Gitlab keeps locking LDAP accounts when using personal access tokens in v14.2.4-ee
Summary
Each docker pull requests a registry token from GitLab using a personal access token, and GitLab authorizes the request (response 200), but at the same time it attempts an LDAP bind for the same user (3 attempts). The docker image is pulled successfully, but LDAP responds with Invalid credentials because the bind does not use user_ldap_password as the password, but the GitLab personal access token.
Similar issue: gitlab-foss#30220 (closed)
Steps to reproduce
Create a GitLab user with the same username as the LDAP user. Pull a docker image with the personal access token. You successfully get the docker image, but the LDAP failed login attempts increase until the user gets locked.
What is the current bug behavior?
Pull a docker image with a personal access token. LDAP failed login attempts increase until the user gets locked.
What is the expected correct behavior?
Pull a docker image with username and personal access token. No LDAP failed login attempts are recorded and the user does not get locked.
Relevant logs and/or screenshots
Log from gitlab:
[root@gitlab-server/var/log/gitlab/gitlab-rails]# tail -f production.log | grep username1 -A 3 -B 3
Processing by SessionsController#new as HTML
Rendered layout layouts/devise.html.haml (Duration: 18.7ms | Allocations: 11589)
Completed 200 OK in 28ms (Views: 18.6ms | ActiveRecord: 1.1ms | Elasticsearch: 0.0ms | Allocations: 15776)
Started GET "/jwt/auth?account=username1&scope=repository%3Aaccounts%2Fapi%2Fsingle-sign-on%3Apull&service=container_registry" for 10.10.20.197 at 2022-03-03 17:41:55 +0700
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Completed 200 OK in 0ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 85)
Processing by JwtController#auth as HTML
Parameters: {"account"=>"usernme1", "scope"=>"repository:accounts/api/single-sign-on:pull", "service"=>"container_registry"}
Completed 200 OK in 35ms (Views: 0.2ms | ActiveRecord: 3.9ms | Elasticsearch: 0.0ms | Allocations: 9190)
Started GET "/" for ip-address at 2022-03-03 17:41:56 +0700
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Log from LDAP:
[root@freeipa-01 slapd-company]# tail -f /var/log/dirsrv/slapd-company/access | grep username1 -A 2 -B 2
[03/Mar/2022:16:51:11.473411787 +0700] conn=449832 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="altServer namingContexts supportedcapabilities supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms"
[03/Mar/2022:16:51:11.477143164 +0700] conn=449832 op=1 RESULT err=0 tag=101 nentries=1 etime=0.0003851715
[03/Mar/2022:16:51:11.478239319 +0700] conn=449832 op=2 SRCH base="cn=users,cn=accounts,dc=company,dc=com" scope=2 filter="(&(uid=username1)(memberOf=cn=gitlab-users,cn=groups,cn=accounts,dc=company,dc=com)(objectClass=posixAccount))" attrs=ALL
[03/Mar/2022:16:51:11.486509064 +0700] conn=449832 op=2 RESULT err=0 tag=101 nentries=1 etime=0.0008402171 notes=P pr_idx=0 pr_cookie=-1
[03/Mar/2022:16:51:11.488033867 +0700] conn=449832 op=3 BIND dn="uid=username1,cn=users,cn=accounts,dc=company,dc=com" method=128 version=3
[03/Mar/2022:16:51:11.489691225 +0700] conn=449832 op=3 RESULT err=49 tag=97 nentries=0 etime=0.0001748410 - Invalid credentials
[03/Mar/2022:16:51:11.490324327 +0700] conn=449832 op=-1 fd=737 closed - B1
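To confirm this pattern from the logs before a user is locked out, the following added example (not GitLab's or 389-ds's code) parses the two log formats quoted above, the GitLab production.log and the slapd access log, and reports users for whom GitLab answered 200 to /jwt/auth while LDAP recorded err=49 (Invalid credentials) binds for the same uid shortly afterwards. The log lines at the bottom are constructed samples with aligned clocks; the 5-second correlation window is an assumption.

```python
"""Correlate GitLab registry-token (/jwt/auth) successes with LDAP bind failures.

Added example for this issue, not GitLab's or 389-ds's own code. Sample log
lines are constructed; the correlation window is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Started GET "/jwt/auth?account=<user>&..." for <ip> at 2022-03-03 17:41:55 +0700
GITLAB_STARTED_RE = re.compile(
    r'Started GET "/jwt/auth\?[^"]*\baccount=([^&"]+)[^"]*" for \S+ at '
    r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})'
)
GITLAB_COMPLETED_RE = re.compile(r'^Completed (\d{3}) ')
# [03/Mar/2022:16:51:11.488033867 +0700] conn=449832 op=3 BIND dn="uid=<user>,...
LDAP_BIND_RE = re.compile(
    r'^\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4})\] '
    r'conn=(\d+) op=(\d+) BIND dn="uid=([^,"]+),'
)
LDAP_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')


def parse_gitlab(lines):
    """Return (account, timestamp, http_status) for each /jwt/auth request.

    production.log emits a RequestForgeryProtection 'Completed' line before the
    JwtController one, so only the 'Completed' that follows
    'Processing by JwtController#auth' is taken as the token request's status.
    """
    events, pending, in_jwt = [], None, False
    for line in lines:
        m = GITLAB_STARTED_RE.search(line)
        if m:
            pending = (m.group(1), datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S %z"))
            in_jwt = False
            continue
        if "Processing by JwtController#auth" in line:
            in_jwt = True
            continue
        m = GITLAB_COMPLETED_RE.match(line.strip())
        if m and pending and in_jwt:
            events.append((pending[0], pending[1], int(m.group(1))))
            pending, in_jwt = None, False
    return events


def parse_ldap(lines):
    """Return (uid, timestamp, err) per simple BIND, matched to its RESULT by conn/op."""
    events, open_binds = [], {}
    for line in lines:
        m = LDAP_BIND_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
            open_binds[(m.group(3), m.group(4))] = (m.group(5), ts)
            continue
        m = LDAP_RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in open_binds:
            uid, ts = open_binds.pop((m.group(1), m.group(2)))
            events.append((uid, ts, int(m.group(3))))
    return events


def correlate(gitlab_events, ldap_events, window=timedelta(seconds=5)):
    """Users whose successful token auth is followed within `window` by err=49 binds."""
    report = defaultdict(lambda: {"token_auth_ok": 0, "ldap_bind_failures": 0})
    matched = set()  # each LDAP failure is attributed to at most one token request
    for account, gl_ts, status in gitlab_events:
        if status != 200:
            continue
        report[account]["token_auth_ok"] += 1
        for i, (uid, ldap_ts, err) in enumerate(ldap_events):
            if i in matched or uid != account or err != 49:
                continue
            if timedelta(0) <= ldap_ts - gl_ts <= window:
                report[account]["ldap_bind_failures"] += 1
                matched.add(i)
    return {uid: c for uid, c in report.items() if c["ldap_bind_failures"]}


# Constructed sample logs (same shape as the quoted ones, clocks aligned).
GITLAB_LOG = """\
Started GET "/jwt/auth?account=username1&scope=repository%3Aaccounts%2Fapi%2Fsingle-sign-on%3Apull&service=container_registry" for 10.10.20.197 at 2022-03-03 17:41:55 +0700
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Completed 200 OK in 0ms (ActiveRecord: 0.0ms | Elasticsearch: 0.0ms | Allocations: 85)
Processing by JwtController#auth as HTML
Parameters: {"account"=>"username1", "scope"=>"repository:accounts/api/single-sign-on:pull", "service"=>"container_registry"}
Completed 200 OK in 35ms (Views: 0.2ms | ActiveRecord: 3.9ms | Elasticsearch: 0.0ms | Allocations: 9190)
Started GET "/jwt/auth?account=username2&scope=repository%3Ax%2Fy%3Apull&service=container_registry" for 10.10.20.198 at 2022-03-03 17:42:10 +0700
Processing by JwtController#auth as HTML
Completed 401 Unauthorized in 12ms (Views: 0.1ms | ActiveRecord: 2.0ms | Elasticsearch: 0.0ms | Allocations: 3000)
"""
LDAP_LOG = """\
[03/Mar/2022:17:41:55.488033867 +0700] conn=449832 op=3 BIND dn="uid=username1,cn=users,cn=accounts,dc=company,dc=com" method=128 version=3
[03/Mar/2022:17:41:55.489691225 +0700] conn=449832 op=3 RESULT err=49 tag=97 nentries=0 etime=0.0001748410 - Invalid credentials
[03/Mar/2022:17:41:56.100000000 +0700] conn=449833 op=3 BIND dn="uid=username1,cn=users,cn=accounts,dc=company,dc=com" method=128 version=3
[03/Mar/2022:17:41:56.101000000 +0700] conn=449833 op=3 RESULT err=49 tag=97 nentries=0 etime=0.0001000000 - Invalid credentials
[03/Mar/2022:17:41:56.700000000 +0700] conn=449834 op=3 BIND dn="uid=username1,cn=users,cn=accounts,dc=company,dc=com" method=128 version=3
[03/Mar/2022:17:41:56.701000000 +0700] conn=449834 op=3 RESULT err=49 tag=97 nentries=0 etime=0.0001000000 - Invalid credentials
[03/Mar/2022:17:42:10.200000000 +0700] conn=449835 op=3 BIND dn="uid=username2,cn=users,cn=accounts,dc=company,dc=com" method=128 version=3
[03/Mar/2022:17:42:10.201000000 +0700] conn=449835 op=3 RESULT err=49 tag=97 nentries=0 etime=0.0001000000 - Invalid credentials
[03/Mar/2022:17:43:00.000000000 +0700] conn=449836 op=3 BIND dn="uid=username3,cn=users,cn=accounts,dc=company,dc=com" method=128 version=3
[03/Mar/2022:17:43:00.001000000 +0700] conn=449836 op=3 RESULT err=0 tag=97 nentries=0 etime=0.0001000000
"""

if __name__ == "__main__":
    hits = correlate(parse_gitlab(GITLAB_LOG.splitlines()), parse_ldap(LDAP_LOG.splitlines()))
    for uid, c in hits.items():
        print(f"{uid}: {c['token_auth_ok']} token auth OK, "
              f"{c['ldap_bind_failures']} LDAP bind failures (lockout risk)")
```

Only binds that follow a 200 from /jwt/auth are counted, so a genuinely wrong password (username2 above, rejected with 401) is not mistaken for this bug. The two tails quoted in the report were captured at different times, so on real hosts the window must cover the clock offset between the GitLab and LDAP servers.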
Output of checks
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 13.19.1 ? ... OK (13.19.1)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 36 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
11/8 ... yes 14/11 ... yes 11/12 ... yes 11/13 ... yes 11/14 ... yes 11/16 ... yes 14/19 ... yes 22/20 ... yes 22/21 ... yes 22/22 ... yes 22/23 ... yes 132/24 ... yes 22/25 ... yes 21/26 ... yes 21/27 ... yes 21/28 ... yes 132/29 ... yes 132/30 ... yes 56/120 ... yes 2/122 ... yes 15/123 ... yes 9/124 ... yes 22/128 ... yes 11/129 ... yes 14/130 ... yes 72/131 ... yes 14/133 ... yes 14/136 ... yes 9/137 ... yes 39/138 ... yes 14/139 ... yes 164/140 ... yes 71/141 ... yes 72/142 ... yes 72/144 ... yes 9/145 ... yes 14/147 ... yes 38/149 ... yes 76/153 ... yes 76/154 ... yes 93/157 ... yes 32/162 ... yes 14/163 ... yes 11/165 ... yes 76/166 ... yes 88/167 ... yes 14/168 ... yes 72/169 ... yes 93/171 ... yes 76/265 ... yes 14/381 ... yes 93/382 ... yes 14/384 ... yes 32/385 ... yes 5/392 ... yes 11/393 ... yes 11/395 ... yes 14/396 ... yes 76/398 ... yes 76/399 ... yes 14/401 ... yes 103/403 ... yes 14/404 ... yes 51/405 ... yes 51/406 ... yes 32/409 ... yes 11/410 ... yes 214/411 ... yes 103/412 ... yes 14/414 ... yes 34/418 ... yes 13/420 ... yes 34/424 ... yes 73/425 ... yes 14/469 ... yes 14/680 ... yes11/796 ... yes 118/797 ... yes 321/828 ... yes 14/1188 ... yes 11/1189 ... yes 39/1190 ... yes 119/1191 ... yes 32/1192 ... yes 11/1194 ... yes 32/1295 ... yes 14/1296 ... yes 5/1300 ... yes 72/1301 ... yes 88/1302 ... yes 22/1303 ... yes 11/1304 ... yes 32/1305 ... yes 11/1307 ... yes 32/1308 ... yes 51/1322 ... yes 11/1434 ... yes 2/1435 ... yes 170/1436 ... yes 103/1447 ... yes
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.2)
Git version >= 2.31.0 ? ... yes (2.32.0)
Git user has default SSH configuration? ... yes
Active users: ... 34
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... no
Try fixing it:
Please migrate all projects to hashed storage
as legacy storage is deprecated in 13.0 and support will be removed in 14.0.
For more information see:
doc/administration/repository_storage_types.md
Elasticsearch version 7.x (6.4 - 6.x deprecated to be removed in 13.8)? ... yes (6.8.20)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished