Undefined method provider' for nil:nilclass` shown at login page for new AD LDAP users if custom password length limits is set in GitLab

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Work on this issue
• Close this issue

Summary

If custom password length limits is set in GitLab, new AD LDAP users that try to login to GitLab for the first time will see the error at login page:

Could not authenticate you from Ldapmain because "Undefined method `provider' for nil:nilclass".

Steps to reproduce

• Set custom password length limit, reconfigure and restart GitLab
• Create new LDAP user with the password length meeting the defined requirements and try to login to GitLab

What is the current bug behavior?

The error will be shown on attempt to login for all new AD LDAP users (both with passwords that are longer and shorter than needed):

Could not authenticate you from Ldapmain because "Undefined method `provider' for nil:nilclass".

What is the expected correct behavior?

• No errors should be shown for LDAP users that has valid password length
• Clear error should be shown for LDAP users that have password length shorter than required

Relevant logs and/or screenshots

The following info is shown in logs:

==> /var/log/gitlab/gitlab-rails/production.log <==
Processing by Ldap::OmniauthCallbacksController#ldapmain as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"atata1", "password"=>"[FILTERED]"}

==> /var/log/gitlab/gitlab-rails/application.log <==
May 24, 2018 03:15: (LDAP) Error saving user cn=alexander testpassword,cn=users,dc=vosmaer,dc=com (atata1@domain.com): ["Password is too short (minimum is 14 characters)"]

==> /var/log/gitlab/gitlab-rails/production.log <==
Completed 500 Internal Server Error in 156ms (ActiveRecord: 8.0ms | Elasticsearch: 0.0ms)

==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
E, [2018-05-24T03:15:47.467214 #11758] ERROR -- omniauth: (ldapmain) Authentication failure! ldap_error: NoMethodError, undefined method `provider' for nil:NilClass

However, the password length is more than 14 symbols.

Additional info

• Custom password length works correctly for new/existing internal (non-LDAP) users and for existing LDAP users

• If custom password length is removed, new LDAP users can login successfully

• The behavior has been reproduced on a test set with GitLab 10.8

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info

System information
System:		Debian 8.10
Proxy:		no
Current User:	git
Using RVM:	no
Ruby Version:	2.3.7p456
Gem Version:	2.6.14
Bundler Version:1.13.7
Rake Version:	12.3.1
Redis Version:	3.2.11
Git Version:	2.16.3
Sidekiq Version:5.0.5
Go Version:	unknown
GitLab information
Version:	10.8.0-ee
Revision:	caa6172
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	postgresql
DB Version:	9.6.8
URL:		https://gitlabhost.tld
HTTP Clone URL:	https://gitlabhost.tld/some-group/some-project.git
SSH Clone URL:	git@gitlabhost.tld:some-group/some-project.git
Elasticsearch:	no
Geo:		no
Using LDAP:	yes
Using Omniauth:	yes
Omniauth Providers: google_oauth2, azure_oauth2
GitLab Shell
Version:	7.1.2
Repository storage paths:

• default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check

Checking GitLab Shell ...
GitLab Shell version >= 7.1.2 ? ... OK (7.1.2)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
1/1 ... repository is empty
1/2 ... repository is empty
1/3 ... repository is empty
1/4 ... ok
1/5 ... repository is empty
2/9 ... ok
1/10 ... repository is empty
1/11 ... ok
1/12 ... repository is empty
1/13 ... ok
1/15 ... ok
1/17 ... ok
1/18 ... repository is empty
1/19 ... ok
1/20 ... ok
8/21 ... ok
2/22 ... repository is empty
2/23 ... repository is empty
2/24 ... repository is empty
2/25 ... repository is empty
2/26 ... repository is empty
1/27 ... repository is empty
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
...
Init.d configured correctly? ... skipped
MailRoom running? ... skipped
Checking Reply by email ... Finished
Checking LDAP ...
Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
...
DN: cn=access control assistance operators,cn=builtin,dc=domain,dc=com	 sAMAccountName: Access Control Assistance Operators
DN: cn=account operators,cn=builtin,dc=domain,dc=com	 sAMAccountName: Account Operators
DN: cn=alex,cn=users,dc=domain,dc=com	 sAMAccountName: alexx
DN: cn=distributiongroup,ou=groups,dc=domain,dc=com	 sAMAccountName: DistributionGroup
...
Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
1/1 ... yes
1/2 ... yes
1/3 ... yes
1/4 ... yes
1/5 ... yes
2/9 ... yes
1/10 ... yes
1/11 ... yes
1/12 ... yes
1/13 ... yes
1/15 ... yes
1/17 ... yes
1/18 ... yes
1/19 ... yes
1/20 ... yes
8/21 ... yes
2/22 ... yes
2/23 ... yes
2/24 ... yes
2/25 ... yes
2/26 ... yes
1/27 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.7)
Git version >= 2.9.5 ? ... yes (2.16.3)
Git user has default SSH configuration? ... yes
Active users: ... 4
Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)
Checking GitLab ... Finished

/cc @stanhu @jeremy_