Google Secure LDAP No implicit conversion of openssl::pkey::rsa into string
Summary
After upgrading to GitLab v16.0.1, Google Secure LDAP started to throw:
Could not authenticate you from Ldapmain because "No implicit conversion of openssl::pkey::rsa into string".
Steps to reproduce
Configure Google Secure LDAP according to the doc Configuring GitLab.
What is the current bug behavior?
Could not authenticate you from Ldapmain because "No implicit conversion of openssl::pkey::rsa into string".
when trying to log in.
What is the expected correct behavior?
It should be possible to log in using Google Secure LDAP.
Relevant logs and/or screenshots
Error message from the logs:
```
TypeError (no implicit conversion of OpenSSL::PKey::RSA into String):
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/config.rb:280:in `read'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/config.rb:280:in `custom_tls_options'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/config.rb:258:in `tls_options'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/config.rb:233:in `encryption_options'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/config.rb:85:in `adapter_options'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/adapter.rb:13:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/access.rb:14:in `open'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/auth/ldap/access.rb:20:in `allowed?'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/user_access.rb:38:in `allowed?'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/git_access.rb:220:in `check_active_user!'
/opt/gitlab/embedded/service/gitlab-rails/ee/lib/ee/gitlab/git_access.rb:110:in `check_active_user!'
/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/git_access.rb:76:in `check'
/opt/gitlab/embedded/service/gitlab-rails/ee/lib/ee/gitlab/git_access.rb:18:in `check'
/opt/gitlab/embedded/service/gitlab-rails/lib/api/internal/base.rb:117:in `access_check!'
/opt/gitlab/embedded/service/gitlab-rails/lib/api/internal/base.rb:63:in `block in check_allowed'
/opt/gitlab/embedded/service/gitlab-rails/lib/api/internal/base.rb:141:in `with_admin_mode_bypass!'
/opt/gitlab/embedded/service/gitlab-rails/lib/api/internal/base.rb:62:in `check_allowed'
/opt/gitlab/embedded/service/gitlab-rails/ee/lib/ee/api/internal/base.rb:22:in `block in check_allowed'
/opt/gitlab/embedded/service/gitlab-rails/ee/lib/gitlab/ip_address_state.rb:10:in `with'
/opt/gitlab/embedded/service/gitlab-rails/ee/lib/ee/api/internal/base.rb:21:in `check_allowed'
/opt/gitlab/embedded/service/gitlab-rails/lib/api/internal/base.rb:165:in `block (2 levels) in <class:Base>'
/opt/gitlab/embedded/lib/ruby/gems/3.0.0/gems/grape-1.5.2/lib/grape/endpoint.rb:59:in `call'
/opt/gitlab/embedded/lib/ruby/gems/3.0.0/gems/grape-1.5.2/lib/grape/endpoint.rb:59:in `block (2 levels) in generate_api_method'
/opt/gitlab/embedded/lib/ruby/gems/3.0.0/gems/activesupport-6.1.7.2/lib/active_support/notifications.rb:205:in `instrument'
/opt/gitlab/embedded/lib/ruby/gems/3.0.0/gems/grape-1.5.2/lib/grape/endpoint.rb:58:in `block in generate_api_method'
/opt/gitlab/embedded/lib/ruby/gems/3.0.0/gems/grape-1.5.2/lib/grape/endpoint.rb:341:in `execute'
```
gitlab.rb LDAP configuration:
```ruby
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'Google Secure LDAP'
    host: 'ldap.google.com'
    port: 636
    uid: 'uid'
    bind_dn: 'XXXX'
    password: 'XXXXX'
    encryption: 'simple_tls'
    verify_certificates: false
    retry_empty_result_with_codes: [80]
    base: "DC=XX,DC=XX"
    tls_options:
      cert: |
        -----BEGIN CERTIFICATE-----
        XXXX
        -----END CERTIFICATE-----
      key: |
        -----BEGIN PRIVATE KEY-----
        XXXXX
        -----END PRIVATE KEY-----
EOS
```
```
gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP: ... Server: ldapmain
Exception: no implicit conversion of OpenSSL::PKey::RSA into String
Checking LDAP ... Finished
```
Possible fixes
In GitLab 15.11.x, we could access cert and key via `Gitlab::config.ldap.servers.main.tls_options.cert` and `Gitlab::config.ldap.servers.main.tls_options.key`. In GitLab 16.0.1, both commands give `nil`. See this comment for more details.
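
The TypeError in the trace above is what `OpenSSL::PKey.read` raises when it is handed an already-parsed key object instead of PEM text. The following added example is not GitLab's code: the helper names `naive_key`, `coerce_key` and `second_pass` are hypothetical, the key is a throwaway generated at run time, and converting the same options twice is an assumed way of arriving at that state. It reproduces the error and shows a conversion that accepts both forms.

```ruby
require 'openssl'

# Constructed sample: a throwaway RSA key generated at run time, standing in
# for the PEM text under tls_options.key. It is not taken from the issue.
SAMPLE_KEY_PEM = OpenSSL::PKey::RSA.new(2048).to_pem

# Naive conversion: assumes the value is always a PEM/DER String.
def naive_key(value)
  OpenSSL::PKey.read(value)
end

# Hypothetical idempotent conversion: accepts a PEM String or an
# already-parsed key, so a second pass over the same options is harmless.
def coerce_key(value)
  case value
  when nil then nil
  when OpenSSL::PKey::PKey then value
  when String then OpenSSL::PKey.read(value)
  else raise ArgumentError, "unsupported tls_options key type: #{value.class}"
  end
end

# Run a converter over the same options hash twice, mutating it in place,
# and report the result of the second pass (class name or the TypeError).
def second_pass(converter)
  opts = { key: SAMPLE_KEY_PEM }
  opts[:key] = send(converter, opts[:key]) # first pass: String -> key object
  opts[:key] = send(converter, opts[:key]) # second pass: key object goes in
  opts[:key].class.name
rescue TypeError => e
  "TypeError: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts second_pass(:naive_key)
  puts second_pass(:coerce_key)
end
```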