`Undefined method `provider' for nil:nilclass` shown at login page for new AD LDAP users if custom password length limits is set in GitLab
Summary
If custom password length limits is set in GitLab, new AD LDAP users that try to login to GitLab for the first time will see the error at login page:
Could not authenticate you from Ldapmain because "Undefined method `provider' for nil:nilclass".
Steps to reproduce
- Set custom password length limit, reconfigure and restart GitLab
- Create new LDAP user with the password length meeting the defined requirements and try to login to GitLab
What is the current bug behavior?
The error will be shown on attempt to login for all new AD LDAP users (both with passwords that are longer and shorter than needed):
Could not authenticate you from Ldapmain because "Undefined method `provider' for nil:nilclass".
What is the expected correct behavior?
- No errors should be shown for LDAP users that has valid password length
- Clear error should be shown for LDAP users that have password length shorter than required
Relevant logs and/or screenshots
The following info is shown in logs:
==> /var/log/gitlab/gitlab-rails/production.log <==
Processing by Ldap::OmniauthCallbacksController#ldapmain as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"atata1", "password"=>"[FILTERED]"}
==> /var/log/gitlab/gitlab-rails/application.log <==
May 24, 2018 03:15: (LDAP) Error saving user cn=alexander testpassword,cn=users,dc=vosmaer,dc=com (atata1@domain.com): ["Password is too short (minimum is 14 characters)"]
==> /var/log/gitlab/gitlab-rails/production.log <==
Completed 500 Internal Server Error in 156ms (ActiveRecord: 8.0ms | Elasticsearch: 0.0ms)
==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
E, [2018-05-24T03:15:47.467214 #11758] ERROR -- omniauth: (ldapmain) Authentication failure! ldap_error: NoMethodError, undefined method `provider' for nil:NilClass
However, the password length is more than 14 symbols.
Additional info
-
Custom password length works correctly for new/existing internal (non-LDAP) users and for existing LDAP users
-
If custom password length is removed, new LDAP users can login successfully
-
The behavior has been reproduced on a test set with GitLab 10.8
Output of checks
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Debian 8.10 Proxy: no Current User: git Using RVM: no Ruby Version: 2.3.7p456 Gem Version: 2.6.14 Bundler Version:1.13.7 Rake Version: 12.3.1 Redis Version: 3.2.11 Git Version: 2.16.3 Sidekiq Version:5.0.5 Go Version: unknown
GitLab information Version: 10.8.0-ee Revision: caa6172 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql DB Version: 9.6.8 URL: https://gitlabhost.tld HTTP Clone URL: https://gitlabhost.tld/some-group/some-project.git SSH Clone URL: git@gitlabhost.tld:some-group/some-project.git Elasticsearch: no Geo: no Using LDAP: yes Using Omniauth: yes Omniauth Providers: google_oauth2, azure_oauth2
GitLab Shell Version: 7.1.2 Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Checking GitLab Shell ...
GitLab Shell version >= 7.1.2 ? ... OK (7.1.2) Repo base directory exists? default... yes Repo storage directories are symlinks? default... no Repo paths owned by git:root, or git:git? default... yes Repo paths access is drwxrws---? default... yes hooks directories in repos are links: ... 1/1 ... repository is empty 1/2 ... repository is empty 1/3 ... repository is empty 1/4 ... ok 1/5 ... repository is empty 2/9 ... ok 1/10 ... repository is empty 1/11 ... ok 1/12 ... repository is empty 1/13 ... ok 1/15 ... ok 1/17 ... ok 1/18 ... repository is empty 1/19 ... ok 1/20 ... ok 8/21 ... ok 2/22 ... repository is empty 2/23 ... repository is empty 2/24 ... repository is empty 2/25 ... repository is empty 2/26 ... repository is empty 1/27 ... repository is empty Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished ... Init.d configured correctly? ... skipped MailRoom running? ... skipped
Checking Reply by email ... Finished
Checking LDAP ...
Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) ... DN: cn=access control assistance operators,cn=builtin,dc=domain,dc=com sAMAccountName: Access Control Assistance Operators DN: cn=account operators,cn=builtin,dc=domain,dc=com sAMAccountName: Account Operators DN: cn=alex,cn=users,dc=domain,dc=com sAMAccountName: alexx DN: cn=distributiongroup,ou=groups,dc=domain,dc=com sAMAccountName: DistributionGroup ... Checking LDAP ... Finished
Checking GitLab ...
Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 1/1 ... yes 1/2 ... yes 1/3 ... yes 1/4 ... yes 1/5 ... yes 2/9 ... yes 1/10 ... yes 1/11 ... yes 1/12 ... yes 1/13 ... yes 1/15 ... yes 1/17 ... yes 1/18 ... yes 1/19 ... yes 1/20 ... yes 8/21 ... yes 2/22 ... yes 2/23 ... yes 2/24 ... yes 2/25 ... yes 2/26 ... yes 1/27 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.3.7) Git version >= 2.9.5 ? ... yes (2.16.3) Git user has default SSH configuration? ... yes Active users: ... 4 Elasticsearch version 5.1 - 5.5? ... skipped (elasticsearch is disabled)
Checking GitLab ... Finished