LDAP Auth Problem for new Users with SAML SSO enabled
Summary
When SAML SSO is enabled on an instance that previously used LDAP as the authentication method, new users are not able to pull via HTTPS using their LDAP credentials before they have initially logged in via LDAP.
Steps to reproduce
- Configure LDAP
- Configure SAML SSO
- Login with new user through SAML SSO
- Create a Project
- Try to pull this project via
git clone https://yourgitlab.example.com/newuser/newproject.git
- Enter LDAP credentials
Example Project
No example Project
What is the current bug behavior?
Users trying to pull via HTTPS using LDAP credentials are not able to pull.
What is the expected correct behavior?
Users trying to pull via HTTPS using LDAP credentials are able to pull. Their LDAP identity gets linked to their account, as happens when logging in via the web interface using LDAP credentials.
Relevant logs and/or screenshots
user error:
robin@robin-dev:~/test$ git clone https://git.fh-muenster.de/fhms111257/testproj.git
Cloning into 'testproj'...
Username for 'https://git.fh-muenster.de': fhms111257
Password for 'https://fhms111257@git.fh-muenster.de':
remote: HTTP Basic: Access denied
fatal: Authentication failed for 'https://git.fh-muenster.de/fhms111257/testproj.git/'
production.log:
Started GET "/fhms111257/testproj.git/info/refs?service=git-upload-pack" for 1.1.2.4 at 2020-12-01 19:59:18 +0100
Processing by Repositories::GitHttpController#info_refs as /
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"fhms111257", "repository_id"=>"testproj.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 9ms (Views: 0.5ms | ActiveRecord: 1.9ms | Elasticsearch: 0.0ms | Allocations: 3339)
Started GET "/fhms111257/testproj.git/info/refs?service=git-upload-pack" for 1.1.2.4 at 2020-12-01 19:59:18 +0100
Processing by Repositories::GitHttpController#info_refs as /
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"fhms111257", "repository_id"=>"testproj.git"}
Filter chain halted as :authenticate_user rendered or redirected
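The production.log excerpt above shows the pattern an administrator would look for when triaging this report: a git client always sends one credential-less request to info/refs first and expects a 401, so a single 401 per clone is normal, while a second :authenticate_user halt from the same client for the same namespace means the supplied credentials were rejected. The following script is an added example, not code from the report or from GitLab; it parses Rails-style production.log entries (straight quotes, as GitLab writes them), tolerates an entry whose Completed line is missing (as in the truncated excerpt above), and flags (namespace, client IP) pairs whose credentials were rejected. The log lines, usernames and IP addresses embedded in it are constructed.

```python
import re
from collections import Counter

# Constructed sample mirroring the shape of the report's production.log entries.
# Usernames and IPs are made up; the second entry deliberately lacks its
# "Completed" line, exactly as the truncated excerpt in the report does.
SAMPLE_LOG = """\
Started GET "/alice/proj.git/info/refs?service=git-upload-pack" for 10.0.0.5 at 2020-12-01 19:59:18 +0100
Processing by Repositories::GitHttpController#info_refs as /
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"alice", "repository_id"=>"proj.git"}
Filter chain halted as :authenticate_user rendered or redirected
Completed 401 Unauthorized in 9ms (Views: 0.5ms | ActiveRecord: 1.9ms | Elasticsearch: 0.0ms | Allocations: 3339)
Started GET "/alice/proj.git/info/refs?service=git-upload-pack" for 10.0.0.5 at 2020-12-01 19:59:18 +0100
Processing by Repositories::GitHttpController#info_refs as /
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"alice", "repository_id"=>"proj.git"}
Filter chain halted as :authenticate_user rendered or redirected
Started GET "/bob/other.git/info/refs?service=git-upload-pack" for 10.0.0.9 at 2020-12-01 20:01:02 +0100
Processing by Repositories::GitHttpController#info_refs as /
  Parameters: {"service"=>"git-upload-pack", "namespace_id"=>"bob", "repository_id"=>"other.git"}
Completed 200 OK in 25ms (Views: 1.0ms | ActiveRecord: 4.0ms | Elasticsearch: 0.0ms | Allocations: 5000)
"""

STARTED_RE = re.compile(r'^Started (\w+) "([^"]+)" for (\S+) at (.+)$')
PROCESSING_RE = re.compile(r'^Processing by (\S+) as')
NAMESPACE_RE = re.compile(r'"namespace_id"=>"([^"]*)"')
COMPLETED_RE = re.compile(r'^Completed (\d{3})')
HALTED_MARK = 'Filter chain halted as :authenticate_user'


def parse_production_log(text):
    """Group a Rails-style production.log into one dict per request.

    An entry begins at a 'Started ...' line and ends at the next 'Started'
    line or at end of input, so an entry without a 'Completed' line is still
    returned, with status None.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = STARTED_RE.match(line)
        if m:
            current = {
                "method": m.group(1), "path": m.group(2), "ip": m.group(3),
                "time": m.group(4), "controller": None, "namespace": None,
                "auth_halted": False, "status": None,
            }
            entries.append(current)
            continue
        if current is None:
            continue  # stray line before the first request; ignore it
        m = PROCESSING_RE.match(line)
        if m:
            current["controller"] = m.group(1)
            continue
        m = NAMESPACE_RE.search(line)
        if m:
            current["namespace"] = m.group(1)
            continue
        if HALTED_MARK in line:
            current["auth_halted"] = True
            continue
        m = COMPLETED_RE.match(line)
        if m:
            current["status"] = int(m.group(1))
    return entries


def git_http_auth_failures(entries):
    """Count Git-over-HTTPS requests stopped by :authenticate_user, keyed by
    (namespace, client IP). Each such request either got a 401 or never
    reached a 'Completed' line in the excerpt."""
    counts = Counter()
    for e in entries:
        if not (e["controller"] or "").startswith("Repositories::GitHttpController"):
            continue
        if e["auth_halted"] and e["status"] in (None, 401):
            counts[(e["namespace"], e["ip"])] += 1
    return counts


def rejected_credentials(entries):
    """(namespace, ip) pairs with more than one failure: the first 401 is the
    client's credential-less probe, a second one means the credentials the
    user typed were rejected, which is the behaviour the report describes."""
    return sorted(k for k, n in git_http_auth_failures(entries).items() if n >= 2)


if __name__ == "__main__":
    parsed = parse_production_log(SAMPLE_LOG)
    for namespace, ip in rejected_credentials(parsed):
        print(f"HTTPS git credentials rejected for namespace {namespace!r} from {ip}")
```

Run it against a real log with `parse_production_log(open("production.log").read())`; the same (namespace, ip) pair appearing with a high count is also the shape a password-guessing attempt leaves behind, so the counts are worth watching beyond this bug.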
Output of checks
Results of GitLab environment info
System information
System:          Debian 9.13
Proxy:           no
Current User:    git
Using RVM:       no
Ruby Version:    2.7.2p137
Gem Version:     3.1.4
Bundler Version: 2.1.4
Rake Version:    13.0.1
Redis Version:   5.0.9
Git Version:     2.29.0
Sidekiq Version: 5.2.9
Go Version:      unknown

GitLab information
Version:         13.6.1-ee
Revision:        a0e59de39b3
Directory:       /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:      PostgreSQL
DB Version:      11.9
URL:             https://git.fh-muenster.de
HTTP Clone URL:  https://git.fh-muenster.de/some-group/some-project.git
SSH Clone URL:   ssh://git@git.fh-muenster.de:2323/some-group/some-project.git
Elasticsearch:   yes
Geo:             no
Using LDAP:      yes
Using Omniauth:  yes
Omniauth Providers: saml

GitLab Shell
Version:         13.13.0
Repository storage paths:
- default:       /srv/gitlab-data/git-data/repositories
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell
Git:             /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.13.0 ? ... OK (13.13.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Checking Reply by email ...
IMAP server credentials are correct? ... Checking fhms658679 yes
Init.d configured correctly? ... skipped
MailRoom running? ... skipped
Checking Reply by email ... Finished
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
4/2 ... yes
4/5 ... yes
5121/8050 ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.7.2)
Git version >= 2.29.0 ? ... yes (2.29.0)
Git user has default SSH configuration? ... yes
Active users: ... 3922
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished