Below is the text of the LDAP section of my gitlab.rb file (minus identifying information). Despite having this all configured, LDAP as an authentication method will not enable. It does not show up as enabled in the admin console and when I perform a

sudo gitlab-rake gitlab:ldap:check

it returns

LDAP: ... LDAP is disabled in config/gitlab.yml

a file that does not exist as my understanding of the TurnKey is that it's an Omnibus installation, not a source.


gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
main: # 'main' is the GitLab 'provider ID' of this LDAP server
  label: 'LDAP'
  host: 'tf-dc1.placeholder.local'
  port: 389
  uid: 'sAMAccountName'
  bind_dn: 'CN=LDAPAuth,OU=IT,OU=placeholder,DC=placeholder,DC=local'
  password: 'placeholder'
  encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
  verify_certificates: true
  smartcard_auth: false
  active_directory: true
  allow_username_or_email_login: false
  lowercase_usernames: false
  block_auto_created_users: false
  base: 'DC=placeholder,DC=local'
EOS


Also attempted with a more traditional YAML formatting.


gitlab_rails['ldap_enabled'] = true
gitlab_rails['prevent_ldap_sign_in'] = false
gitlab_rails['ldap_servers'] = {
'main' => {
  'label' => 'LDAP',
  'host' => 'tf-dc1.placeholder.local',
  'port' => 389,
  'uid' => 'sAMAccountName',
  'bind_dn' => 'CN=LDAPAuth,OU=IT,OU=placeholder,DC=placeholder,DC=local',
  'password' => 'placeholder',
  'encryption' => 'plain',
  'verify_certificates' => true,
  'tls_options' => {
    'ca_file' => '',
    'ssl_version' => '',
    'ciphers' => '',
    'cert' => '',
    'key' => ''
  },
  'timeout' => 10,
  'active_directory' => true,
  'allow_username_or_email_login' => false,
  'block_auto_created_users' => false,
  'base' => 'dc=placeholder,dc=local',
  'user_filter' => '',
  'attributes' => {
    'username' => ['uid', 'userid', 'sAMAccountName'],
    'email' => ['mail', 'email', 'userPrincipalName'],
    'name' => 'cn',
    'first_name' => 'givenName',
    'last_name' => 'sn'
  },
  'lowercase_usernames' => false,

  #EE Only

  'group_base' => '',
  'admin_group' => '',
  'external_groups' => [],
  'sync_ssh_keys' => false
  }

}
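An added example, not part of the original post and not GitLab code: a small Ruby check that parses an ldap_servers YAML block like the first one above and reports missing keys and transport settings that do not fit together. The helper name lint_ldap_servers and the constants are hypothetical; the sample input is constructed from the post's placeholder values.

```ruby
require 'yaml'

# Constructed sample: the first gitlab.rb block from the post, placeholder values kept.
LDAP_YAML = <<-'EOS'
main:
  label: 'LDAP'
  host: 'tf-dc1.placeholder.local'
  port: 389
  uid: 'sAMAccountName'
  bind_dn: 'CN=LDAPAuth,OU=IT,OU=placeholder,DC=placeholder,DC=local'
  password: 'placeholder'
  encryption: 'plain'
  verify_certificates: true
  base: 'DC=placeholder,DC=local'
EOS

REQUIRED = %w[host port uid base encryption].freeze
# Conventional ports: 389 for LDAP and StartTLS, 636 for LDAPS.
USUAL_PORT = { 'plain' => 389, 'start_tls' => 389, 'simple_tls' => 636 }.freeze

# Hypothetical helper (not a GitLab API): returns findings for every provider.
def lint_ldap_servers(servers)
  return ['ldap_servers did not parse to a hash of providers'] unless servers.is_a?(Hash)

  servers.flat_map do |id, cfg|
    next ["#{id}: provider entry is not a mapping"] unless cfg.is_a?(Hash)

    out = []
    missing = REQUIRED.select { |k| cfg[k].to_s.empty? }
    out << "#{id}: missing #{missing.join(', ')}" unless missing.empty?
    enc = cfg['encryption']
    next out if enc.to_s.empty?
    unless USUAL_PORT.key?(enc)
      out << "#{id}: unknown encryption #{enc.inspect}"
      next out
    end
    if enc == 'plain'
      out << "#{id}: 'plain' sends bind and user passwords unencrypted"
      out << "#{id}: verify_certificates has no effect without TLS" if cfg['verify_certificates']
    elsif cfg['verify_certificates'] == false
      out << "#{id}: TLS without certificate verification"
    end
    port = cfg['port']
    out << "#{id}: port #{port} is unusual for #{enc}" if port && port.to_i != USUAL_PORT[enc]
    out
  end
end

puts lint_ldap_servers(YAML.safe_load(LDAP_YAML)) if $PROGRAM_NAME == __FILE__
```

For the post's block this reports two findings, both about the 'plain' transport; neither explains the "LDAP is disabled" message, which is a separate problem.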

Jeremy Davis

As a general rule, most Linux daemons require restart to apply new config. So I would recommend that you try restarting gitlab first and then retry. I.e. (assuming running as root; if not either 'sudo su' first, or prefix each command with sudo):

gitlab-ctl restart

Then retry the rake (again, no sudo required if/when running as root):

gitlab-rake gitlab:ldap:check

That is all assuming that you are using a relatively new TurnKey GitLab release. You are right that we use the Omnibus package, but earlier releases were source install. To double check, run:

turnkey-version

That will return a string that looks like 'turnkey-APP_NAME-TKL_VERSION-DEBIAN_CODENAME-ARCHITECTURE'. So if you have v16.0 GitLab (based on Debian 10/Buster x86_64 - i.e. 64bit):

turnkey-gitlab-16.0-buster-amd64

Assuming that you have v15.2 or later (the current latest is v16.0) then you should definitely have the Omnibus install (it sounds like you do have, but best to double-check).

You can also check the GitLab version and available updates via apt:

apt update
apt policy gitlab-ce

So assuming you definitely have an omnibus install and you still get that LDAP error message (after restarting) then I'm a bit stumped. If you haven't already, perhaps try upgrading gitlab (via apt) and try again?! I.e.:

apt update # you can skip this if you ran it as per above
apt install gitlab-ce

If you get any errors from that, please post the message(s) back here.

If all that is ok, but you're still getting the LDAP related errors, then I can only imagine that it's some sort of GitLab bug?! Perhaps a bug in which config file GitLab is checking? Or perhaps a missing dependency (i.e. bug in the omnibus package not including a dependency). So perhaps worth asking them? Perhaps via their forums? If you do ask there, please feel free to cross-post a link here. It's also worth noting that TurnKey v16.x is based on Debian 10/Buster (v15.x based on Debian 9/Stretch).

Let us know how you go regardless.

It was a brand new Turnkey appliance just downloaded and installed last week-ish.... so 16.

Oddly enough the

apt update # you can skip this if you ran it as per above
apt install gitlab-ce

fixed the problem immediately.  There appears to be a glitch in the 16.0 build.  Should I post it as a specific issue?

Thank you for your help.

Jeremy Davis

Ah ok, so it sounds like it is (was) a GitLab bug that exists in the version of GitLab that ships with the current appliance. I'll update the existing issue. I hope to push an updated GitLab appliance soon anyway, but it might save someone else a bit of time mucking around in the meantime...
