I've been having trouble with validating LDAP logins through my GitLab server. Both servers are on Ubuntu 16.04, pretty much freshly setup on Google Cloud.
This is what the ldap section of my gitlab.rb file looks like:
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'LDAP'
    host: '<internal IP of domain controller>'
    port: 389
    uid: 'uid'
    bind_dn: 'CN=admin,DC=<project_name>,DC=local'
    password: '<password>'
    encryption: 'simple_tls' # "start_tls" or "simple_tls" or "plain"
    verify_certificates: false
    active_directory: false
    allow_username_or_email_login: true
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'CN=GitLab,DC=<project_name>,DC=local'
    user_filter: ''
EOS
Originally, I had encryption: 'plain', which kind of worked. When I used the command sudo gitlab-rake gitlab:ldap:check while encryption was set to plain, I actually got a list of users with access to the server:
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
DN: cn=<name1>,cn=gitlab,dc=<project_name>,dc=local uid: <username1>
DN: cn=<name2>,cn=gitlab,dc=<project_name>,dc=local uid: <username2>
DN: cn=<name3>,cn=gitlab,dc=<project_name>,dc=local uid: <username3>
Checking LDAP ... Finished
Which made me think that everything was all set to go, yet when I try to log in with one of those three users it fails to authenticate properly. The error that shows up on the GitLab page is something along the lines of "Failed to authenticate user: incorrect credentials for username" despite the credentials being correct. (Unless I'm incorrect here: I've been using uid for login.)
This made me think it had something to do with the encryption, since the users are clearly shown as above and the connection is being made. So I tried changing to encryption: 'simple_tls', since it seemed like most tutorials for GitLab with LDAP used that same setting. This gave me new errors when I tried sudo gitlab-rake gitlab:ldap:check:
Checking LDAP ...
Server: ldapmain
rake aborted!
Net::LDAP::Error: SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ld/adapter.rb:8:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:355:in `block in check_ldap'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:351:in `each'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:351:in `check_ldap'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:340:in `block (3 levels) in <top (required)>'
/opt/gitlab/embedded/bin/bundle:23:in `load'
/opt/gitlab/embedded/bin/bundle:23:in `<main>'
I've read around and it seems like this error can be caused by some sort of version mismatch with OpenSSL, but none of the suggested solutions have worked yet.
So I'm curious if anyone can help me with either of these problems (whichever is easier): either changing my LDAP server to work with simple authentication, or fixing the GitLab/LDAP server to work with simple_tls.
Somehow fixed it. I switched encryption back to encryption: 'plain', since I felt like I was getting closer with that (at least gitlab-rake gitlab:ldap:check returned the proper usernames). All I did was make users in my LDAP store their password with "clear" rather than "md5", and run update-ca-certificates on both servers. Any LDAP user with a password stored in md5 does not work.
I know this is an insecure solution, so I'm still interested in hearing other ideas for using tls_simple, for people who might come across this thread.
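An added diagnostic, not part of the original thread: GitLab's simple_tls mode speaks TLS from the first byte (LDAPS, conventionally port 636), while plain and start_tls both open a plaintext LDAP session (conventionally port 389); when a TLS ClientHello lands on a plaintext LDAP port the server typically drops the connection and the client fails at "read server hello", as in the trace above. This standard-library Python script sends a minimal anonymous LDAP bind and then a TLS handshake to a host and port you supply and reports what each got back; the host, port and default-port mapping are assumptions, and the parsing assumes short-form BER lengths (messages under 128 bytes).

```python
import socket
import ssl

# GitLab encryption mode -> port it conventionally uses (assumption: default LDAP/LDAPS ports)
EXPECTED_PORT = {"simple_tls": 636, "start_tls": 389, "plain": 389}

def build_anonymous_bind(message_id: int = 1) -> bytes:
    """BER-encode LDAPMessage{messageID, BindRequest{version 3, name "", simple ""}}."""
    bind = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"  # version 3, empty DN, empty password
    bind = b"\x60" + bytes([len(bind)]) + bind           # [APPLICATION 0] BindRequest
    body = b"\x02\x01" + bytes([message_id]) + bind
    return b"\x30" + bytes([len(body)]) + body           # LDAPMessage SEQUENCE

def parse_bind_result(data: bytes) -> int:
    """resultCode (0 success, 49 invalidCredentials, ...) of a short-form BindResponse, else -1."""
    if len(data) < 10 or data[0] != 0x30 or data[5] != 0x61 or data[7] != 0x0A:
        return -1
    return data[9]

def classify_reply(first_bytes: bytes) -> str:
    """Name the protocol from the first byte the server sent back."""
    if not first_bytes:
        return "closed"  # peer hung up: what a TLS ClientHello gets from a plaintext LDAP port
    if first_bytes[0] == 0x30:
        return "ldap"    # BER SEQUENCE: plaintext LDAPMessage, i.e. a plain/start_tls port
    if first_bytes[0] == 0x16:
        return "tls"     # TLS handshake record: a simple_tls (LDAPS) port
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send a plaintext anonymous bind, then attempt a TLS handshake; report what each got."""
    report = {}
    try:
        with socket.create_connection((host, port), timeout) as sock:
            sock.sendall(build_anonymous_bind())
            reply = sock.recv(64)
        report["plain"] = classify_reply(reply)
        report["plain_bind_result"] = parse_bind_result(reply)
    except OSError as exc:
        report["plain"] = f"error: {exc}"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only, mirrors verify_certificates: false
    try:
        with socket.create_connection((host, port), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["tls"] = tls.version()
    except (ssl.SSLError, OSError) as exc:
        report["tls"] = f"failed: {exc}"  # on a plaintext port: the 'read server hello' failure
    return report
```

Run probe('<ldap host>', 389) and probe('<ldap host>', 636): a port that answers "ldap" to the plaintext bind is the one to pair with plain or start_tls, and a port whose tls entry is a protocol version is the one to pair with simple_tls.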