User first Login with Kerberos / SPNEGO fills out LDAP details incorrectly
Summary
If a (Active Directory LDAP) user logs in for the first time via Kerberos Spnego, the "Name" field is not populated with the settings from LDAP configuration (Here name: "displayName"). Instead it is populated with sAMAccountname.
Steps to reproduce
Create Testuser in AD Login into gitlab ee via Kerberos Spnego Name is sAMAccountname Delete this user in gitlab Login via Username / Password Name is displayName Logout Login with Kerberos Spnego Name is displayName
Example Project
On Premise Gitlab ee 11.5.3
What is the current bug behavior?
User Field "name" is populated with sAMAccountname instead of config in gitlab.rb
What is the expected correct behavior?
Use settings for LDAP matching from gitlab.rb
Relevant logs and/or screenshots
LDAP Configuration (excerpt)
gitlab_rails['ldap_enabled'] = true
###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'Domain AD Account'
host: 'domain.local'
port: 636
uid: 'sAMAccountName'
method: 'ssl' # "tls" or "ssl" or "plain"
bind_dn: 'redacted'
password: 'redacted'
# encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
verify_certificates: false
# ca_file: ''
# ssl_version: ''
active_directory: true
allow_username_or_email_login: false
block_auto_created_users: false
base: 'OU=Git-Team,DC=domain,DC=local'
user_filter: ''
attributes:
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
name: 'displayName'
first_name: 'givenName'
last_name: 'sn'
Kerberos settings
### OmniAuth Settings
###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['kerberos']
# gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'saml'
# gitlab_rails['omniauth_block_auto_created_users'] = true
gitlab_rails['omniauth_auto_link_ldap_user'] = true
# gitlab_rails['omniauth_auto_link_saml_user'] = false
# gitlab_rails['omniauth_external_providers'] = ['twitter', 'google_oauth2']
# gitlab_rails['omniauth_providers'] = [
# {
# "name" => "google_oauth2",
# "app_id" => "YOUR APP ID",
# "app_secret" => "YOUR APP SECRET",
# "args" => { "access_type" => "offline", "approval_prompt" => "" }
# }
# ]
Output of checks
(If you are reporting a bug on GitLab.com, write: This bug happens on GitLab.com)
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Proxy: no Current User: git Using RVM: no Ruby Version: 2.4.5p335 Gem Version: 2.7.6 Bundler Version:1.16.6 Rake Version: 12.3.1 Redis Version: 3.2.12 Git Version: 2.18.1 Sidekiq Version:5.2.1 Go Version: unknown
GitLab information Version: 11.5.3-ee Revision: 588b25b Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql DB Version: 9.6.8 URL: https://build-test.domain.local/source HTTP Clone URL: https://build-test.domain.local/source/some-group/some-project.git SSH Clone URL: git@git-test.domain.local:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: yes Using Omniauth: yes Omniauth Providers: kerberos_spnego
GitLab Shell Version: 8.4.1 Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab Shell ...
GitLab Shell version >= 8.4.1 ? ... OK (8.4.1) hooks directories in repos are links: ... 10/3 ... ok 9/4 ... ok 13/5 ... ok 9/7 ... ok 14/8 ... ok 9/9 ... ok 2/10 ... ok 24/11 ... ok 70/12 ... ok 10/13 ... ok 10/14 ... repository is empty 10/15 ... ok Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Running? ... yes Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Reply by email is disabled in config/gitlab.yml Checking LDAP ...
Server: ldapmain not verifying SSL hostname of LDAPS server 'domain.local:636' LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) (Output removed) Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 10/3 ... yes 9/4 ... yes 13/5 ... yes 9/7 ... yes 14/8 ... yes 9/9 ... yes 2/10 ... yes 24/11 ... yes 70/12 ... yes 10/13 ... yes 10/14 ... yes 10/15 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.4.5) Git version >= 2.9.5 ? ... yes (2.18.1) Git user has default SSH configuration? ... yes Active users: ... 46 Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)
Checking GitLab ... Finished
Possible fixes
(If you can, link to the line of code that might be responsible for the problem)