LDAP GroupSync doesn't work with a group_base defined with a cn
Zendesk Ticket: https://gitlab.zendesk.com/agent/tickets/119924
A customer is attempting to use GroupSync with the following configuration:
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '<redacted>'
    port: '7636'
    uid: 'uid'
    encryption: 'simple_tls'
    ca_file: '/etc/ssl/certs/<cert_name>.CA.pem'
    bind_dn: 'uid=<user>,cn=users,dc=xxx,dc=xxx,dc=xxx,dc=xx'
    password: '********'
    active_directory: false
    allow_username_or_email_login: false
    block_auto_created_users: false
    base: 'dc=xxx,dc=xxx,dc=xxx,dc=xx'
    verify_certificates: true
    ## EE only
    group_base: 'cn=groups,dc=xxx,dc=xxx,dc=xxx,dc=xx'
EOS
```
However, no groups are found. We ran the following in the Rails console:

```ruby
Rails.logger.level = Logger::DEBUG
LdapAllGroupsSyncWorker.new.perform
adapter = Gitlab::Auth::LDAP::Adapter.new('ldapmain')
ldap_group = EE::Gitlab::Auth::LDAP::Group.find_by_cn('customers', adapter)
adapter.groups
```
The GroupSync threw no errors, although it seemed like nothing was found. However, we received the following output from each of the last two commands:

```
LDAP search error: No Such Object
```

The DN for customers is `cn=customers,cn=groups,dc=xxx,dc=xxx,dc=xxx,dc=xx`, which falls directly under the `group_base`.
I see that the GroupSync docs state that the group_base has to be a base LDAP ‘container’, such as an ‘organization’ or ‘organizational unit’, that contains LDAP groups. I think this means that only an ou or dc will work as the group_base, but am not certain. Looking through the net-ldap gem, it looks like it expects a tree-base which the definition alludes to as an ou or dc, but this is also not clear.
In the end, is this a bug or is it expected? If this is expected, we should update the docs to clarify that only an ou or dc will work because some customers think that a cn qualifies as a container too.
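Added example, not code from the issue, from GitLab or from the net-ldap gem: an offline check that the DNs quoted in the report nest the way the text says they do. LDAP compares DNs on normalised RDNs, so a stray space or case mismatch between `group_base` and the real entry produces the same "No Such Object" (result code 32) as a container that genuinely does not exist; the `dc=xxx` values are the report's own redacted placeholders.

```ruby
# Added example (not from the GitLab issue or the net-ldap gem): an offline check
# that the DNs in the report nest as described. LDAP matches DNs on normalised
# RDNs, so a stray space or case mismatch between group_base and the real entry
# yields the same "No Such Object" (result code 32) as a missing container.
# Split a DN into RDN strings, honouring backslash escapes (RFC 4514).
def split_dn(dn)
  rdns, cur, i = [], +'', 0
  while i < dn.length
    if dn[i] == '\\'            # escaped char: keep it with the value
      cur << dn[i, 2]
      i += 1
    elsif dn[i] == ','          # unescaped comma ends the RDN
      rdns << cur
      cur = +''
    else
      cur << dn[i]
    end
    i += 1
  end
  rdns << cur
end

# Normalise one RDN: type and value lower-cased and trimmed (cn, ou and dc all
# use case-insensitive matching in standard schemas).
def normalize_rdn(rdn)
  type, value = rdn.split('=', 2)
  raise ArgumentError, "malformed RDN: #{rdn.inspect}" if value.nil?
  "#{type.strip.downcase}=#{value.strip.downcase}"
end

def normalize_dn(dn)
  split_dn(dn).map { |r| normalize_rdn(r) }
end

# True if dn is base or lies beneath it; RDNs are compared from the root end,
# so 'cn=groups,dc=x' is under 'dc=x' but not under 'ou=x'.
def under?(dn, base)
  d, b = normalize_dn(dn), normalize_dn(base)
  d.length >= b.length && d.last(b.length) == b
end

# "Falls directly under": exactly one RDN deeper than the base.
def direct_child?(dn, base)
  under?(dn, base) && normalize_dn(dn).length == normalize_dn(base).length + 1
end

if __FILE__ == $0
  group_base = 'cn=groups,dc=xxx,dc=xxx,dc=xxx,dc=xx'           # DNs from the report
  puts direct_child?('cn=customers,cn=groups,dc=xxx,dc=xxx,dc=xxx,dc=xx', group_base) # true
end
```

If the normalised `group_base` here matches the entry the server actually holds, a code-32 result points at the server side (the entry is absent or the bind user cannot see it) rather than at the `cn=` prefix.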