GitLab 9.4.2 fails to perform git-http operations when LDAP auth is enabled
Summary
After upgrading to GitLab Omnibus 9.4.2, operations (fetching, pushing, etc.) no longer work with LDAP authentication. Signing into the admin pages works, however.
The issue is not present in 9.4.1.
Steps to reproduce
We use the following config in /etc/gitlab/gitlab.rb. No cert is presented to GitLab. Proprietary or irrelevant lines have been removed.
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = [snip]
gitlab_rails['ldap_port'] = 636
gitlab_rails['ldap_uid'] = 'uid'
gitlab_rails['ldap_method'] = 'ssl' # 'ssl' or 'plain'
gitlab_rails['ldap_allow_username_or_email_login'] = false
Example Project
N/A
What is the current bug behavior?
Git client returns a 500 Internal Server error
What is the expected correct behavior?
Normal fetch/push/etc operations.
Relevant logs and/or screenshots
LDAP SSL certificate verification is disabled for backwards-compatibility.
Please add the "verify_certificates" option to gitlab.yml for each LDAP
server. Certificate verification will be enabled by default in GitLab 9.5.
[snip]
Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"usf", "project_id"=>"parsely.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 202ms (Views: 14.4ms | ActiveRecord: 6.7ms)
Started GET "/usf/parsely.git/info/refs?service=git-upload-pack" for 10.1.0.1 at 2017-07-30 09:22:05 -0500
Processing by Projects::GitHttpController#info_refs as */*
Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"usf", "project_id"=>"parsely.git"}
Completed 500 Internal Server Error in 289ms (ActiveRecord: 45.8ms)
Net::LDAP::Error (SSL_connect returned=1 errno=0 state=error: certificate verify failed):
lib/gitlab/ldap/authentication.rb:37:in `login'
lib/gitlab/ldap/authentication.rb:18:in `block in login'
lib/gitlab/ldap/authentication.rb:16:in `each'
lib/gitlab/ldap/authentication.rb:16:in `find'
lib/gitlab/ldap/authentication.rb:16:in `login'
lib/gitlab/auth.rb:60:in `block in find_with_user_password'
lib/gitlab/auth/unique_ips_limiter.rb:17:in `limit_user!'
lib/gitlab/auth.rb:51:in `find_with_user_password'
lib/gitlab/auth.rb:109:in `user_with_password_for_git'
lib/gitlab/auth.rb:34:in `find_for_git_client'
app/controllers/projects/git_http_client_controller.rb:98:in `handle_basic_authentication'
app/controllers/projects/git_http_client_controller.rb:34:in `authenticate_user'
lib/gitlab/i18n.rb:45:in `with_locale'
lib/gitlab/i18n.rb:51:in `with_user_locale'
app/controllers/application_controller.rb:294:in `set_locale'
lib/gitlab/performance_bar/peek_performance_bar_with_rack_body.rb:16:in `call'
lib/gitlab/middleware/multipart.rb:93:in `call'
lib/gitlab/request_profiler/middleware.rb:14:in `call'
lib/gitlab/middleware/go.rb:16:in `call'
lib/gitlab/etag_caching/middleware.rb:11:in `call'
lib/gitlab/request_context.rb:18:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
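The `certificate verify failed` error in the trace above is raised when the LDAP server's certificate cannot be validated by the TLS client. As an added example (not code from GitLab or from the reporter), the Ruby below builds a constructed CA and LDAPS server certificate and shows the same certificate passing verification only when its issuing CA is in the trust store, plus the host name check; `make_cert`, `chain_trusted?`, `demo` and the host `ldap.example.test` are hypothetical.

```ruby
require 'openssl'

# Build a certificate for the constructed test PKI (hypothetical helper).
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify a server certificate against an explicit list of trusted CAs,
# the chain check a TLS client performs when verification is enabled.
def chain_trusted?(server_cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |c| store.add_cert(c) }
  store.verify(server_cert)
end

# Constructed data only: a private CA and a server certificate it issued.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Internal CA', ca_key, ca: true)
  srv_key = OpenSSL::PKey::RSA.new(2048)
  srv = make_cert('ldap.example.test', srv_key, issuer: ca, issuer_key: ca_key)
  {
    without_ca: chain_trusted?(srv, []),   # issuing CA unknown to the client
    with_ca: chain_trusted?(srv, [ca]),    # issuing CA added to the trust store
    host_match: OpenSSL::SSL.verify_certificate_identity(srv, 'ldap.example.test'),
    host_mismatch: OpenSSL::SSL.verify_certificate_identity(srv, 'ldap-old.example.test')
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The failing case is resolved by trusting the issuing CA on the client side, which keeps verification on rather than turning it off.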