LDAP bind_dn without password breaks GroupSync
Zendesk ticket (internal link): https://gitlab.zendesk.com/agent/tickets/95203
The solution found was to give the bind_dn
user a password.
A customer is attempting to setup GroupSync. His current configuration is as follows:
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'LDAP'
host: 'LDAP'
port: 389
uid: 'uid'
bind_dn: 'ou=people,dc=xxxxxxx,dc=com'
password: ''
encryption: 'start_tls' # "start_tls" or "simple_tls" or "plain"
verify_certificates: true
ca_file: '/etc/xxx/xxx/xxx/ldap-ca-bundle.pem'
active_directory: false
allow_username_or_email_login: false
lowercase_usernames: true
block_auto_created_users: false
base: 'ou=people,dc=xxxxxxx,dc=com'
#user_filter: ''
## EE only
group_base: 'ou=groups,dc=xxxxxxx,dc=com'
admin_group: 'gitlab_admin'
#sync_ssh_keys: false
EOS
The users correctly sync and they're able to login. The admin_group
also correctly sync the admins, which the customer confirmed in the UI and I confirmed by running LdapAllGroupsSyncWorker.new.perform
in the rails console. However, this same group, gitlab_admin
, is NOT found in the UI, at /groups/<group>/-/ldap_group_links
. No groups are found here, even though they exist on the LDAP server and are not nested.
Additionally, attempting to find the group in the rails console gives the following error:
irb(main):001:0> adapter = Gitlab::LDAP::Adapter.new('ldapmain')
=> #<Gitlab::LDAP::Adapter:0x00007f6be8ee9908 @provider="ldapmain", @ldap=*******#*******<*******N*******e*******t*******:*******:*******L*******D*******A*******P*******:*******0*******x*******0*******0*******0*******0*******7*******f*******6*******b*******e*******8*******e*******e*******9*******4*******a*******8******* *******@*******h*******o*******s*******t*******=*******"*******L*******D*******A*******P*******"*******,******* *******@*******p*******o*******r*******t*******=*******3*******8*******9*******,******* *******@*******h*******o*******s*******t*******s*******=*******n*******i*******l*******,******* *******@*******v*******e*******r*******b*******o*******s*******e*******=*******f*******a*******l*******s*******e*******,******* *******@*******a*******u*******t*******h*******=*******{*******:*******m*******e*******t*******h*******o*******d*******=*******>*******:*******s*******i*******m*******p*******l*******e*******,******* *******:*******u*******s*******e*******r*******n*******a*******m*******e*******=*******>*******...<MORE OF THE SAME, REDACTED FOR THE PUBLIC ISSUE; SEE THE TICKET FOR DETAILS>...*******@*******c*******o*******n*******n*******e*******c*******t*******_*******t*******i*******m*******e*******o*******u*******t*******=*******n*******i*******l*******,******* *******@*******i*******n*******s*******t*******r*******u*******m*******e*******n*******t*******a*******t*******i*******o*******n*******_*******s*******e*******r*******v*******i*******c*******e*******=*******n*******i*******l*******,******* *******@*******o*******p*******e*******n*******_*******c*******o*******n*******n*******e*******c*******t*******i*******o*******n*******=*******n*******i*******l*******>*******>
irb(main):002:0> ldap_group = EE::Gitlab::LDAP::Group.find_by_cn('gitlab_admin', adapter)
LDAP search error: Unwilling to perform
=> nil
No GitLab code was changed. The customer even upgraded from 10.5.5-ee and 10.7.1-ee while on a call and the problem persisted.
The solution was to give the bind_dn
user a password. With a password, the adapter
output normalizes and GroupSync works again. In that case, this is a bug that has to be fixed.