Debugging LDAP

Support Engineering workflow describing how to debug LDAP problems
Notes

This assumes an omnibus installation.
See LDAP troubleshooting in the docs.

Testing the LDAP server

  1. Install ldapsearch
# Ubuntu
apt-get install ldap-utils
# CentOS
yum install openldap-clients
  2. Check LDAP settings

Edit the following values to match the LDAP configuration in gitlab.rb.

Example LDAP configuration

# cat /etc/gitlab/gitlab.rb | grep -A 24 ldap_servers
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: '127.0.0.1'
     port: 389
     uid: 'uid'
     method: 'plain' # "tls" or "ssl" or "plain"
     bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'
     password: 'Password1'
     active_directory: true
     allow_username_or_email_login: false
     block_auto_created_users: false
     base: 'dc=ldap-testing,dc=mrchris,dc=me'
     user_filter: ''
     attributes:
       username: ['uid', 'userid', 'sAMAccountName']
       email:    ['mail', 'email', 'userPrincipalName']
       name:       'cn'
       first_name: 'givenName'
       last_name:  'sn'
     group_base: 'ou=groups,dc=ldap-testing,dc=mrchris,dc=me'
     admin_group: 'gitlab_admin'
EOS

LDAP search switches

  • -D = Bind DN

    • GitLab config value: bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'
  • -b = Search base

    • GitLab config value: base: 'dc=ldap-testing,dc=mrchris,dc=me'
  • -w = Password

    • GitLab config value: password: 'Password1'
  • -p = Port & -h = Host

    • GitLab config value: port: 389
    • GitLab config value: host: '127.0.0.1'
  • -s = Search scope

    • GitLab config value: None
    • Default is sub
    • Using -s sub with the filter "(objectclass=*)" returns all objects under the search base

Get all LDAP objects for baseDN

ldapsearch -D "cn=admin,dc=ldap-testing,dc=mrchris,dc=me" \
-w Password1 -p 389 -h 127.0.0.1 \
-b "dc=ldap-testing,dc=mrchris,dc=me" -s sub "(objectclass=*)"

LDAP Error messages (production.log)

Could not find member DNs for LDAP group
Could not find member DNs for LDAP group #<Net::LDAP::Entry:0x00000007220388

This usually indicates an issue with the uid configuration value in gitlab.rb.

When running ldapsearch you can see which attribute holds the LDAP username. In the example below the username attribute is uid, so ensure uid: 'uid' is set in the configuration. The default Microsoft Active Directory username attribute is sAMAccountName.

dn: cn=user test,ou=people,dc=ldap-testing,dc=mrchris,dc=me
sn: test
givenName: user
uid: test
cn: user test

Cannot find LDAP group with CN ‘GROUP_NAME’. Skipping

This indicates that the group named in admin_group (admin_group: 'gitlab_admin' in the example above) was not found. Ensure the group exists in AD and is located under the group_base.

LDAP search error: Invalid DN Syntax

This indicates a syntax error in one of the configured DNs. Check the following values and ensure each one is the full DN:

  • group_base
  • bind_dn
  • base

Testing LDAP - valid for 8.10 >

  1. Launch the rails console

    gitlab-rails c
    
  2. Update the logger level

    Rails.logger.level = 0
    
  3. Perform a group sync

    LdapGroupSyncWorker.new.perform
    
  4. Perform a user sync

    LdapSyncWorker.new.perform
    
  5. All commands:

    gitlab-rails c
    Rails.logger.level = 0
    LdapGroupSyncWorker.new.perform
    LdapSyncWorker.new.perform
    
  6. Check the console for sync output

Removing exclusive lease - Testing (valid for 8.6 to 8.9)

This is used to force an instant sync of LDAP for testing purposes.

  1. Edit any LDAP settings required
  2. Edit /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb (for example with vi)
  3. Comment out the exclusive lease section (line numbers may differ between releases)
  4. Run a reconfigure: sudo gitlab-ctl reconfigure. This will restart GitLab.
  5. Launch the GitLab Rails console: gitlab-rails console
  6. Execute Gitlab::LDAP::GroupSync.execute
  7. The LDAP sync will now run
  8. Revert the changes to /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb when finished

Additional testing

  1. Start the rails console

    sudo gitlab-rails console
    
  2. Create a new adapter instance

    adapter = ::Gitlab::Auth::LDAP::Adapter.new('ldapmain')
    
  3. Find a group by common name. Replace UsersLDAPGroup with the common name to search for.

    1. GitLab 8.11 >

      group = EE::Gitlab::Auth::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter)
      
    2. GitLab < 8.10

      group = Gitlab::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter)
      
  4. Check the group's member DNs

    group.member_dns
    
Last modified May 11, 2024: Update markdownlint to match (3c222108)