Creation of new users from LDAP does not evaluate mail attribute as multi-value entry
Summary
When LDAP authentication is configured in a system, only one of the values of the (multi-valued) mail attribute is taken as the registration address and checked against the whitelist of valid domains.
If that mail address does not match the whitelist, the error message shown in the image below is presented. No user is created.
This behaviour differs from the invalid-credentials case, where a concise 'invalid credentials' error message is shown instead.
Steps to reproduce
In a system with a configured LDAP authentication provider, add/select a user that has not previously been added to GitLab. Set multiple email addresses in the attribute configured for retrieving the mail address.
Variant a) At least one address should not have a domain part at all (i.e. a local address).
Variant b) At least one address should have a domain that is not in the whitelist of allowed domains.
Expected behavior
Each mail address in the mail attribute that matches the whitelist should be listed among the user's mail addresses. If at least one domain matches, the user should be created.
Actual behavior
Warning: this is a Heisenbug! Since the order of the attribute values is not defined, any of them may be treated as the 'first' value for a given retrieval. Because of common implementations, choosing an address that is first in alphabetical order may help to reproduce it.
If the address that happens to be picked is not acceptable to GitLab (variants above), the user is rejected with the error message given.
Relevant logs and/or screenshots
The following message will appear in /var/log/gitlab/gitlab-rails/production.log:
Started POST "/users/auth/ldapmain/callback" for 141.22.XXX.XXX at 2016-12-13 07:05:07 +0100
Processing by OmniauthCallbacksController#ldapmain as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[an authentication token]", "username"=>"[valid LDAP user]", "password"=>"[FILTERED]"}
Completed 500 Internal Server Error in 130ms (ActiveRecord: 4.7ms)
The user is presented with this error message:
Output of checks
Results of GitLab application Check
Checking GitLab Shell ...
GitLab Shell version >= 4.0.3 ? ... OK (4.0.3)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:git?
default... no
User id for git: 998. Groupd id for git: 998
Try fixing it:
sudo chown -R git:git /var/opt/gitlab/git-data/repositories
For more information see:
doc/install/installation.md in section "GitLab Shell"
Please fix the error above and rerun the checks.
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
8/1 ... ok
8/2 ... ok
8/3 ... ok
8/4 ... ok
8/5 ... ok
8/6 ... ok
8/7 ... ok
8/8 ... ok
8/9 ... ok
8/10 ... ok
8/11 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
[List of 100 users removed]
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... no
Try fixing it:
sudo chown -R git /var/opt/gitlab/gitlab-rails/uploads
sudo find /var/opt/gitlab/gitlab-rails/uploads -type f -exec chmod 0644 {} \;
sudo find /var/opt/gitlab/gitlab-rails/uploads -type d -not -path /var/opt/gitlab/gitlab-rails/uploads -exec chmod 0700 {} \;
For more information see:
doc/install/installation.md in section "GitLab"
Please fix the error above and rerun the checks.
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
8/1 ... yes
8/2 ... yes
8/3 ... yes
8/4 ... yes
8/5 ... yes
8/6 ... yes
8/7 ... yes
8/8 ... yes
8/9 ... yes
8/10 ... yes
8/11 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.1)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.7.4)
Active users: 6
Checking GitLab ... Finished
Results of GitLab environment info
System information
System: Ubuntu 16.04
Current User: git
Using RVM: no
Ruby Version: 2.3.1p112
Gem Version: 2.6.6
Bundler Version:1.13.6
Rake Version: 10.5.0
Sidekiq Version:4.2.1
GitLab information
Version: 8.14.4
Revision: 3ea6c8d
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://gitlab.informatik.haw-hamburg.de
HTTP Clone URL: https://gitlab.informatik.haw-hamburg.de/some-group/some-project.git
SSH Clone URL: git@ssh.informatik.haw-hamburg.de:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 4.0.3
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git
Possible fixes
Treat mail attribute as multi-value and process all entries.
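As an added illustration (not GitLab's code), the following Ruby shows the difference between deciding on the first attribute value only and evaluating every value of a multi-valued mail attribute against a domain whitelist; the whitelist and the LDAP values are constructed for the example, and a local address without a domain part is rejected rather than raising.

```ruby
# Constructed whitelist of allowed registration domains (example values).
ALLOWED_DOMAINS = %w[example.edu students.example.edu].freeze

# Returns the lower-cased domain part of an address, or nil for a local
# address without '@' (variant a in the report) or a malformed one.
def mail_domain(address)
  return nil unless address.include?('@')
  local, domain = address.split('@', 2)
  return nil if local.empty? || domain.empty?
  domain.downcase
end

# Evaluates every value of the attribute. The LDAP server defines no order
# for the values, so the result must not depend on which one comes first.
# Returns the whitelisted addresses, de-duplicated and sorted.
def acceptable_addresses(mail_values, allowed = ALLOWED_DOMAINS)
  Array(mail_values).map(&:strip).reject(&:empty?).select do |addr|
    dom = mail_domain(addr)
    dom && allowed.include?(dom)
  end.map(&:downcase).uniq.sort
end

# Mirrors the behaviour described in the report: only the (arbitrary)
# first value decides whether the user may be created.
def first_value_only_accepts?(mail_values, allowed = ALLOWED_DOMAINS)
  acceptable_addresses(Array(mail_values).first(1), allowed).any?
end

# Proposed behaviour: create the user if at least one address matches.
def multi_value_accepts?(mail_values, allowed = ALLOWED_DOMAINS)
  acceptable_addresses(mail_values, allowed).any?
end

# Constructed attribute values, ordered so that the local address is 'first'.
SAMPLE_MAIL = ['jdoe', 'jdoe@example.edu', 'j.doe@otherdomain.example'].freeze

if __FILE__ == $PROGRAM_NAME
  puts "first value only: #{first_value_only_accepts?(SAMPLE_MAIL)}"
  puts "all values:       #{multi_value_accepts?(SAMPLE_MAIL)}"
  puts "addresses kept:   #{acceptable_addresses(SAMPLE_MAIL).inspect}"
end
```

Rotating SAMPLE_MAIL so that the whitelisted address comes first makes the first-value check succeed, which is exactly the order dependence the report describes.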
edit: improve formatting for readability