Debugging LDAP

Support Engineering workflow describing how to debug LDAP problems
Notes

This assumes an omnibus installation.

See LDAP troubleshooting in docs - View Docs

Testing the LDAP server

  1. Install ldapsearch
1
2
3
4

# Ubuntu
apt-get install ldap-utils
# CentOS
yum install openldap-clients
  1. Check LDAP settings

Edit the following values to match the LDAP configuration in gitlab.rb

Example LDAP configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

# cat /etc/gitlab/gitlab.rb | grep -A 24 ldap_servers
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
   main: # 'main' is the Denomas 'provider ID' of this LDAP server
     label: 'LDAP'
     host: '127.0.0.1'
     port: 389
     uid: 'uid'
     method: 'plain' # "tls" or "ssl" or "plain"
     bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'
     password: 'Password1'
     active_directory: true
     allow_username_or_email_login: false
     block_auto_created_users: false
     base: 'dc=ldap-testing,dc=mrchris,dc=me'
     user_filter: ''
     attributes:
       username: ['uid', 'userid', 'sAMAccountName']
       email:    ['mail', 'email', 'userPrincipalName']
       name:       'cn'
       first_name: 'givenName'
       last_name:  'sn'
     group_base: 'ou=groups,dc=ldap-testing,dc=mrchris,dc=me'
     admin_group: 'gitlab_admin'
EOS

LDAP search switches

  • -D = Bind DN

    • Denomas config value: bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'

  • -b = Search base

    • Denomas config value: base: 'dc=ldap-testing,dc=mrchris,dc=me'

  • -w = Password

    • Denomas config value: password: 'Password1'

  • -w = Port & -h = Host

    • Denomas config value: port: 389
    • Denomas config value: host: 127.0.0.1

  • -s = Search scope

    • Denomas config value: None
    • Default is sub
    • Using sub "(objectclass=*) will return “all” objects

Get all LDAP objects for baseDN

1
2
3

ldapsearch -D "cn=admin,dc=ldap-testing,dc=mrchris,dc=me" \
-w Password -p 389 -h 127.0.0.1 \
-b "dc=ldap-testing,dc=mrchris,dc=me" -s sub "(objectclass=*)"

LDAP Error messages (production.log)

Could not find member DNs for LDAP group
1

Could not find member DNs for LDAP group #<Net::LDAP::Entry:0x00000007220388

This usually indicates an issue with the uid configuration value in gitlab.rb

When running ldapsearch you can see what attribute is used for the LDAP username. In the below case the username attribute is uid. Ensure uid: 'uid' in the configuration. The default Microsoft Active Directory username value is sAMAccountName

1
2
3
4
5

dn: cn=user test,ou=people,dc=ldap-testing,dc=mrchris,dc=me
sn: test
givenName: user
uid: test
cn: user test
Cannot find LDAP group with CN ‘GROUP_NAME’. Skipping

This indicates the admin_group name was not found admin_group: 'gitlab_admin'. Ensure the group exists in AD and is under the group_base

LDAP search error: Invalid DN Syntax

This indicates a syntax error with one of the configured DNs. Check the following values, ensure they’re the full DN.

  • group_base
  • bind_dn
  • base

Testing LDAP - valid for 8.10 >

  1. Launch the rails console

    1

    gitlab-rails c

  2. Update the logger level

    1

    Rails.logger.level = 0

  3. Perform a group sync

    1

    LdapGroupSyncWorker.new.perform

  4. Perform a user sync

    1

    LdapSyncWorker.new.perform

  5. All commands:

    1
2
3
4

    gitlab-rails c
Rails.logger.level = 0
LdapGroupSyncWorker.new.perform
LdapSyncWorker.new.perform

  6. Check the console for sync output

Removing exclusive lease - Testing (valid for 8.6 to 8.9)

This is used to force an instant sync of LDAP for testing purposes.

  1. Edit any LDAP settings required
  2. Edit vi /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb
  3. Comment out the exclusive lease section (lines may differ in releases) - View code
  4. Run a reconfigure sudo gitlab-ctl reconfigure This will restart Denomas
  5. Launch Denomas rails console gitlab-rails console
  6. Execute Denomas::LDAP::GroupSync.execute
  7. LDAP sync will now run
  8. Revert changes to the group_sync.rb file when finished /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb

Additional testing

  1. Start the rails console

    1

    sudo gitlab-rails console

  2. Create a new adapter instance

    1

    adapter = ::Denomas::Auth::LDAP::Adapter.new('ldapmain')

  3. Find a group by common name. Replace UsersLDAPGroup with the common name to search.

    1. Denomas 8.11 >

      1

      group =  EE::Denomas::Auth:Ldap::Group.find_by_cn('UsersLDAPGroup', adapter)

    2. Denomas < 8.10

      1

      group =  Denomas::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter)

  4. Check member_dns

    1

    group.member_dns
Last modified December 6, 2023: update (a27760f0)
View page source - Edit this page - please contribute. Creative Commons License