ldap auth failing on new gitlab server
Help, I can't get ldap working on my new gitlab server. Any ideas?
Oracle Linux 7 x64
gitlab-7.3.1_omnibus-1.el7.x86_64
gitlab.rb:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = '192.168.1.10'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_uid'] = 'sAMAccountName'
gitlab_rails['ldap_method'] = 'plain'
gitlab_rails['ldap_bind_dn'] = 'CN=ldapro,CN=special,DC=sss,DC=pp1,DC=xyzzy,DC=com'
gitlab_rails['ldap_password'] = 'secret'
gitlab_rails['ldap_allow_username_or_email_login'] = true
gitlab_rails['ldap_base'] = 'DC=sss,DC=pp1,DC=xyzzy,DC=com'
gitlab-ctl reconfigure
gitlab-tail
login as opennms user via webui (which I know works)
==> /var/log/gitlab/gitlab-rails/production.log <==
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-10-01 20:27:58 +0000
==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
I, [2014-10-01T20:27:58.649703 #28787] INFO -- omniauth: (ldap) Callback phase initiated.
E, [2014-10-01T20:28:03.658851 #28787] ERROR -- omniauth: (ldap) Authentication failure! invalid_credentials encountered.
==> /var/log/gitlab/gitlab-rails/production.log <==
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"M4VhQMxGa0TijXqb2O8ZWl662M4k674rAPIjfc83fmc=", "username"=>"opennms", "password"=>"[FILTERED]"}
Redirected to http://localhost/users/sign_in
Completed 302 Found in 47ms (ActiveRecord: 8.5ms)
==> /var/log/gitlab/nginx/gitlab_access.log <==
127.0.0.1 - - [01/Oct/2014:20:28:03 +0000] "POST /users/auth/ldap/callback HTTP/1.1" 302 107 "http://localhost/users/sign_in" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
==> /var/log/gitlab/gitlab-rails/production.log <==
Started GET "/users/sign_in" for 127.0.0.1 at 2014-10-01 20:28:03 +0000
Processing by SessionsController#new as HTML
Completed 200 OK in 155ms (Views: 40.3ms | ActiveRecord: 6.0ms)
==> /var/log/gitlab/nginx/gitlab_access.log <==
127.0.0.1 - - [01/Oct/2014:20:28:04 +0000] "GET /users/sign_in HTTP/1.1" 200 1852 "http://localhost/users/sign_in" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
This works. We see my 'special' group, the ldapro user, and the opennms user.
ldapsearch -v -H ldaps://192.168.1.10 -b "ou=special,dc=sss,dc=pp1,dc=xyzzy,dc=com" -D "cn=opennms,ou=special,dc=sss,dc=pp1,dc=xyzzy,dc=com" -W
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <ou=special,dc=sss,dc=pp1,dc=xyzzy,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# special, sss.pp1.xyzzy.com
dn: OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
objectClass: top
objectClass: organizationalUnit
ou: special
distinguishedName: OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
instanceType: 4
whenCreated: 20140505030204.0Z
whenChanged: 20140505030204.0Z
uSNCreated: 32800
uSNChanged: 32801
name: special
objectGUID:: aUrZJkKd1k2ocm2uPYQF0A==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=sss,DC=pp1,DC=xyzzy,DC=com
dSCorePropagationData: 20140505030204.0Z
dSCorePropagationData: 16010101000000.0Z
# ldapro, special, sss.pp1.xyzzy.com
dn: CN=ldapro,OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ldapro
givenName: ldapro
distinguishedName: CN=ldapro,OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
instanceType: 4
whenCreated: 20140612194124.0Z
whenChanged: 20140926232147.0Z
displayName: ldapro
uSNCreated: 53364
memberOf: CN=Administrators,CN=Builtin,DC=sss,DC=pp1,DC=xyzzy,DC=com
uSNChanged: 204325
name: ldapro
objectGUID:: Ow7Iyxp6wkuOQEomHShwig==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130566678211679687
lastLogoff: 0
lastLogon: 130566678244804687
pwdLastSet: 130501940866406250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAde1FhlvoyL1wYns+VAQAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: ldapro
sAMAccountType: 805306368
userPrincipalName: ldapro@sss.pp1.xyzzy.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=sss,DC=pp1,DC=xyzzy,DC=com
dSCorePropagationData: 20140718221939.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130562473075625000
# opennms, special, sss.pp1.xyzzy.com
dn: CN=opennms,OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: opennms
sn: Monitor
givenName: OpenNMS
distinguishedName: CN=opennms,OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
instanceType: 4
whenCreated: 20140718162525.0Z
whenChanged: 20140930220903.0Z
displayName: OpenNMS Monitor
uSNCreated: 58491
uSNChanged: 232941
name: opennms
objectGUID:: rCOFUikIpkGCP6wSSr+zKg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130566687482460937
lastLogoff: 0
lastLogon: 130566687565742187
pwdLastSet: 130501743252031250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAde1FhlvoyL1wYns+ZQQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: opennms
sAMAccountType: 805306368
userPrincipalName: opennms@sss.pp1.xyzzy.com
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=sss,DC=pp1,DC=xyzzy,DC=com
dSCorePropagationData: 20140718162525.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 130565875479648437
mail: opennms@xyxxy.com
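An added check, not from the post or from GitLab, that compares the bind DN configured in gitlab.rb against the DNs the ldapsearch output actually returned, and also flags a simple bind over unencrypted LDAP on port 389 (the ldapsearch that worked used ldaps). The gitlab.rb lines and the three DNs are constructed from the values in the post; nothing is queried live.

```python
import re

# Constructed sample input: the relevant gitlab.rb lines and the DNs that
# the ldapsearch output above returned (copied from the post, not queried).
GITLAB_RB = """
gitlab_rails['ldap_method'] = 'plain'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_bind_dn'] = 'CN=ldapro,CN=special,DC=sss,DC=pp1,DC=xyzzy,DC=com'
gitlab_rails['ldap_base'] = 'DC=sss,DC=pp1,DC=xyzzy,DC=com'
"""
LDIF = """
dn: OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
dn: CN=ldapro,OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
dn: CN=opennms,OU=special,DC=sss,DC=pp1,DC=xyzzy,DC=com
"""

def parse_gitlab_rb(text):
    """Return {key: value} for gitlab_rails['key'] = 'value' (or bare number/bool) lines."""
    pat = re.compile(r"gitlab_rails\['(\w+)'\]\s*=\s*'?([^'\n]*)'?")
    return dict(pat.findall(text))

def split_dn(dn):
    """Split a DN into [(attr, value), ...], lower-cased; escaped commas are not handled."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def ldif_dns(text):
    """Collect every 'dn:' line from an ldapsearch/LDIF dump."""
    return [line[4:].strip() for line in text.splitlines() if line.startswith("dn: ")]

def check_bind_dn(bind_dn, dns):
    """('ok', dn) when the bind DN exists (case-insensitive),
    ('rdn_type_mismatch', dn) when only the RDN attribute types differ
    (e.g. CN=special configured but OU=special in the directory),
    ('missing', None) otherwise."""
    want = split_dn(bind_dn)
    for dn in dns:
        if split_dn(dn) == want:
            return ("ok", dn)
    for dn in dns:
        if [v for _, v in split_dn(dn)] == [v for _, v in want]:
            return ("rdn_type_mismatch", dn)
    return ("missing", None)

def plaintext_bind(cfg):
    """True when a simple bind is configured over plain LDAP, i.e. the bind
    password and every user's password cross the network unencrypted."""
    return cfg.get("ldap_method") == "plain" and cfg.get("ldap_port") == "389"
```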