

  SystemHook Load (0.5ms)  SELECT "web_hooks".* FROM "web_hooks" WHERE "web_hooks"."type" IN ('SystemHook')  ORDER BY "web_hooks"."id" DESC
  Namespace Load (0.3ms)  SELECT  "namespaces".* FROM "namespaces" WHERE "namespaces"."owner_id" = $1 AND "namespaces"."type" IS NULL  ORDER BY "namespaces"."id" DESC LIMIT 1  [["owner_id", 10]]
  User Load (3.7ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = $1  ORDER BY "users"."id" DESC LIMIT 1  [["id", 10]]
  Namespace Exists (0.7ms)  SELECT  1 AS one FROM "namespaces" WHERE "namespaces"."name" = 'me' LIMIT 1
  Namespace Exists (0.4ms)  SELECT  1 AS one FROM "namespaces" WHERE LOWER("namespaces"."path") = LOWER('me') LIMIT 1
  SQL (1.3ms)  INSERT INTO "namespaces" ("path", "name", "owner_id", "created_at", "updated_at") VALUES ($1, $2, $3, $4, $5) RETURNING "id"  [["path", "me"], ["name", "me"], ["owner_id", 10], ["created_at", "2016-02-24 14:36:41.697501"], ["updated_at", "2016-02-24 14:36:41.697501"]]
  Namespace Exists (0.3ms)  SELECT  1 AS one FROM "namespaces" WHERE ("namespaces"."name" = 'me' AND "namespaces"."id" != 11) LIMIT 1
  Namespace Exists (0.4ms)  SELECT  1 AS one FROM "namespaces" WHERE (LOWER("namespaces"."path") = LOWER('me') AND "namespaces"."id" != 11) LIMIT 1
   (1.0ms)  COMMIT


==> /var/log/gitlab/gitlab-rails/application.log <==

February 24, 2016 14:36: (OAuth) saving user m...@example.com from login with extern_uid => CN=Me,OU=Users,OU=Example,DC=example,DC=com


==> /var/log/gitlab/gitlab-rails/production.log <==

  Identity Load (0.3ms)  SELECT  "identities".* FROM "identities" WHERE "identities"."user_id" = $1 AND (provider LIKE 'ldap%')  ORDER BY "identities"."id" DESC LIMIT 1  [["user_id", 10]]
  SQL (0.5ms)  SELECT "namespaces"."id" AS t0_r0, "namespaces"."name" AS t0_r1, "namespaces"."path" AS t0_r2, "namespaces"."owner_id" AS t0_r3, "namespaces"."created_at" AS t0_r4, "namespaces"."updated_at" AS t0_r5, "namespaces"."type" AS t0_r6, "namespaces"."description" AS t0_r7, "namespaces"."avatar" AS t0_r8, "namespaces"."membership_lock" AS t0_r9, "namespaces"."share_with_group_lock" AS t0_r10, "ldap_group_links"."id" AS t1_r0, "ldap_group_links"."cn" AS t1_r1, "ldap_group_links"."group_access" AS t1_r2, "ldap_group_links"."group_id" AS t1_r3, "ldap_group_links"."created_at" AS t1_r4, "ldap_group_links"."updated_at" AS t1_r5, "ldap_group_links"."provider" AS t1_r6 FROM "namespaces" LEFT OUTER JOIN "ldap_group_links" ON "ldap_group_links"."group_id" = "namespaces"."id" WHERE "namespaces"."type" IN ('Group') AND ("ldap_group_links"."id" IS NOT NULL) AND "ldap_group_links"."provider" = $1  ORDER BY "namespaces"."id" DESC  [["provider", "ldapmain"]]

Instantiating Gitlab::LDAP::Group with LDIF:
dn: CN=AC-GitLab-Owners,OU=Access Control,DC=example,DC=com
cn: AC-GitLab-Owners
description: GitLab Owners Group
distinguishedname: CN=AC-GitLab-Owners,OU=Access Control,DC=example,DC=com
dscorepropagationdata: 16010101000000.0Z
grouptype: -2147483640
instancetype: 4
member: CN=Me,OU=Users,OU=Example,DC=example,DC=com
member: CN=You,OU=Users,OU=Example,DC=example,DC=com
name: AC-GitLab-Owners
objectcategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
objectclass: top
objectclass: group
objectguid:: ***
objectsid:: ***
samaccountname: AC-GitLab-Owners
samaccounttype: 268435456
usnchanged: 1073273
usncreated: 575588
whenchanged: 20151207124528.0Z
whencreated: 20151008121610.0Z


Completed 500 Internal Server Error in 738ms (ActiveRecord: 36.3ms)


==> /var/log/gitlab/unicorn/unicorn_stdout.log <==

E, [2016-02-24T14:36:41.882950 #17944] ERROR -- omniauth: (ldapmain) Authentication failure! ldap_error: NoMethodError, undefined method `uid' for nil:NilClass


==> /var/log/gitlab/gitlab-rails/production.log <==

Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"m...@example.com", "password"=>"[FILTERED]"}
  User Load (0.9ms)  SELECT  "users".* FROM "users" WHERE "users"."authentication_token" = $1  ORDER BY "users"."id" DESC LIMIT 1  [["authentication_token", "***"]]
   (0.4ms)  BEGIN
   (0.4ms)  ROLLBACK
Redirected to http://localhost/users/sign_in
Completed 302 Found in 67ms (ActiveRecord: 1.7ms)


So GitLab is happy creating my user, and it's happy retrieving the 
AC-GitLab-Owners group from LDAP, but it bombs out straight after that with 
the "undefined method `uid' for nil:NilClass".


What am I missing? Any suggestions very gratefully received.


Thanks. Martin.
