LDAP simple authentication failing with "Invalid binding information" error, due to user_allowed checks not presenting credentials.
Summary
Attempting to login to an LDAP account presents the error:
Could not authenticate you from Ldapmain because "Invalid binding information"
I am using an LDAP server to authenticate with simple auth. I do not control the LDAP server and don't have an admin account to use on it. Instead I authenticate by attempting to bind to the server with the credentials of the user logging in. This had worked fine on GitLab 7.10 but broke when I upgraded to 8.11.4.
When I attempt to login I receive the error above. I have tracked this down to omniauth_callbacks_controller.rb doing a check, after the initial authentication, to see if the user is allowed (whether the account is disabled). This triggers a second call to the LDAP server, but it presents no credentials and so fails to bind.
Steps to reproduce
Login to an LDAP account with valid credentials.
Expected behavior
Login should succeed.
Actual behavior
Login fails with error: Ldapmain because "Invalid binding information"
Relevant logs and/or screenshots
unicorn log says:
E, [2016-09-07T17:23:05.148211 #16663] ERROR -- omniauth: (ldapmain) Authentication failure! ldap_error: Net::LDAP::BindingInformationInvalidError, Invalid binding information
LDAP section from my gitlab.rb
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'ldap.mysite.com'
    port: 636
    uid: 'cn'
    method: 'ssl' # "tls" or "ssl" or "plain"
    bind_dn: 'ou=Users,dc=ldap,dc=mysite,dc=com'
    active_directory: true
    allow_username_or_email_login: true
    block_auto_created_users: true
    base: 'ou=Users,dc=ldap,dc=mysite,dc=com'
EOS
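As an added check (not part of the original report and not GitLab's own code), the following Ruby script lints an `ldap_servers` YAML block the way a reviewer would before restarting GitLab. The sample block is constructed from the configuration above plus a hypothetical second server that uses a real service account; the `ldap2.example.com` host, the `gitlab-svc` account and the `lint_ldap_servers` function are assumptions. The `bind_dn` rule mirrors the precondition in net-ldap's simple auth adapter (a DN without a password is rejected on the client before any bind request is sent), which is the `simple.rb` frame in the rake trace further down.

```ruby
require 'yaml'

# Constructed sample: the 'main' block from the report (indented as the YAML heredoc
# requires) and a hypothetical second server configured with a service account.
SAMPLE_LDAP_SERVERS = <<~'EOS'
  main:
    label: 'LDAP'
    host: 'ldap.mysite.com'
    port: 636
    uid: 'cn'
    method: 'ssl'
    bind_dn: 'ou=Users,dc=ldap,dc=mysite,dc=com'
    active_directory: true
    allow_username_or_email_login: true
    block_auto_created_users: true
    base: 'ou=Users,dc=ldap,dc=mysite,dc=com'
  secondary:
    label: 'LDAP (hypothetical clean config)'
    host: 'ldap2.example.com'
    port: 636
    uid: 'sAMAccountName'
    method: 'ssl'
    bind_dn: 'cn=gitlab-svc,ou=Service Accounts,dc=example,dc=com'
    password: 'redacted'
    base: 'dc=example,dc=com'
EOS

# Returns an array of [severity, message] findings for one provider block.
def lint_ldap_server(name, cfg)
  findings = []
  method   = cfg['method'].to_s
  port     = cfg['port'].to_i
  bind_dn  = cfg['bind_dn']
  password = cfg['password']

  unless %w[ssl tls plain].include?(method)
    findings << [:error, "#{name}: method must be 'ssl', 'tls' or 'plain' (got #{method.inspect})"]
  end
  if method == 'plain'
    # A simple bind carries the password itself, so 'plain' exposes every user's password on the wire.
    findings << [:warn, "#{name}: method 'plain' sends every simple-bind password in cleartext"]
  end
  if method == 'ssl' && port == 389
    findings << [:warn, "#{name}: method 'ssl' (LDAPS) on port 389; LDAPS normally listens on 636"]
  elsif method == 'tls' && port == 636
    findings << [:warn, "#{name}: method 'tls' (STARTTLS) on port 636; STARTTLS normally runs on 389"]
  end
  if bind_dn && (password.nil? || password.to_s.empty?)
    # Same condition net-ldap's simple adapter rejects: a DN with no password.
    findings << [:error, "#{name}: bind_dn is set but password is missing; the simple bind used for " \
                         "the post-login allowed? check raises Net::LDAP::BindingInformationInvalidError " \
                         "before any bind request is sent"]
  end
  if bind_dn && bind_dn == cfg['base']
    findings << [:warn, "#{name}: bind_dn equals base (#{bind_dn}); that is a container DN, not an account"]
  end
  findings
end

# Lints every provider in a gitlab.rb ldap_servers YAML block.
def lint_ldap_servers(yaml_text)
  YAML.safe_load(yaml_text).flat_map { |name, cfg| lint_ldap_server(name, cfg) }
end

if __FILE__ == $PROGRAM_NAME
  lint_ldap_servers(SAMPLE_LDAP_SERVERS).each { |sev, msg| puts "#{sev.to_s.upcase}: #{msg}" }
end
```

Run against the sample, the `main` block yields one error (bind_dn without password) and one warning (bind_dn is the same DN as base), while the hypothetical `secondary` block yields nothing.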
Output of checks
Results of GitLab application Check
gitlab-rake gitlab:check SANITIZE=true
Checking GitLab Shell ...
GitLab Shell version >= 3.4.0 ? ... OK (3.4.0)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
4/2 ... ok
4/3 ... ok
4/4 ... ok
4/5 ... ok
4/8 ... ok
4/9 ... ok
4/10 ... repository is empty
4/11 ... ok
4/12 ... ok
4/13 ... ok
4/14 ... ok
4/15 ... ok
4/16 ... ok
4/17 ... ok
2/18 ... ok
4/19 ... ok
4/20 ... ok
2/21 ... ok
2/22 ... ok
2/23 ... ok
4/24 ... ok
2/25 ... ok
2/29 ... ok
2/30 ... ok
13/33 ... ok
15/35 ... ok
16/36 ... repository is empty
4/38 ... repository is empty
5/40 ... ok
4/41 ... ok
5/42 ... ok
17/45 ... ok
17/46 ... ok
5/49 ... ok
2/50 ... ok
2/51 ... ok
4/52 ... ok
4/54 ... ok
19/55 ... ok
2/57 ... ok
19/58 ... ok
4/59 ... ok
20/61 ... ok
4/63 ... ok
19/64 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
rake aborted!
Net::LDAP::BindingInformationInvalidError: Invalid binding information
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap/auth_adapter/simple.rb:14:in `bind'
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap/connection.rb:246:in `block in bind'
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap/connection.rb:241:in `bind'
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap.rb:684:in `block in open'
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap/instrumentation.rb:19:in `instrument'
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap.rb:680:in `open'
/opt/gitlab/embedded/service/gem/ruby/2.3.0/gems/net-ldap-0.12.1/lib/net/ldap.rb:616:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/adapter.rb:7:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:786:in `block in print_users'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:784:in `each'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:784:in `print_users'
/opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/check.rake:771:in `block (3 levels) in <top (required)>'
/opt/gitlab/embedded/bin/bundle:22:in `load'
/opt/gitlab/embedded/bin/bundle:22:in `<main>'
Tasks: TOP => gitlab:check => gitlab:ldap:check
(See full trace by running task with --trace)
Test appears to have failed due to this bug!
Results of GitLab environment info
System information
System: Ubuntu 12.04
Current User: git
Using RVM: no
Ruby Version: 2.3.1p112
Gem Version: 2.6.6
Bundler Version: 2.3.0
Rake Version: 10.5.0
Sidekiq Version: 4.1.4
GitLab information
Version: 8.11.4
Revision: b871b76
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: https://support.plant-phenomics.ac.uk:8081
HTTP Clone URL: https://support.plant-phenomics.ac.uk:8081/some-group/some-project.git
SSH Clone URL: git@support.plant-phenomics.ac.uk:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 3.4.0
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/
Git: /opt/gitlab/embedded/bin/git
Possible fixes
Disable the additional LDAP user allowed checks on line 32 of gitlab-rails/app/controllers/omniauth_callbacks_controller.rb (https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/omniauth_callbacks_controller.rb#L32)
Change the following code:
# Do additional LDAP checks for the user filter and EE features
if ldap_user.allowed?
  if @user.two_factor_enabled?
    prompt_for_two_factor(@user)
  else
    log_audit_event(@user, with: :ldap)
    sign_in_and_redirect(@user)
  end
else
  flash[:alert] = "Access denied for your LDAP account."
  redirect_to new_user_session_path
end
to
# Do additional LDAP checks for the user filter and EE features
if @user.two_factor_enabled?
  prompt_for_two_factor(@user)
else
  log_audit_event(@user, with: :ldap)
  sign_in_and_redirect(@user)
end
This doesn't allow invalid passwords to log in. It might allow disabled accounts to log in; I haven't got a disabled account (and don't control the LDAP server) to test with.
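To make the consequence of the proposed patch concrete, here is an added example (not GitLab's code and not part of the original report) that models the two binds involved in an LDAP login: the user's own bind that omniauth performs, and the second bind with the configured `bind_dn`/`password` that the `allowed?` check needs before it can read the account's status. The directory, the `alice`, `bob` and `gitlab-svc` entries, the passwords and every function name are constructed for the example; the bind precondition is the one net-ldap's simple adapter enforces, and `ACCOUNTDISABLE` is the `userAccountControl` bit Active Directory sets on disabled accounts. `:skip_check` corresponds to the patch above (no `allowed?` call at all); `:fail_closed` keeps the check and turns an unverifiable result into a denial, which is what GitLab does today in the form of the "Invalid binding information" failure.

```ruby
# Stand-in for the net-ldap exception named in the trace above.
class BindingInformationInvalidError < StandardError; end
class InvalidCredentialsError < StandardError; end

ACCOUNTDISABLE = 0x2 # userAccountControl bit set on disabled AD accounts

# Constructed directory: DN => attributes. alice is enabled, bob is disabled,
# gitlab-svc is a hypothetical service account a real bind_dn would point at.
DIRECTORY = {
  'cn=alice,ou=Users,dc=ldap,dc=mysite,dc=com'        => { password: 'alice-pw', userAccountControl: 0x200 },
  'cn=bob,ou=Users,dc=ldap,dc=mysite,dc=com'          => { password: 'bob-pw',   userAccountControl: 0x200 | ACCOUNTDISABLE },
  'cn=gitlab-svc,ou=Service,dc=ldap,dc=mysite,dc=com' => { password: 'svc-pw',   userAccountControl: 0x200 },
}.freeze

# The server blocks under test: the report's (bind_dn with no password) and a fixed one.
REPORTED_CONFIG      = { bind_dn: 'ou=Users,dc=ldap,dc=mysite,dc=com', password: nil }.freeze
WITH_SERVICE_ACCOUNT = { bind_dn: 'cn=gitlab-svc,ou=Service,dc=ldap,dc=mysite,dc=com', password: 'svc-pw' }.freeze

# Simple bind. Like net-ldap's simple adapter, a missing DN or password is rejected
# client-side (BindingInformationInvalidError) before anything reaches the directory;
# with both present, the directory verifies the password.
def simple_bind(dn, password)
  raise BindingInformationInvalidError, 'Invalid binding information' unless dn && password
  entry = DIRECTORY[dn]
  raise InvalidCredentialsError, "bind failed for #{dn}" unless entry && entry[:password] == password
  entry
end

# Step 1 (omniauth-ldap): bind as the user with the password they submitted.
def authenticate(user_dn, password)
  simple_bind(user_dn, password)
  user_dn
end

# Step 2 (the allowed? check): bind with the *configured* bind_dn/password, not the
# user's, then read the user's userAccountControl. This is the bind that fails in the report.
def ldap_allowed?(user_dn, bind_dn:, password:)
  simple_bind(bind_dn, password)
  (DIRECTORY.fetch(user_dn)[:userAccountControl] & ACCOUNTDISABLE).zero?
end

# Login decision. on_bind_error: :skip_check never calls allowed? (the proposed patch);
# :fail_closed keeps the check and denies when it cannot be carried out.
def login(user_dn, user_password, server:, on_bind_error: :fail_closed)
  authenticate(user_dn, user_password)
  return :signed_in if on_bind_error == :skip_check
  ldap_allowed?(user_dn, **server) ? :signed_in : :denied_by_ldap
rescue InvalidCredentialsError
  :bad_password
rescue BindingInformationInvalidError
  :denied_unverifiable
end

if __FILE__ == $PROGRAM_NAME
  alice = 'cn=alice,ou=Users,dc=ldap,dc=mysite,dc=com'
  bob   = 'cn=bob,ou=Users,dc=ldap,dc=mysite,dc=com'
  puts "alice, service account:        #{login(alice, 'alice-pw', server: WITH_SERVICE_ACCOUNT)}"
  puts "bob (disabled), service acct:  #{login(bob, 'bob-pw', server: WITH_SERVICE_ACCOUNT)}"
  puts "alice, reported config:        #{login(alice, 'alice-pw', server: REPORTED_CONFIG)}"
  puts "bob (disabled), patch applied: #{login(bob, 'bob-pw', server: REPORTED_CONFIG, on_bind_error: :skip_check)}"
  puts "alice, wrong pw, patch:        #{login(alice, 'wrong', server: REPORTED_CONFIG, on_bind_error: :skip_check)}"
end
```

With a service account the disabled account is refused; with the reported configuration every login is refused because the second bind cannot be made; with the patch applied a bad password is still refused but the disabled account signs in, which is the gap the last paragraph above suspects.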
