Signing in with ldap connector with @ character in samaccountname not possible


Summary

It is not possible to sign in with a user from LDAP which contains an @ character. When searching in LDAP via the rake console, the user is found.

Steps to reproduce

  1. Define LDAP auth to a directory with a user whose uid/samaccountname contains an @ character
  2. Log in with a username which contains an @ character

Example Project

What is the current bug behavior?

Error message: Could not authenticate you from Ldapmain because "Invalid credentials for test@test.com".

What is the expected correct behavior?

Successful Login

Relevant logs and/or screenshots

production.log

Started POST "/users/auth/ldapmain/callback" for ::9 at 2023-02-03 17:29:42 +0100
Processing by SessionsController#new as HTML
  Rendered layout layouts/devise.html.haml (Duration: 17.1ms | Allocations: 10118)
Completed 200 OK in 34ms (Views: 17.0ms | ActiveRecord: 2.0ms | Elasticsearch: 0.0ms | Allocations: 15023)
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "username"=>"test@test.com", "password"=>"[FILTERED]"}

Rake console troubleshooting ldap

root@gitextern:~# sudo gitlab-rails console
--------------------------------------------------------------------------------
 Ruby:         ruby 2.7.7p221 (2022-11-24 revision 168ec2b1e5) [x86_64-linux]
 GitLab:       15.8.1 (383efe57adf) FOSS
 GitLab Shell: 14.15.0
 PostgreSQL:   12.12
------------------------------------------------------------[ booted in 24.51s ]
Loading production environment (Rails 6.1.6.1)
irb(main):003:0> adapter = Gitlab::Auth::Ldap::Adapter.new('ldapmain')
=> #:simple...

irb(main):009:0> Gitlab::Auth::Ldap::Person.find_by_uid('test@test.com', adapter)
=> #["uid=test@test.com,ou=user,dc=external,dc=test,dc=com"], :mail=>["test@test.com"], :samaccountname=>["test@test.com"], :cn=>["Ext Test User"]}>, @provider="ldapmain">

Our ldap logs

Feb  3 16:51:53 ldapproxy-ext1 slapd[134660]: conn=107613 op=2 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(?SAMACCOUNTNAME=test)(|(?MEMBEROF=cn=gitExtern,dc=win,dc=test,dc=com)(?MEMBEROF=cn=git-external,ou=group,dc=external,dc=test,dc=com)))"

Output of checks

Results of GitLab environment info

sudo gitlab-rake gitlab:env:info

System information
System:		Debian 11
Current User:	git
Using RVM:	no
Ruby Version:	2.7.7p221
Gem Version:	3.1.6
Bundler Version:2.3.15
Rake Version:	13.0.6
Redis Version:	6.2.8
Sidekiq Version:6.5.7
Go Version:	unknown

GitLab information
Version:	15.8.1
Revision:	383efe57adf
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	PostgreSQL
DB Version:	12.12
URL:		https://gitextern.test.com
HTTP Clone URL:	https://gitextern.test.com/some-group/some-project.git
SSH Clone URL:	git@gitextern.test.com:some-group/some-project.git
Using LDAP:	yes
Using Omniauth:	yes
Omniauth Providers: openid_connect

GitLab Shell
Version:	14.15.0
Repository storages:
- default: 	unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:		/opt/gitlab/embedded/service/gitlab-shell


Results of GitLab application Check


sudo gitlab-rake gitlab:check SANITIZE=true

Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ... GitLab Shell version >= 14.15.0 ? ... OK (14.15.0) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Internal API available: OK Redis available via internal API: OK gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ... Running? ... yes Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ... Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) User output sanitized. Found 100 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Cable config exists? ... yes Resque config exists? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units) Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units) Projects have namespace: ... Redis version >= 6.0.0? ... yes Ruby version >= 2.7.2 ? ... yes (2.7.7) Git user has default SSH configuration? ... yes Active users: ... 260 Is authorized keys file accessible? ... yes GitLab configured to store new projects in hashed storage? ... yes All projects are in hashed storage? ... yes

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Possible fixes

Edited by 🤖 GitLab Bot 🤖
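
The production.log and slapd excerpts in the report above can be compared mechanically: the login form posted `test@test.com`, while the LDAP search filter asks for `SAMACCOUNTNAME=test`. The following Ruby script is an added diagnostic example, not GitLab code and not part of the original report; the function names and status symbols are hypothetical. It assumes the two log lines belong to the same login attempt (the timestamps in the report differ, so pair lines from one request when running it on live logs).

```ruby
# Added diagnostic example (not GitLab code). Both lines are copied from the report above.
PRODUCTION_LOG = 'Parameters: {"authenticity_token"=>"[FILTERED]", "username"=>"test@test.com", "password"=>"[FILTERED]"}'
SLAPD_LOG = 'Feb  3 16:51:53 ldapproxy-ext1 slapd[134660]: conn=107613 op=2 SRCH base="dc=test,dc=com" scope=2 deref=0 filter="(&(?SAMACCOUNTNAME=test)(|(?MEMBEROF=cn=gitExtern,dc=win,dc=test,dc=com)(?MEMBEROF=cn=git-external,ou=group,dc=external,dc=test,dc=com)))"'

# Username posted to /users/auth/ldapmain/callback, as logged by Rails.
def submitted_username(rails_line)
  rails_line[/"username"=>"([^"]*)"/, 1]
end

# Split the logged search filter into its simple (attr=value) items.
# The leading "?" that slapd prints before attribute names is dropped,
# and attribute names are lowercased for comparison.
def filter_assertions(slapd_line)
  filter = slapd_line[/filter="(.*)"/, 1] or return []
  filter.scan(/\(\??([A-Za-z][\w;.-]*)=([^()]*)\)/)
        .map { |attr, value| [attr.downcase, value] }
end

# Compare the posted login with the value searched for under uid_attr.
def login_vs_search(rails_line, slapd_line, uid_attr: 'samaccountname')
  login = submitted_username(rails_line)
  searched = filter_assertions(slapd_line).to_h[uid_attr]
  status =
    if searched.nil? then :uid_attr_not_in_filter
    elsif searched == login then :match
    elsif login.to_s.start_with?("#{searched}@") then :domain_part_dropped
    else :mismatch
    end
  { login: login, searched: searched, status: status }
end

p login_vs_search(PRODUCTION_LOG, SLAPD_LOG) if __FILE__ == $PROGRAM_NAME
```

A `:domain_part_dropped` result means the directory was never asked about the full login name, which is consistent with the "Invalid credentials" error even though `find_by_uid` with the full value finds the entry.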