Skip to content

Git clone with git-lfs submodule causes LDAP account lockout

Summary

When performing checkout, our LDAP server is hit with large number of authentications that it causes the account to be locked out.

Steps to reproduce

  1. Create project and populate git repo
  2. Create second project with git-lfs enabled add about 4000 large files configured for git-lfs repo
  3. Configure first project to use second project as submodule
  4. Clone the first project, then perform 'git submodule update --init'

Expected behavior

We would expect user to be able to clone repo without issues to other network resources

Actual behavior

We are seeing that user is unable to access gitlab server and other network resources are unavailable.

Relevant logs and/or screenshots

(Paste any relevant logs - please use code blocks (```) to format console output, logs, and code as it's very hard to read otherwise.)

Output of checks

Results of GitLab application Check

gitlab-rake gitlab:check SANITIZE=true

Checking GitLab Shell ...

GitLab Shell version >= 3.6.6 ? ... OK (3.6.6) Repo base directory exists? default... yes Repo storage directories are symlinks? default... no Repo paths owned by git:git? default... yes Repo paths access is drwxrws---? default... yes hooks directories in repos are links: ... 61/4 ... ok 61/5 ... repository is empty 21/8 ... ok 48/11 ... ok 48/12 ... ok 16/13 ... ok 16/14 ... ok 16/15 ... ok 16/16 ... ok 16/17 ... ok 16/18 ... ok 61/19 ... ok 16/20 ... ok 55/21 ... ok 16/22 ... ok 16/23 ... ok 16/24 ... ok 61/25 ... ok 61/26 ... ok 61/27 ... ok 61/28 ... ok 61/29 ... ok 61/30 ... ok 61/31 ... ok 61/32 ... ok 61/33 ... ok 61/34 ... ok 61/35 ... ok 61/36 ... ok 16/37 ... ok 16/39 ... ok 61/40 ... ok 16/41 ... ok 16/42 ... ok 16/43 ... ok 16/44 ... ok 16/45 ... ok 16/46 ... ok 16/47 ... ok 16/48 ... ok 16/49 ... ok 16/50 ... ok 16/51 ... ok 16/53 ... ok 16/54 ... ok 16/55 ... ok 16/56 ... ok 16/57 ... ok 16/58 ... ok 16/59 ... ok 61/60 ... ok 16/61 ... ok 61/62 ... ok 16/63 ... ok 21/65 ... ok 231/67 ... ok 9/70 ... ok 55/71 ... ok 31/72 ... ok 112/79 ... ok 112/83 ... ok 116/84 ... ok 116/85 ... ok 121/87 ... ok 121/88 ... ok 23/89 ... ok 41/90 ... ok 48/91 ... ok 128/92 ... ok 112/96 ... ok 112/97 ... ok 112/98 ... ok 112/99 ... ok 112/100 ... ok 112/101 ... ok 112/103 ... ok 112/104 ... ok 112/110 ... ok 112/112 ... ok 112/113 ... ok 112/114 ... ok 128/120 ... ok 160/124 ... ok 235/128 ... ok 235/129 ... ok 48/130 ... ok 224/131 ... ok 116/132 ... ok 183/133 ... ok 55/134 ... ok 21/135 ... repository is empty 55/136 ... ok 158/137 ... ok 288/138 ... repository is empty 55/139 ... ok 305/140 ... ok 273/141 ... ok 306/143 ... ok 306/144 ... ok 306/145 ... ok 306/146 ... ok 306/147 ... repository is empty 306/148 ... ok 306/149 ... ok 306/150 ... ok 306/151 ... ok 306/152 ... ok 159/153 ... ok 306/154 ... ok 128/155 ... ok 160/158 ... ok 55/159 ... ok 228/161 ... ok Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Access to /var/opt/gitlab/.ssh/authorized_keys: OK Send ping to redis server: OK gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Reply by email ...

Reply by email is disabled in config/gitlab.yml

Checking Reply by email ... Finished

Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results) Server: ldapmain

...

Checking LDAP ... Finished

Checking GitLab ...

Git configured with autocrlf=input? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config outdated? ... no Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory setup correctly? ... no Try fixing it: sudo chown -R git /var/opt/gitlab/gitlab-rails/uploads sudo find /var/opt/gitlab/gitlab-rails/uploads -type f -exec chmod 0644 {} ; sudo find /var/opt/gitlab/gitlab-rails/uploads -type d -not -path /var/opt/gitlab/gitlab-rails/uploads -exec chmod 0700 {} ; For more information see: doc/install/installation.md in section "GitLab" Please fix the error above and rerun the checks. Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) projects have namespace: ... 61/4 ... yes 61/5 ... yes 21/8 ... yes 48/11 ... yes 48/12 ... yes 16/13 ... yes 16/14 ... yes 16/15 ... yes 16/16 ... yes 16/17 ... yes 16/18 ... yes 61/19 ... yes 16/20 ... yes 55/21 ... yes 16/22 ... yes 16/23 ... yes 16/24 ... yes 61/25 ... yes 61/26 ... yes 61/27 ... yes 61/28 ... yes 61/29 ... yes 61/30 ... yes 61/31 ... yes 61/32 ... yes 61/33 ... yes 61/34 ... yes 61/35 ... yes 61/36 ... yes 16/37 ... yes 16/39 ... yes 61/40 ... yes 16/41 ... yes 16/42 ... yes 16/43 ... yes 16/44 ... yes 16/45 ... yes 16/46 ... yes 16/47 ... yes 16/48 ... yes 16/49 ... yes 16/50 ... yes 16/51 ... yes 16/53 ... yes 16/54 ... yes 16/55 ... yes 16/56 ... yes 16/57 ... yes 16/58 ... yes 16/59 ... yes 61/60 ... yes 16/61 ... yes 61/62 ... yes 16/63 ... yes 21/65 ... yes 231/67 ... yes 9/70 ... yes 55/71 ... yes 31/72 ... yes 112/79 ... yes 112/83 ... yes 116/84 ... yes 116/85 ... yes 121/87 ... yes 121/88 ... yes 23/89 ... yes 41/90 ... yes 48/91 ... yes 128/92 ... yes 112/96 ... yes 112/97 ... yes 112/98 ... yes 112/99 ... yes 112/100 ... yes 112/101 ... yes 112/103 ... yes 112/104 ... yes 112/110 ... yes 112/112 ... yes 112/113 ... yes 112/114 ... yes 128/120 ... yes 160/124 ... yes 235/128 ... yes 235/129 ... yes 48/130 ... yes 224/131 ... yes 116/132 ... yes 183/133 ... yes 55/134 ... yes 21/135 ... yes 55/136 ... yes 158/137 ... yes 288/138 ... yes 55/139 ... yes 305/140 ... yes 273/141 ... yes 306/143 ... yes 306/144 ... yes 306/145 ... yes 306/146 ... yes 306/147 ... yes 306/148 ... yes 306/149 ... yes 306/150 ... yes 306/151 ... yes 306/152 ... yes 159/153 ... yes 306/154 ... yes 128/155 ... yes 160/158 ... yes 55/159 ... yes 228/161 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.1.0 ? ... yes (2.3.1) Your git bin path is "/opt/gitlab/embedded/bin/git" Git version >= 2.7.3 ? ... yes (2.7.4) Active users: 292

Checking GitLab ... Finished

Results of GitLab environment info

sudo gitlab-rake gitlab:env:info

System information System: CentOS 6.7 Current User: git Using RVM: no Ruby Version: 2.3.1p112 Gem Version: 2.6.6 Bundler Version:1.13.6 Rake Version: 10.5.0 Sidekiq Version:4.2.1

GitLab information Version: 8.13.5 Revision: 09cedb5f Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql URL: https://git-av.nvidia.com HTTP Clone URL: https://git-av.nvidia.com/some-group/some-project.git SSH Clone URL: git@git-av.nvidia.com:some-group/some-project.git Using LDAP: yes Using Omniauth: no

GitLab Shell Version: 3.6.6 Repository storage paths:

  • default: /local/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks/ Git: /opt/gitlab/embedded/bin/git

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)