无法通过Ldapmain对您进行身份验证,因为“用户名无效的凭据" [英] Could not authenticate you from Ldapmain because "Invalid credentials for user.name"
问题描述
我用
- debian 9
- gitlab-ce 11.10.4-ce.0
- 通过apt安装Omnibus
- openldap 2.4.44
ldap
配置
已配置/etc/ldap/ldap.conf
:
BASE dc=serverX,dc=lan
URI ldap://serverX.lan
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
已配置/etc/gitlab/gitlab.rb
:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
label: 'Gitlab LDAP'
host: '10.0.0.1'
port: 389
uid: 'sAMAccountName'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: 'cn=admin,ou=users,dc=serverX,dc=lan'
password: 'xxxx'
encryption: 'plain'
active_directory: false
allow_username_or_email_login: true
block_auto_created_users: false
base: 'ou=users,dc=serverX,dc=lan'
EOS
gitlab-rake gitlab:ldap:check
的输出正常:
# gitlab-rake gitlab:ldap:check
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
Checking LDAP ... Finished
通过phpldapadmin :
搜索了大量的Web资源,但是我不知道创建LDAP用户或使用现有用户的方法.
Searched tons of web ressources, but I can't figure out the way to create LDAP users or use existing ones.
我不知道问题是什么以及为什么得到Invalid credentials for user.name
的原因:我通过phpladmin
编辑了Password
属性(md5
),并在LDAP Gitlab登录页面中键入了相同的内容:
I don't know what is the issue and why I get Invalid credentials for user.name
: I edited via phpladmin
the Password
attribute (md5
) and I type the same one in the LDAP Gitlab login page :
Gitlab日志:
==> /var/log/gitlab/gitlab-rails/production.log <==
Started POST "/users/auth/ldapmain/callback" for 10.0.0.1 at 2019-05-16 07:56:16 +0200
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.name", "password"=>"[FILTERED]"}
Redirected to http://domainX.lan/users/sign_in
Completed 302 Found in 411ms (ActiveRecord: 23.1ms)
Started GET "/users/sign_in" for 10.0.0.1 at 2019-05-16 07:56:17 +0200
Processing by SessionsController#new as HTML
Completed 200 OK in 119ms (Views: 104.6ms | ActiveRecord: 7.5ms)
==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
I, [2019-05-16T07:56:16.907169 #3996] INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2019-05-16T07:56:16.917884 #3996] ERROR -- omniauth: (ldapmain) Authentication failure! invalid_credentials: OmniAuth::Strategies::LDAP::InvalidCredentialsError, Invalid credentials for user.name
以目标用户登录的slapcat
输出:
The slapcat
output with targeted user to login :
dn: uuid=gquenot,ou=users,dc=serverX,dc=lan
cn:: abcdef123456789==
sn: Foo Bar
objectClass: inetOrgPerson
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: 5133fc-0be-2039-9825-cd7
creatorsName: cn=admin,dc=serverX,dc=lan
createTimestamp: 20190516045340Z
userPassword:: xxxxxxxx
mail: me@example.com
entryCSN: 20190516101837.136599Z#000000#000#000000
modifiersName: cn=admin,dc=serverX,dc=lan
modifyTimestamp: 20190516101837Z
有人知道怎么了吗?
也许有人可以给我一个示例ldiff
和一个有效的配置?
Maybe someone can give me a sample ldiff
and a working configuration ?
slapadd
通过slapadd -f file.ldiff
尝试使用此ldiff
:
dn: cn=admin,dc=serverX,dc=lan
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Firstname Lastname
givenName: Gilles
sn: Quenot
uid: gquenot
mail: me@example.com
userPassword: {MD5}xxxxxxxxxxxxxx
错误:
5cdd8fe4 slapcat_so.txt: line 1: unknown directive <dn:> outside backend info and database definitions.
slapadd: bad configuration file!
Edit2
已修复:
Edit2
Fixed with :
ldapadd -x -H ldap://serverX:389 -D 'cn=admin,dc=serverX,dc=lan' -W -f stuff.ldiff
并在phpldapadmin
推荐答案
在使用OpenLDAP验证用户身份时,您的Gitlab配置以Active Directory为目标,因此首先要做的是在/etc/gitlab/gitlab.rb
中修复以下参数:>
Your Gitlab configuration targets Active Directory while you are using OpenLDAP to authenticate users, so the first thing to do is fixing the following parameters in /etc/gitlab/gitlab.rb
:
uid: 'uid'
active_directory: false
在身份验证的上下文中,我不知道attributes
的目的是什么(attributes
用于将用户数据从ldap同步到其Gitlab帐户,对于身份验证本身并不重要).
I don't know what is the purpose of attributes
in the context of an authentication (edit: attributes
are used to synchronize user data from ldap to its Gitlab account, it shouldn't matter for the authentication itself).
如果您不知道使用uid,也许还有其他问题,例如用户的uid不是'user.name',或者基数太窄(user.name条目可能不在ou=people
下). base dn作为基本搜索,或者通过运行带有/不带有"ou"部分的搜索来检查:
Maybe there are other issues like the user's uid not being 'user.name', or the base being too narrow for example (user.name entry may not be under ou=people
), if you don't know use the base dn as base search, or check by running a search with/without the 'ou' part :
ldapsearch -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -b ou=people,dc=serverX,dc=lan uid=user.name \*
我还将直接针对ldap检查凭证本身,即.而不是通过Gitlab,通过执行大致相同的查询,但使用 user.name 绑定,在这里,我们实际上测试了他是否可以绑定并读取其自己的条目:
I'd also check the credentials themselves directly against ldap , ie. not through Gitlab, by performing roughly the same query but using user.name bindings, here we actually tests that he can bind and read its own entry :
ldapsearch -H ldap://10.0.0.1:389 -D <user.name dn> -W -b <user.name dn> -s base \*
GitLab文档还坚持认为 LDAP用户必须设置一个电子邮件地址,无论是否用于登录.
Also GitLab documentation insists on the fact that LDAP users must have an email address set, regardless of whether it is used to log in.
一个典型的ldif文件,其中包含要使用ldapadd -f
创建的user.name条目(前提是存在以其专有名称提及的ou和dc):
A typical ldif file containing user.name entry to be created using ldapadd -f
(provided that the ou and dc's mentioned in its distinguished name exists) would look like this :
# user.name entry
dn: uid=user.name,ou=users,dc=serverX,dc=lan
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Firstname Lastname
givenName: Firstname
sn: Lastname
uid: user.name
mail: user.name@domain.com
userPassword: {MD5}<base64EncodedHash>
我不知道GitLab是否/如何知道密码加密方案(似乎对此没有配置,或者我错过了).
I don't know though if/how GitLab is aware of the password encryption scheme (seems there is no config for this or I missed it).
您可以创建一个测试案例条目:
You can create a test case entry :
- 将
<base64EncodedHash>
替换为{MD5}CY9rzUYh03PK3k6DJie09g==
(它表示密码test
,如果需要,我需要一个脚本来生成它们). - 也不要忘记用dn中的真实DC替换DC
- 请注意ldif文件中的空行和\ t,因为它可能会破坏ldap的添加/修改操作.
- 运行
ldapadd -x -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -f ldifFilename
以创建用户条目. - 运行上面的第一个ldapsearch cmd,您应该看到该新条目的结果.
- 运行第二个,绑定用户凭证"test"并搜索其自己的条目(因此,-b基本参数指向自己,以避免搜索期间的权限问题),您应该再次看到相同的结果.
- replace the
<base64EncodedHash>
with{MD5}CY9rzUYh03PK3k6DJie09g==
(it represents the passwordtest
, if you need I have a script to generate them). - don't forget also to replace the dc's with the real ones in the dn
- beware of empty lines and \t in the ldif file as it can break your ldap add/modify operations.
- run
ldapadd -x -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -f ldifFilename
to create the user entry. - running the 1st ldapsearch cmd above, you should see a result for that new entry.
- running the second one, binding with the user credentials 'test' and searching for its own entry (hence the -b base parameter pointing to himself to avoid permission issues during search), you should again see the same result.
在gitlab.rb中:
In gitlab.rb :
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
label: 'Gitlab LDAP'
host: '10.0.0.1'
port: 389
uid: 'uid'
bind_dn: 'cn=admin,ou=users,dc=serverX,dc=lan'
password: 'xxxx'
encryption: 'plain'
active_directory: false
allow_username_or_email_login: false
block_auto_created_users: false
base: 'ou=users,dc=serverX,dc=lan'
如果您可以与此用户绑定但不能通过gitlab ui绑定,则可能意味着它不处理{MD5}身份验证方案.
If you can bind with this user but not through gitlab ui, that could mean it does not handle the {MD5} authentication scheme.
这篇关于无法通过Ldapmain对您进行身份验证,因为“用户名无效的凭据"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!