LDAP integration generates massive amount of invalid logins
Summary
I have updated to Version 14.1.2 yesterday since then the are huge amounts of invalid logins via LDAP on the configured AD Controller. This locks affacted ad accounts.
We have registered over 5000 failed log in events in the last 12h.
Steps to reproduce
Unclear, update to version 14.1.2 with unkown prerequisites
Current LDAP configuration:
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'AD'
host: '192.168.X.Y'
port: 636
uid: 'sAMAccountName'
bind_dn: '<USER>'
password: '<PW>'
encryption: 'simple_tls' # "start_tls" or "simple_tls" or "plain"
verify_certificates: false
smartcard_auth: false
active_directory: true
lowercase_usernames: false
block_auto_created_users: false
base: 'OU=Users,DC=example,DC=de'
user_filter: '(objectclass=user)'
attributes:
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
EOSWhat is the current bug behavior?
In irregular intervalls a huge amount of invalid logins of different a sent to the domain controller within ca. 3 mins then there is some pause then the behaivor repeats.
What is the expected correct behavior?
No invalid login attempts on the dc
Relevant logs and/or screenshots
In the production log there are only around 20 LDAP appearances of legitamate logins.
Same for application log there are like 5 invalid credential errors but nothing like the registered flood.
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Ubuntu 18.04 Current User: git Using RVM: no Ruby Version: 2.7.2p137 Gem Version: 3.1.4 Bundler Version:2.1.4 Rake Version: 13.0.3 Redis Version: 6.0.14 Git Version: 2.32.0 Sidekiq Version:5.2.9 Go Version: unknown GitLab information Version: 14.1.2 Revision: 8c67b499146 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: PostgreSQL DB Version: 12.6 URL: https://git.example.de HTTP Clone URL: https://git.example.de/some-group/some-project.git SSH Clone URL: git@git.example.de:some-group/some-project.git Using LDAP: yes Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 13.19.1 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain not verifying SSL hostname of LDAPS server '192.168.X.Y:636' LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 4/1 ... yes 4/4 ... yes 4/5 ... yes 4/6 ... yes 5/7 ... yes 2/8 ... yes 4/9 ... yes 3/10 ... yes 3/11 ... yes 14/12 ... yes 3/13 ... yes 13/14 ... yes 18/15 ... yes 19/16 ... yes 19/17 ... yes 19/18 ... yes 19/19 ... yes 19/20 ... yes 19/21 ... yes 3/22 ... yes 19/23 ... yes 19/24 ... yes 19/25 ... yes 13/26 ... yes 19/27 ... yes 23/28 ... yes 32/33 ... yes 13/34 ... yes 13/35 ... yes 36/36 ... yes 31/39 ... yes 41/40 ... yes 46/42 ... yes 47/43 ... yes 51/44 ... yes 36/45 ... yes 47/46 ... yes 42/47 ... yes 52/48 ... yes 38/49 ... yes 35/50 ... yes 56/52 ... yes 56/53 ... yes 2/54 ... yes 13/55 ... yes 60/57 ... yes 32/59 ... yes 58/60 ... yes 44/62 ... yes 34/63 ... yes 13/64 ... yes 13/65 ... yes 13/66 ... yes 13/67 ... yes 66/68 ... yes 66/69 ... yes 68/70 ... yes 13/71 ... yes 73/72 ... yes 13/73 ... yes 13/74 ... yes 75/75 ... yes 60/76 ... yes 59/77 ... yes 79/78 ... yes 66/79 ... yes 46/80 ... yes 42/81 ... yes 81/82 ... yes 66/83 ... yes 126/84 ... yes 13/85 ... yes 88/87 ... yes 2/88 ... yes 88/89 ... yes 66/90 ... yes 49/91 ... yes 49/92 ... yes 33/93 ... yes 88/94 ... yes 42/95 ... yes 49/97 ... yes 98/98 ... yes 42/99 ... yes 100/102 ... yes 101/103 ... yes 60/104 ... yes 98/105 ... yes 41/107 ... yes 107/108 ... yes 109/109 ... yes 107/110 ... yes 24/111 ... yes 88/115 ... yes 100/121 ... yes 59/122 ... yes 87/123 ... yes 107/124 ... yes 98/126 ... yes 29/127 ... yes 122/129 ... yes 124/131 ... yes 114/132 ... yes 123/133 ... yes 36/134 ... yes 109/135 ... yes 125/136 ... yes 29/137 ... yes 126/139 ... yes 113/140 ... yes 113/141 ... yes 126/142 ... yes 134/144 ... yes 134/145 ... yes 126/147 ... yes 121/148 ... yes 36/149 ... yes 121/150 ... yes 128/151 ... yes 36/152 ... yes 42/153 ... yes 114/155 ... yes 46/156 ... yes 115/157 ... yes Redis version >= 5.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.2) Git version >= 2.31.0 ? ... yes (2.32.0) Git user has default SSH configuration? ... yes Active users: ... 99 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished