Logging in with LDAP user without email attribute and TFA enabled results in "The page isn’t redirecting properly"
I did a fresh install of 8.13.0-rc3 from source with LDAP authentication enabled and set two-factor authentication compulsory. When an LDAP user who does not have an e-mail address configured in LDAP and who has never logged in to GitLab before logs in, the authentication succeeds, but the user only gets a browser error stating "The page isn’t redirecting properly" instead of the screen where he can set up his account. Either adding an email attribute in the LDAP directory or disabling the setting "Require all users to setup Two-factor authentication" in GitLab works around this problem.
In gitlab.yml:
ldap:
  enabled: true
  servers:
    label: 'LDAP'
    host: 'localhost'
    port: 389
    uid: 'uid'
    bind_dn:
    password:
    timeout: 10
    active_directory: false
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'dc=example,dc=com'
    user_filter: ''
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email: ['mail', 'email', 'userPrincipalName']
      name: 'cn'
      first_name: 'givenName'
      last_name: 'sn'
Example of an LDAP entry of a user which gets this error:
dn: cn=testuser testuser,ou=People,dc=example,dc=com
sn: testuser
givenName: testuser
uid: testuser
cn: testuser testuser
structuralObjectClass: inetOrgPerson
entryUUID: 58764204-2bde-1036-9992-2b72ee90a592
creatorsName: cn=admin,dc=wise,dc=vub,dc=ac,dc=be
createTimestamp: 20161021133058Z
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
sambaLMPassword: foo
sambaNTPassword: foo
sambaPwdLastSet: 1477056665
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
userPassword:: foo
entryCSN: 20161021135202.996627Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20161021135202Z
Adding
mail: testuser@example.com
is enough to make the error go away, as is disabling the requirement to set up TFA.
gitlab-workhorse.log shows the endless loop redirecting the user:
wisepc20.vub.ac.be 127.0.0.1:34002 - - [2016-10-21 15:20:52.707460517 +0200 CEST] "GET / HTTP/1.1" 302 106 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.062912
wisepc20.vub.ac.be 127.0.0.1:34004 - - [2016-10-21 15:20:54.049021376 +0200 CEST] "GET /users/sign_in HTTP/1.1" 200 8541 "" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.087993
wisepc20.vub.ac.be 127.0.0.1:34006 - - [2016-10-21 15:21:15.448529794 +0200 CEST] "POST /users/auth/ldapmain/callback HTTP/1.1" 302 93 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.375853
wisepc20.vub.ac.be 127.0.0.1:34020 - - [2016-10-21 15:21:15.841171633 +0200 CEST] "GET / HTTP/1.1" 302 116 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.063049
wisepc20.vub.ac.be 127.0.0.1:34022 - - [2016-10-21 15:21:15.913567229 +0200 CEST] "GET /profile/two_factor_auth HTTP/1.1" 302 100 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.062087
wisepc20.vub.ac.be 127.0.0.1:34024 - - [2016-10-21 15:21:15.991717987 +0200 CEST] "GET /profile HTTP/1.1" 302 116 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.052817
wisepc20.vub.ac.be 127.0.0.1:34026 - - [2016-10-21 15:21:16.056152065 +0200 CEST] "GET /profile/two_factor_auth HTTP/1.1" 302 100 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.062733
wisepc20.vub.ac.be 127.0.0.1:34028 - - [2016-10-21 15:21:16.128526891 +0200 CEST] "GET /profile HTTP/1.1" 302 116 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.064151
wisepc20.vub.ac.be 127.0.0.1:34030 - - [2016-10-21 15:21:16.201834122 +0200 CEST] "GET /profile/two_factor_auth HTTP/1.1" 302 100 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.063101
wisepc20.vub.ac.be 127.0.0.1:34032 - - [2016-10-21 15:21:16.271394534 +0200 CEST] "GET /profile HTTP/1.1" 302 116 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.057066
wisepc20.vub.ac.be 127.0.0.1:34034 - - [2016-10-21 15:21:16.425293807 +0200 CEST] "GET /profile/two_factor_auth HTTP/1.1" 302 100 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.054861
wisepc20.vub.ac.be 127.0.0.1:34036 - - [2016-10-21 15:21:16.490410362 +0200 CEST] "GET /profile HTTP/1.1" 302 116 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.061281
wisepc20.vub.ac.be 127.0.0.1:34038 - - [2016-10-21 15:21:16.563351852 +0200 CEST] "GET /profile/two_factor_auth HTTP/1.1" 302 100 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.065696
wisepc20.vub.ac.be 127.0.0.1:34040 - - [2016-10-21 15:21:16.639670983 +0200 CEST] "GET /profile HTTP/1.1" 302 116 "https://wisepc20.vub.ac.be/users/sign_in" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0" 0.054232
[...]
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
Checking GitLab Shell ...
GitLab Shell version >= 3.6.6 ? ... OK (3.6.6)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
2/1 ... ok
Running /home/git/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /home/git/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Reply by email ...
Reply by email is disabled in config/gitlab.yml
Checking Reply by email ... Finished
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
DN: uid=foo,ou=People,dc=example,dc=com uid: foo
[...]
Checking LDAP ... Finished
Checking GitLab ...
Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... skipped (no tmp uploads folder yet)
Init script exists? ... yes
Init script up-to-date? ... yes
projects have namespace: ...
2/1 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.1)
Your git bin path is "/usr/bin/git"
Git version >= 2.7.3 ? ... yes (2.9.3)
Active users: 3
Checking GitLab ... Finished
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
System information
System: Debian 8.6
Current User: git
Using RVM: no
Ruby Version: 2.3.1p112
Gem Version: /home/git/gitlab/Gemfile:16:in `eval_gemfile': (Bundler::Dsl::DSLError)
[!] There was an error parsing `Gemfile`: compile error - syntax error, unexpected ':', expecting $end
gem 'mysql2', '~> 0.3.16', group: :mysql
^. Bundler cannot continue.
# from /home/git/gitlab/Gemfile:16
# -------------------------------------------
# # Supported DBs
> gem 'mysql2', '~> 0.3.16', group: :mysql
# gem 'pg', '~> 0.18.2', group: :postgres
# -------------------------------------------
from /usr/lib/ruby/vendor_ruby/bundler/dsl.rb:11:in `evaluate'
from /usr/lib/ruby/vendor_ruby/bundler/definition.rb:25:in `build'
from /usr/lib/ruby/vendor_ruby/bundler.rb:123:in `definition'
from /usr/lib/ruby/vendor_ruby/bundler.rb:91:in `setup'
from /usr/lib/ruby/vendor_ruby/bundler/setup.rb:19
Bundler Version:1.12.5
Rake Version: 10.5.0
Sidekiq Version:4.2.1
GitLab information
Version: 8.13.0-rc3
Revision: 726a853
Directory: /home/git/gitlab
DB Adapter: postgresql
URL: https://wisepc20.vub.ac.be
HTTP Clone URL: https://wisepc20.vub.ac.be/some-group/some-project.git
SSH Clone URL: git@wisepc20.vub.ac.be:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 3.6.6
Repository storage paths:
- default: /home/git/repositories/
Hooks: /home/git/gitlab-shell/hooks/
Git: /usr/bin/git
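Added example (not part of the original report and not GitLab code): a pre-flight audit that lists the directory entries that would hit this problem once two-factor authentication is made compulsory, by checking an LDIF export against the email attribute list from the gitlab.yml above. The LDIF reader is a minimal one written for this example, and every entry in the sample except the first is constructed.

```python
import base64

# Attribute names GitLab is told to try for the e-mail address (from the
# gitlab.yml in the report). LDAP attribute names are case-insensitive.
EMAIL_ATTRS = ["mail", "email", "userPrincipalName"]

def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated entries, folded lines,
    'attr: value' and base64 'attr:: value'); not a full RFC 2849 parser."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):     # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def users_without_email(ldif_text, email_attrs=EMAIL_ATTRS):
    """Return the DNs of entries with no non-empty value in any e-mail attribute."""
    wanted = [a.lower() for a in email_attrs]
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "dn" in e and not any(v for a in wanted for v in e.get(a, []))]

# Constructed export: the first entry is trimmed from the report, the other
# two are made up for the example.
SAMPLE_LDIF = """\
dn: cn=testuser testuser,ou=People,dc=example,dc=com
uid: testuser
cn: testuser testuser
objectClass: inetOrgPerson

dn: cn=with mail,ou=People,dc=example,dc=com
uid: withmail
Mail: withmail@example.com

dn: cn=empty mail,ou=People,dc=example,dc=com
uid: emptymail
mail:
"""

if __name__ == "__main__":
    for dn in users_without_email(SAMPLE_LDIF):
        print("no e-mail attribute:", dn)
```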
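Added example (not part of the original report and not GitLab code): a detector for the redirect loop visible in the gitlab-workhorse.log excerpt above, which flags any client whose GET requests are answered with an unbroken chain of 3xx responses that keeps returning to the same paths. The host name, User-Agent and sample lines are constructed, and keying clients on host plus User-Agent is an assumption made because the logged remote address is the local proxy.

```python
import re
from collections import Counter, defaultdict

# Field layout taken from the gitlab-workhorse.log lines in the report.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ - - \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" [\d.]+$'
)

def find_redirect_loops(lines, min_repeats=3):
    """Map client -> sorted paths hit >= min_repeats times inside one
    unbroken run of GET requests that were all answered with a 3xx."""
    runs = defaultdict(Counter)  # client -> path counts in the current run
    loops = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not an access-log line
        # The remote address is the local proxy, so host + User-Agent is the
        # only client key this log offers (assumption; it is a weak key).
        client = (m["host"], m["ua"])
        if m["method"] == "GET" and m["status"].startswith("3"):
            runs[client][m["path"]] += 1
            repeated = sorted(p for p, n in runs[client].items() if n >= min_repeats)
            if repeated:
                loops[client] = repeated
        else:
            runs[client].clear()  # a non-redirect answer ends the chain
    return loops

def sample_line(method, path, status):
    # Constructed sample line in the same layout; host and UA are placeholders.
    return (f'gitlab.example.com 127.0.0.1:34000 - - [2016-10-21 15:21:15 +0200 CEST] '
            f'"{method} {path} HTTP/1.1" {status} 100 '
            f'"https://gitlab.example.com/users/sign_in" "ExampleBrowser/1.0" 0.06')

SAMPLE = [sample_line("GET", "/users/sign_in", 200),
          sample_line("POST", "/users/auth/ldapmain/callback", 302),
          sample_line("GET", "/", 302)]
SAMPLE += [sample_line("GET", p, 302) for p in ("/profile/two_factor_auth", "/profile")] * 3

if __name__ == "__main__":
    for (host, ua), paths in find_redirect_loops(SAMPLE).items():
        print(f"redirect loop on {host} ({ua}): {' <-> '.join(paths)}")
```

An ordinary sign-in redirect (GET / answered with 302, then a 200 on the sign-in page) resets the run, so it is not reported.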