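GitLab error: Could not authorize you from LDAP because "Invalid credentials" when trying to log in to the UI via LDAP/AD

Time: 2018-08-21 14:42:33

Tags: ldap gitlab redhat

My LDAP configuration in /etc/gitlab/gitlab.rb is as follows: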

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: '10.3.32.11'
    port: 389
    uid: 'sAMAccountName'
    bind_dn: 'CN=svc gitlab,CN=Users,DC=VPN,DC=Local'
    password: 'PASSWORD'
    encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
    verify_certificates: false
    active_directory: true
    allow_username_or_email_login: true
    lowercase_usernames: true
    block_auto_created_users: false
    base: 'ou=vpnusers,dc=vpn,dc=local'
    user_filter: '(&(objectCategory=user)(memberOf=CN=appGitLab,ou=vpnusers,dc=vpn,dc=local))'
EOS

After these configuration changes I ran gitlab-ctl reconfigure and then gitlab-ctl restart.

Edit: My production.log output is as follows:

Completed 200 OK in 3ms (Views: 0.4ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)
Started POST "/users/auth/ldapmain/callback" for 10.88.0.189 at 2018-08-21 12:57:56 -0500
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"aaron.west", "password"=>"[FILTERED]"}
Redirected to http://10.3.18.80/users/sign_in
Completed 302 Found in 279ms (ActiveRecord: 1.8ms | Elasticsearch: 0.0ms)
Started GET "/users/sign_in" for 10.88.0.189 at 2018-08-21 12:57:56 -0500
Processing by SessionsController#new as HTML
Completed 200 OK in 35ms (Views: 18.9ms | ActiveRecord: 2.4ms | Elasticsearch: 0.0ms)
Started GET "/-/metrics" for 127.0.0.1 at 2018-08-21 12:57:58 -0500
Processing by MetricsController#index as HTML
Completed 200 OK in 3ms (Views: 0.4ms | ActiveRecord: 0.0ms | Elasticsearch: 0.0ms)
Started GET "/-/metrics" for 127.0.0.1 at 2018-08-21 12:58:13 -0500
Processing by MetricsController#index as HTML

Do you know why I still see Could not authorize you from LDAP because "Invalid credentials" after logging in with LDAP?
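Added example, not part of the original post and not GitLab's own code: a Ruby script that pulls failed LDAP sign-ins out of a production.log excerpt like the one above, by pairing each POST to /users/auth/<provider>/callback with the #failure action that handled it. The function names are hypothetical, the sample log (including the non-failure controller line) is constructed, and it assumes the lines of one request are contiguous.

```ruby
# Added example (not GitLab code): list failed LDAP sign-ins in production.log.
# Assumes the lines of one request are contiguous, as in the excerpt above.
STARTED    = /\AStarted (?<verb>[A-Z]+) "(?<path>[^"]+)" for (?<ip>\S+) at (?<at>.+)\z/
CALLBACK   = %r{\A/users/auth/(?<provider>ldap\w*)/callback\z}
PROCESSING = /\AProcessing by (?<controller>[\w:]+)#(?<action>\w+)/
USERNAME   = /"username"=>"(?<user>[^"]*)"/

# Returns one hash per LDAP callback POST that was routed to the #failure action.
def failed_ldap_logins(log)
  failures = []
  request = nil # the LDAP callback request currently being read, if any
  log.each_line do |raw|
    line = raw.strip
    if (m = STARTED.match(line))
      cb = m[:verb] == 'POST' ? CALLBACK.match(m[:path]) : nil
      request = cb ? { provider: cb[:provider], ip: m[:ip], at: m[:at], user: nil } : nil
    elsif request && (m = PROCESSING.match(line))
      if m[:action] == 'failure'
        failures << request
      else
        request = nil # handled by a non-failure action, so not a rejected sign-in
      end
    elsif request && (m = USERNAME.match(line))
      request[:user] = m[:user] # the password is already [FILTERED] by Rails
    end
  end
  failures
end

# Groups failures by [ip, user]; pairs at or above `threshold` deserve a look.
def repeated_failures(failures, threshold = 2)
  failures.group_by { |f| [f[:ip], f[:user]] }
          .transform_values(&:size).select { |_, n| n >= threshold }
end

# Constructed sample in the excerpt's format; the last controller line is a made-up non-failure action.
SAMPLE_LOG = <<~'LOG'
  Started POST "/users/auth/ldapmain/callback" for 10.88.0.189 at 2018-08-21 12:57:56 -0500
  Processing by OmniauthCallbacksController#failure as HTML
    Parameters: {"authenticity_token"=>"[FILTERED]", "username"=>"aaron.west", "password"=>"[FILTERED]"}
  Started POST "/users/auth/ldapmain/callback" for 10.88.0.189 at 2018-08-21 12:58:20 -0500
  Processing by OmniauthCallbacksController#failure as HTML
    Parameters: {"authenticity_token"=>"[FILTERED]", "username"=>"aaron.west", "password"=>"[FILTERED]"}
  Started POST "/users/auth/ldapmain/callback" for 10.88.0.190 at 2018-08-21 12:59:01 -0500
  Processing by Ldap::OmniauthCallbacksController#ldapmain as HTML
    Parameters: {"authenticity_token"=>"[FILTERED]", "username"=>"jane.doe", "password"=>"[FILTERED]"}
LOG

failed_ldap_logins(SAMPLE_LOG).each { |f| puts f.values_at(:at, :ip, :provider, :user).join('  ') } if __FILE__ == $PROGRAM_NAME
```

The same user failing repeatedly from one address, as in the sample, fits a configuration problem on the server side as well as a mistyped password, so the result is a starting point for checking the LDAP settings rather than a verdict.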

1 answer:

Answer 0: (score: 0)

There is a task that checks whether your LDAP configuration is correct and fetches a sample of possible LDAP users: LDAP Rake Tasks

  

The LDAP check Rake task will test the bind_dn and password credentials (if configured) and will list a sample of LDAP users. This task is also executed as part of the gitlab:check task, but can be run independently using the command below.

Omnibus installation

sudo gitlab-rake gitlab:ldap:check

Source installation

sudo -u git -H bundle exec rake gitlab:ldap:check RAILS_ENV=production

By default, the task will return a sample of 100 LDAP users. Change this limit by passing a number to the check task: