Debugging LDAP
Notes
These notes assume an omnibus installation.
See the LDAP troubleshooting section of the GitLab docs.
Testing the LDAP server
- Install ldapsearch
- Check the LDAP settings. Edit the following values to match the LDAP configuration in gitlab.rb.
Example LDAP configuration
LDAP search switches
- -D = Bind DN
  GitLab config value: bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'
- -b = Search base
  GitLab config value: base: 'dc=ldap-testing,dc=mrchris,dc=me'
- -w = Password
  GitLab config value: password: 'Password1'
- -p = Port and -h = Host
  GitLab config values: port: 389 and host: 127.0.0.1
- -s = Search scope
  GitLab config value: none (the default scope is sub)
  Using the sub scope with the filter "(objectclass=*)" will return "all" objects under the base.
Get all LDAP objects for the base DN
LDAP error messages (production.log)
Could not find member DNs for LDAP group
This usually indicates an issue with the uid configuration value in gitlab.rb. The output of ldapsearch shows which attribute holds the LDAP username; in the example case it is uid, so ensure uid: 'uid' is set in the configuration. The default Microsoft Active Directory username attribute is sAMAccountName.
Cannot find LDAP group with CN 'GROUP_NAME'. Skipping
This indicates the configured admin_group name was not found (admin_group: 'gitlab_admin'). Ensure the group exists in AD and sits under the group_base.
LDAP search error: Invalid DN Syntax
This indicates a syntax error in one of the configured DNs. Check the following values and ensure each is the full DN:
- group_base
- bind_dn
- base
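The two checks above (the DN-valued settings behind "Invalid DN Syntax", and reading ldapsearch output to confirm the username attribute behind "Could not find member DNs") as a small Ruby script. This is an added example, not GitLab's code; the bind_dn and base values are the page's, while group_base and the LDIF sample are constructed.

```ruby
# Added diagnostic (not GitLab code): flags gitlab.rb DN settings that would trip
# "Invalid DN Syntax", and reads ldapsearch LDIF output to find the username attribute.
LDAP_SETTINGS = { 'bind_dn' => 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me',   # from the page
                  'base' => 'dc=ldap-testing,dc=mrchris,dc=me',               # from the page
                  'group_base' => 'ou=groups' }.freeze   # constructed: an RDN, not a full DN
# Simplified RFC 4514 rule: a full DN is two or more comma-separated attr=value RDNs.
RDN = /\A[A-Za-z][A-Za-z0-9-]*=[^,=]+\z/
def full_dn?(dn)
  return false if dn.nil? || dn.strip.empty?
  rdns = dn.split(',')
  rdns.size >= 2 && rdns.all? { |r| RDN.match?(r.strip) }
end
# Names of the DN settings that would cause "LDAP search error: Invalid DN Syntax".
def invalid_dn_settings(settings)
  %w[bind_dn base group_base].reject { |k| full_dn?(settings[k]) }
end
# Parse ldapsearch LDIF output into one {attribute => [values]} hash per entry.
def parse_ldif(text)
  text.split(/\n\s*\n/).map do |block|
    entry = Hash.new { |h, k| h[k] = [] }
    block.each_line do |line|
      next if line.start_with?('#') || !line.include?(':')
      attr, value = line.split(':', 2)
      entry[attr.strip] << value.strip
    end
    entry
  end.reject(&:empty?)
end
# The value for `uid:` is the attribute every user entry carries: uid on OpenLDAP-style
# directories, sAMAccountName on Active Directory. Returns nil if neither fits.
def username_attribute(entries, candidates = %w[uid sAMAccountName])
  users = entries.select { |e| e['objectClass'].any? { |c| c =~ /person|user/i } }
  candidates.find { |a| !users.empty? && users.all? { |e| e.key?(a) } }
end
SAMPLE_LDIF = <<~LDIF # constructed sample of ldapsearch "(objectclass=*)" output
  dn: uid=jane,ou=users,dc=ldap-testing,dc=mrchris,dc=me
  objectClass: inetOrgPerson
  uid: jane

  dn: cn=gitlab_admin,ou=groups,dc=ldap-testing,dc=mrchris,dc=me
  objectClass: groupOfNames
  cn: gitlab_admin
  member: uid=jane,ou=users,dc=ldap-testing,dc=mrchris,dc=me
LDIF
puts "Settings that are not full DNs: #{invalid_dn_settings(LDAP_SETTINGS).inspect}" # => ["group_base"]
puts "Username attribute in ldapsearch output: #{username_attribute(parse_ldif(SAMPLE_LDIF))}" # => uid
```

Paste real ldapsearch output into SAMPLE_LDIF to check a live directory; a nil result means neither uid nor sAMAccountName is present on every user entry, so the uid setting needs a different attribute.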
Testing LDAP (valid for 8.10 and later)
- Launch the rails console:
  gitlab-rails c
- Update the logger level:
  Rails.logger.level = 0
- Perform a group sync:
  LdapGroupSyncWorker.new.perform
- Perform a user sync:
  LdapSyncWorker.new.perform
- All commands together:
  gitlab-rails c
  Rails.logger.level = 0
  LdapGroupSyncWorker.new.perform
  LdapSyncWorker.new.perform
- Check the console for the sync output
Removing the exclusive lease for testing (valid for 8.6 to 8.9)
This is used to force an immediate LDAP sync for testing purposes.
- Edit any LDAP settings required
- Edit the group sync file:
  vi /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb
- Comment out the exclusive lease section (the line numbers differ between releases)
- Run a reconfigure; this will restart GitLab:
  sudo gitlab-ctl reconfigure
- Launch the GitLab rails console:
  gitlab-rails console
- Execute the group sync:
  Gitlab::LDAP::GroupSync.execute
- The LDAP sync will now run
- When finished, revert the changes to the group_sync.rb file:
  /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb
Additional testing
- Start the rails console:
  sudo gitlab-rails console
- Create a new adapter instance:
  adapter = ::Gitlab::Auth::LDAP::Adapter.new('ldapmain')
- Find a group by common name. Replace UsersLDAPGroup with the common name to search.
  GitLab 8.11 and later:
  group = EE::Gitlab::Auth::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter)
  GitLab earlier than 8.10:
  group = Gitlab::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter)
- Check the member DNs of the group:
  group.member_dns