Gitlab:LDAP“无效凭据"，但凭据正确 [英] Gitlab: LDAP "Invalid credentials", but credentials are right

问题描述

以下ldapsearch命令可以正常运行.

The following ldapsearch command works, flawlessly.

ldapsearch -LLL -s sub -P 3 -D"CN =，OU = IT，OU =非用户，OU =用户，OU = UserAccount，DC =，DC = com" -H ldaps://. com:-w''-v -b'OU = Users，OU = UserAccount，DC =，DC = com''(&(objectClass = person)(sAMAccountName =))'

ldapsearch -LLL -s sub -P 3 -D "CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com" -H ldaps://.com: -w '' -v -b 'OU=Users,OU=UserAccount,DC=,DC=com' '(&(objectClass=person)(sAMAccountName=))'

但是，无论我仔细检查了多少正确键入的值，在gitlab.yml中配置的值都没有.

But, regardless, of how much I double-check the values are typed correctly, this, configured in gitlab.yml, does not.

ldap:
已启用:true
主持人:.com"
港口:
uid:"sAMAccountName"
方法:"ssl"
bind_dn:'CN =，OU = IT，OU =非用户，OU =用户，OU = UserAccount，DC =，DC = com'
密码:"
allow_username_or_email_login:true
base:'OU = Users，OU = UserAccount，DC =，DC = com'
user_filter:"
group_base:"

ldap:
enabled: true
host: '.com'
port:
uid: 'sAMAccountName'
method: 'ssl'
bind_dn: 'CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com'
password: ''
allow_username_or_email_login: true
base: 'OU=Users,OU=UserAccount,DC=,DC=com'
user_filter: ''
group_base: ''

是的，BindDN与其他用户位于不同的位置，但位于其南部，因此查询库有效.

Yes, the BindDN is at a different location than the other users, but it is south of it, so the query base is valid.

所有尝试都会在屏幕上引发此错误:

All attempts throw this error on the screen:

由于凭据无效"而无法从LDAP授权您

Could not authorize you from LDAP because "Invalid credentials"

production.log指示以下内容:

production.log indicates the following:

在2014-07-18 08:13:17 -0400
上为127.0.0.1开始GET"/users/sign_in" 由Devise :: SessionsController#new处理为HTML
在21ms内完成200 OK(查看:12.8ms | ActiveRecord:0.0ms)
在2014-07-18 08:13:25 -0400
为127.0.0.1开始发布POST"/users/auth/ldap/callback" 由OmniauthCallbacksController#failure处理为HTML
参数:{"utf8" =>✓"，"authenticity_token" =>"，用户名" =>"，密码" =>"[已过滤]"}
重定向到http:///users/sign_in
3ms内完成302(ActiveRecord:0.0ms)
在2014-07-18 08:13:56 -0400
上为127.0.0.1启动GET"/users/sign_in" 由Devise :: SessionsController#new处理为HTML
10ms内完成200 OK(查看:5.9ms | ActiveRecord:0.0ms)
在2014-07-18 08:20:03 -0400

Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:17 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 21ms (Views: 12.8ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:13:25 -0400
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"", "username"=>"", "password"=>"[FILTERED]"}
Redirected to http:///users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:56 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 10ms (Views: 5.9ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:20:03 -0400

有问题的LDAP是Active Directory，尽管我没有本地权限访问服务器以查询日志，但是每次尝试登录Web时，"badPwdCount"都会增加，我不理解如何或为什么.

The LDAP in question is Active Directory, and while I don't have access to the server natively in order to query the logs, the "badPwdCount" is incremented for each attempt at a web login, and I don't understand how, or why.

我知道最终用户的危险，他们坚持要求他们正确输入用户名和密码，但是我已经检查，三重检查，八重检查，我的声明中没有错别字，并且我找不到与此相同的错误组合的任何其他事件.我知道这里的语法是正确的.

I know the perils of end users and their insistence that they're typing their usernames and passwords in correctly, but I've checked, triple-checked, octuple-checked that there aren't any typos in my declarations, and I can't find any other incident with this same error combination. I know that the syntax here is correct.

可能是什么问题?

推荐答案

这是我对LDAP的有效AD设置.

Here is my working AD settings for LDAP.

#########################################
ldap:  
    enabled: true  
    host: '16.184.18.88'  
    port: 636  
    uid: 'sAMAccountName'   #userPrincipalName  
    method: 'ssl' # "tls" or "ssl" or "plain"  
    bind_dn: 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=net'  
    password: 'My_Password'  
    allow_username_or_email_login: false  
    base: 'CN=Users,DC=mydomain,DC=net'  
    user_filter: '(memberOf=CN=Developers,OU=GitLabHQ,DC=mydomain,DC=net)'  
    group_base: 'OU=GitLabHQ,DC=mydomain,DC=net'  
    admin_group: GitLabAdmins
########################################

这篇关于Gitlab:LDAP“无效凭据"，但凭据正确的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！