Rake gitlab:ldap:check seems to do anonymous bind search
Summary
Rake gitlab:ldap:check seems to allow anonymous bind even when a bind_dn and password are provided.
Steps to reproduce
While debugging LDAP issues with a customer, we observed that a gitlab-rake gitlab:ldap:check would return 100 users easily. It gave no errors. However, every other attempt to use LDAP in GitLab failed - logins, manual searches in the Rails console, etc. All gave the error "Invalid credentials". The credentials were, in fact, invalid and things worked once we fixed that. The question remains, why did gitlab:ldap:check allow the query - it must have done an anonymous bind, which was allowed by this particular server.
The only difference I could nail down from looking at code is that the Rake task uses Gitlab::LDAP::Adapter.open and then does the user search. Most other places in GitLab simply create an adapter and do one query - such as adapter = Gitlab::LDAP::Adapter.new('ldapmain'); Gitlab::LDAP::Person.find_by_uid('foo', adapter). The former worked, the latter gave the error, when tried in the Rails console. What is this madness?
cc/ @jacobvosmaer-gitlab Any thoughts on why Gitlab::LDAP::Adapter#open + query inside a block would differ from Gitlab::LDAP::Adapter#new + query by passing the adapter? Both adapters should have the full connection details including bind_dn and password.
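The failure mode described above is a check that reports success because the directory answered an anonymous search, not because bind_dn and password were accepted. The following is an added example, not GitLab's code: a credential check that binds explicitly and refuses to count search results unless that bind succeeded. It talks to a duck-typed connection (bind / get_operation_result / search, the method names Net::LDAP uses) and runs offline against a constructed fake server that, like the customer's, allows anonymous searches; the DN, password and result codes are assumed sample values.

```ruby
LDAP_SUCCESS             = 0
LDAP_INVALID_CREDENTIALS = 49   # the "Invalid credentials" result from the report

CheckResult = Struct.new(:bound, :code, :message, :users)

# Bind with the configured credentials first and stop if that fails. Any users a
# later search returned would have come from an anonymous session, which is the
# behaviour the report suspects of the rake task.
def check_ldap_credentials(conn, base:, filter: '(objectClass=person)')
  conn.bind
  op = conn.get_operation_result
  return CheckResult.new(false, op.code, op.message, []) if op.code != LDAP_SUCCESS

  users = conn.search(base: base, filter: filter) || []
  CheckResult.new(true, LDAP_SUCCESS, op.message, users)
end

# Constructed fake directory: accepts exactly one bind_dn/password pair, but
# still answers searches from an unbound (anonymous) session.
class FakeLdap
  OpResult = Struct.new(:code, :message)
  VALID = ['cn=gitlab,dc=example,dc=com', 'correct-horse'].freeze  # sample creds

  def initialize(bind_dn, password)
    @creds = [bind_dn, password]
    @op = OpResult.new(LDAP_SUCCESS, 'Success')
  end

  def bind
    ok = @creds == VALID
    @op = ok ? OpResult.new(LDAP_SUCCESS, 'Success')
             : OpResult.new(LDAP_INVALID_CREDENTIALS, 'Invalid Credentials')
    ok
  end

  def get_operation_result
    @op
  end

  # Anonymous search is permitted, so 100 users come back regardless of the bind.
  def search(base:, filter:)
    (1..100).map { |i| { dn: "uid=user#{i},#{base}", filter: filter } }
  end
end

if __FILE__ == $PROGRAM_NAME
  r = check_ldap_credentials(FakeLdap.new('cn=gitlab,dc=example,dc=com', 'wrong'),
                             base: 'dc=example,dc=com')
  puts "wrong password: bound=#{r.bound} code=#{r.code} users=#{r.users.size}"
end
```

With the wrong password the fake server would still hand back 100 users to a bare search, but the check reports bound=false and zero users, which is the answer an operator debugging "Invalid credentials" needs.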