"docker login" to self-hosted omnibus gitlab registry requires a previous LDAP password (no sync?)

Summary

On a self-hosted GitLab Omnibus installation that has the GitLab registry running and LDAP synchronisation enabled, `docker login registry-gitlab.example.com -u jdoe` will only succeed with the initial LDAP password.

Our LDAP forces us to change our passwords every 6 months. To log in, I have to use my previous password, not my current one.

Steps to reproduce

  • Install GitLab Omnibus, activate the registry, activate LDAP sync.
  • Create a user, log in to GitLab, log in to the registry with `docker login`.
  • Change the user's password.
  • Remove `.docker/config.json`, try to log in with the new password.
  • Login fails.

Note: no 2FA is used.

What is the current bug behavior?

See above.

What is the expected correct behavior?

GitLab registry login credentials should be identical to the current LDAP password.

Relevant logs and/or screenshots

Instance is gitlab.example.com.

Relevant `/etc/gitlab/gitlab.rb`

```ruby
registry_external_url 'https://registry-gitlab.example.com:5001'

### Settings used by GitLab application
# gitlab_rails['registry_enabled'] = true
# gitlab_rails['registry_host'] = "registry.example.com"
# gitlab_rails['registry_port'] = "5005"
# gitlab_rails['registry_path'] = "/var/opt/gitlab/gitlab-rails/shared/registry"

###! **Do not change the following 3 settings unless you know what you are
###!   doing**
# gitlab_rails['registry_api_url'] = "http://localhost:5000"
# gitlab_rails['registry_key_path'] = "/var/opt/gitlab/gitlab-rails/certificate.key"
# gitlab_rails['registry_issuer'] = "omnibus-gitlab-issuer"

### Settings used by Registry application
# registry['enable'] = true
# registry['username'] = "registry"
# registry['group'] = "registry"
# registry['uid'] = nil
# registry['gid'] = nil
# registry['dir'] = "/var/opt/gitlab/registry"
# registry['registry_http_addr'] = "localhost:5000"
# registry['debug_addr'] = "localhost:5001"
# registry['log_directory'] = "/var/log/gitlab/registry"
# registry['env_directory'] = "/opt/gitlab/etc/registry/env"
# registry['env'] = {
#   'SSL_CERT_DIR' => "/opt/gitlab/embedded/ssl/certs/"
# }
# registry['log_level'] = "info"
# registry['log_formatter'] = "text"
# registry['rootcertbundle'] = "/var/opt/gitlab/registry/certificate.crt"
# registry['health_storagedriver_enabled'] = true
# registry['storage_delete_enabled'] = true
# registry['validation_enabled'] = false
# registry['autoredirect'] = false
# registry['compatibility_schema1_enabled'] = false

### Registry backend storage
###! Docs: https://docs.gitlab.com/ce/administration/container_registry.html#container-registry-storage-driver
# registry['storage'] = {
#   's3' => {
#     'accesskey' => 'AKIAKIAKI',
#     'secretkey' => 'secret123',
#     'region' => 'us-east-1',
#     'bucket' => 'gitlab-registry-bucket-AKIAKIAKI'
#   }
# }

### Registry notifications endpoints
# registry['notifications'] = [
#   {
#     'name' => 'test_endpoint',
#     'url' => 'https://gitlab.example.com/notify2',
#     'timeout' => '500ms',
#     'threshold' => 5,
#     'backoff' => '1s',
#     'headers' => {
#       "Authorization" => ["AUTHORIZATION_EXAMPLE_TOKEN"]
#     }
#   }
# ]
```
Relevant `/var/opt/gitlab/registry/config.yml`

```yaml
version: 0.1
log:
  level: info
  formatter: text
  fields:
    service: registry
    environment: production
storage: {"filesystem":{"rootdirectory":"/var/opt/gitlab/gitlab-rails/shared/registry"},"cache":{"blobdescriptor":"inmemory"},"delete":{"enabled":true}}
http:
  addr: localhost:5000
  secret: "7c4e76d019a6a1734d18d9efa7437d2fcdf4e81b756259771d0fd25894a68dea1b7a2377b4c590f86efc68c623044debf32c6c2e1c2cda0eb91128f09035ba30"
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
auth:
  token:
    realm: https://gitlab.example.com/jwt/auth
    service: container_registry
    issuer: omnibus-gitlab-issuer
    rootcertbundle: /var/opt/gitlab/registry/gitlab-registry.crt
    autoredirect: false
validation:
  disabled: true
```

Output of checks


Results of GitLab environment info


```text
$ sudo gitlab-rake gitlab:env:info

System information
System:         Debian 8.11
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.6.3p62
Gem Version:    2.7.9
Bundler Version:1.17.3
Rake Version:   12.3.2
Redis Version:  3.2.12
Git Version:    2.22.0
Sidekiq Version:5.2.7
Go Version:     unknown

GitLab information
Version:        12.3.3-ee
Revision:       47e969b011f
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     10.9
URL:            https://gitlab.XXXXXXXX.com
HTTP Clone URL: https://gitlab.XXXXXXXX.com/some-group/some-project.git
SSH Clone URL:  git@gitlab.XXXXXXXX.com:some-group/some-project.git
Elasticsearch:  yes
Geo:            no
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        10.0.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:  /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git
```

Results of GitLab application Check


```text
Checking LDAP ...

LDAP: ... Server: ldapmain
not verifying SSL hostname of LDAPS server 'ad01.XXXXX.com:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 75 users of 100 limit.
Server: ldapad02
not verifying SSL hostname of LDAPS server 'ad02.XXXXX.com:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 75 users of 100 limit.
Server: ldapad03
not verifying SSL hostname of LDAPS server 'ad03.XXXXX.com:389'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 75 users of 100 limit.
```

Possible fixes

None.

No workaround has been found, since using a token is not possible, as this enables only read access and no write access.

Edited Oct 04, 2019 by Julien Lecomte
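The registry in the posted `config.yml` authenticates through a bearer-token realm (`auth.token.realm: https://gitlab.example.com/jwt/auth`), so a `docker login` is, underneath, an HTTP Basic request to that GitLab endpoint. The script below is an added example for this issue, not code from the reporter or from GitLab: it reproduces the steps above against the token endpoint directly, which takes the docker client and anything it may have stored (`~/.docker/config.json`, a credential helper) out of the loop, and then decodes the returned token's `access` claim to show which actions GitLab granted, which is what decides push versus pull-only access. The registry URL, the project path, and the alg=none token used for the offline test are placeholders (assumptions); adjust the first two for your instance. The token is decoded without verifying its signature, so this is a diagnostic, not an auth check.

```python
"""Probe GitLab's registry token endpoint directly, without the docker client.

Added example for this issue, not GitLab's code. REGISTRY and REPO are
placeholders (assumption) taken from the posted config and must be adjusted.
"""
import base64
import getpass
import json
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

REGISTRY = "https://registry-gitlab.example.com:5001"  # assumption: from the posted gitlab.rb
REPO = "some-group/some-project"                       # assumption: placeholder project path


def parse_bearer_challenge(header):
    """Parse a `Www-Authenticate: Bearer realm="..",service="..",scope=".."` value.

    The registry sends this on an unauthenticated GET /v2/; it is the only
    place the client learns the token realm (here /jwt/auth on GitLab).
    """
    m = re.match(r"\s*Bearer\s+(.*)", header, re.I)
    if not m:
        raise ValueError("not a Bearer challenge: %r" % header)
    params = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
    if "realm" not in params:
        raise ValueError("Bearer challenge without realm")
    return params


def build_token_url(challenge, scope=""):
    """Build the token request URL the docker client would GET for `scope`."""
    query = {}
    if "service" in challenge:
        query["service"] = challenge["service"]
    query["scope"] = scope or challenge.get("scope", "")
    return challenge["realm"] + "?" + urllib.parse.urlencode(query)


def decode_jwt_claims(token):
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def granted_actions(claims, repo):
    """Actions (pull/push) the token's `access` claim grants on one repository."""
    actions = set()
    for entry in claims.get("access", []):
        if entry.get("type") == "repository" and entry.get("name") == repo:
            actions.update(entry.get("actions", []))
    return actions


def make_unsigned_jwt(claims):
    """Constructed alg=none token for offline testing only; GitLab signs its tokens."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."


def probe(user, password, repo=REPO):
    """Request a push,pull token with HTTP Basic auth; return the granted actions.

    Raises urllib.error.HTTPError (401) when GitLab rejects the credentials,
    which is the server-side equivalent of the failing `docker login`.
    """
    try:
        urllib.request.urlopen(REGISTRY + "/v2/", timeout=10)
        raise RuntimeError("registry did not challenge for authentication")
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise
        challenge = parse_bearer_challenge(err.headers["Www-Authenticate"])
    url = build_token_url(challenge, "repository:%s:push,pull" % repo)
    basic = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + basic})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    token = body.get("token") or body.get("access_token")
    return granted_actions(decode_jwt_claims(token), repo)


if __name__ == "__main__":
    # usage: python3 probe.py <username>; the password is prompted for so it
    # does not land in shell history or the process list.
    password = getpass.getpass("LDAP password: ")
    try:
        print("granted actions:", sorted(probe(sys.argv[1], password)))
    except urllib.error.HTTPError as err:
        print("token request failed with HTTP", err.code, file=sys.stderr)
        sys.exit(1)
```

Run it once with the current LDAP password and once with the previous one. A 401 from `/jwt/auth` for the current password, with the docker client not involved at all, places the problem on the GitLab side of the LDAP check; a token for the old one shows which credential GitLab is actually validating. The printed `access` actions also show whether a given credential is being granted `push` or only `pull`.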