无法通过Ldapmain对您进行身份验证,因为“用户名无效的凭据" [英] Could not authenticate you from Ldapmain because "Invalid credentials for user.name"

查看:11790
本文介绍了无法通过Ldapmain对您进行身份验证,因为“用户名无效的凭据"的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我用

  • debian 9
  • gitlab-ce 11.10.4-ce.0
  • 通过apt安装Omnibus
  • openldap 2.4.44

ldap配置

已配置/etc/ldap/ldap.conf:

BASE    dc=serverX,dc=lan
URI     ldap://serverX.lan
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt

已配置/etc/gitlab/gitlab.rb:

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS
  label: 'Gitlab LDAP'
  host: '10.0.0.1'
  port: 389
  uid: 'sAMAccountName'
  method: 'plain' # "tls" or "ssl" or "plain"
  bind_dn: 'cn=admin,ou=users,dc=serverX,dc=lan'
  password: 'xxxx'
  encryption: 'plain'
  active_directory: false
  allow_username_or_email_login: true
  block_auto_created_users: false
  base: 'ou=users,dc=serverX,dc=lan'
EOS

gitlab-rake gitlab:ldap:check的输出正常:

# gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Checking LDAP ... Finished

通过:

搜索了大量的Web资源,但是我不知道创建LDAP用户或使用现有用户的方法.

Searched tons of web ressources, but I can't figure out the way to create LDAP users or use existing ones.

我不知道问题是什么以及为什么得到Invalid credentials for user.name的原因:我通过phpladmin编辑了Password属性(md5),并在LDAP Gitlab登录页面中键入了相同的内容:

I don't know what is the issue and why I get Invalid credentials for user.name : I edited via phpladmin the Password attribute (md5) and I type the same one in the LDAP Gitlab login page :

Gitlab日志:

==> /var/log/gitlab/gitlab-rails/production.log <==
Started POST "/users/auth/ldapmain/callback" for 10.0.0.1 at 2019-05-16 07:56:16 +0200
Processing by OmniauthCallbacksController#failure as HTML
  Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.name", "password"=>"[FILTERED]"}
Redirected to http://domainX.lan/users/sign_in
Completed 302 Found in 411ms (ActiveRecord: 23.1ms)
Started GET "/users/sign_in" for 10.0.0.1 at 2019-05-16 07:56:17 +0200
Processing by SessionsController#new as HTML
Completed 200 OK in 119ms (Views: 104.6ms | ActiveRecord: 7.5ms)

==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
I, [2019-05-16T07:56:16.907169 #3996]  INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2019-05-16T07:56:16.917884 #3996] ERROR -- omniauth: (ldapmain) Authentication failure! invalid_credentials: OmniAuth::Strategies::LDAP::InvalidCredentialsError, Invalid credentials for user.name

以目标用户登录的slapcat输出:

The slapcat output with targeted user to login :

dn: uuid=gquenot,ou=users,dc=serverX,dc=lan
cn:: abcdef123456789==
sn: Foo Bar
objectClass: inetOrgPerson
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: 5133fc-0be-2039-9825-cd7
creatorsName: cn=admin,dc=serverX,dc=lan
createTimestamp: 20190516045340Z
userPassword:: xxxxxxxx
mail: me@example.com
entryCSN: 20190516101837.136599Z#000000#000#000000
modifiersName: cn=admin,dc=serverX,dc=lan
modifyTimestamp: 20190516101837Z

有人知道怎么了吗?

也许有人可以给我一个示例ldiff和一个有效的配置?

Maybe someone can give me a sample ldiff and a working configuration ?

slapadd通过slapadd -f file.ldiff尝试使用此ldiff:

dn: cn=admin,dc=serverX,dc=lan
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Firstname Lastname
givenName: Gilles
sn: Quenot
uid: gquenot
mail: me@example.com
userPassword: {MD5}xxxxxxxxxxxxxx

错误:

5cdd8fe4 slapcat_so.txt: line 1: unknown directive <dn:> outside backend info and database definitions.
slapadd: bad configuration file!

Edit2

已修复:

 Edit2

Fixed with :

ldapadd -x -H ldap://serverX:389 -D 'cn=admin,dc=serverX,dc=lan' -W -f stuff.ldiff

并在phpldapadmin

推荐答案

在使用OpenLDAP验证用户身份时,您的Gitlab配置以Active Directory为目标,因此首先要做的是在/etc/gitlab/gitlab.rb中修复以下参数:

Your Gitlab configuration targets Active Directory while you are using OpenLDAP to authenticate users, so the first thing to do is fixing the following parameters in /etc/gitlab/gitlab.rb:

uid: 'uid'
active_directory: false

在身份验证的上下文中,我不知道attributes的目的是什么(attributes用于将用户数据从ldap同步到其Gitlab帐户,对于身份验证本身并不重要).

I don't know what is the purpose of attributes in the context of an authentication (edit: attributes are used to synchronize user data from ldap to its Gitlab account, it shouldn't matter for the authentication itself).

如果您不知道使用uid,也许还有其他问题,例如用户的uid不是'user.name',或者基数太窄(user.name条目可能不在ou=people下). base dn作为基本搜索,或者通过运行带有/不带有"ou"部分的搜索来检查:

Maybe there are other issues like the user's uid not being 'user.name', or the base being too narrow for example (user.name entry may not be under ou=people), if you don't know use the base dn as base search, or check by running a search with/without the 'ou' part :

ldapsearch -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -b ou=people,dc=serverX,dc=lan uid=user.name \*

我还将直接针对ldap检查凭证本身,即.而不是通过Gitlab,通过执行大致相同的查询,但使用 user.name 绑定,在这里,我们实际上测试了他是否可以绑定并读取其自己的条目:

I'd also check the credentials themselves directly against ldap , ie. not through Gitlab, by performing roughly the same query but using user.name bindings, here we actually tests that he can bind and read its own entry :

ldapsearch -H ldap://10.0.0.1:389 -D <user.name dn> -W -b <user.name dn> -s base \*

GitLab文档还坚持认为 LDAP用户必须设置一个电子邮件地址,无论是否用于登录.

Also GitLab documentation insists on the fact that LDAP users must have an email address set, regardless of whether it is used to log in.

一个典型的ldif文件,其中包含要使用ldapadd -f创建的user.name条目(前提是存在以其专有名称提及的ou和dc):

A typical ldif file containing user.name entry to be created using ldapadd -f (provided that the ou and dc's mentioned in its distinguished name exists) would look like this :

# user.name entry 
dn: uid=user.name,ou=users,dc=serverX,dc=lan
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Firstname Lastname
givenName: Firstname
sn: Lastname
uid: user.name
mail: user.name@domain.com
userPassword: {MD5}<base64EncodedHash>

我不知道GitLab是否/如何知道密码加密方案(似乎对此没有配置,或者我错过了).

I don't know though if/how GitLab is aware of the password encryption scheme (seems there is no config for this or I missed it).

您可以创建一个测试案例条目:

You can create a test case entry :

  • <base64EncodedHash>替换为{MD5}CY9rzUYh03PK3k6DJie09g==(它表示密码test,如果需要,我需要一个脚本来生成它们).
  • 也不要忘记用dn中的真实DC替换DC
  • 请注意ldif文件中的空行和\ t,因为它可能会破坏ldap的添加/修改操作.
  • 运行ldapadd -x -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -f ldifFilename以创建用户条目.
  • 运行上面的第一个ldapsearch cmd,您应该看到该新条目的结果.
  • 运行第二个,绑定用户凭证"test"并搜索其自己的条目(因此,-b基本参数指向自己,以避免搜索期间的权限问题),您应该再次看到相同的结果.
  • replace the <base64EncodedHash> with {MD5}CY9rzUYh03PK3k6DJie09g== (it represents the password test, if you need I have a script to generate them).
  • don't forget also to replace the dc's with the real ones in the dn
  • beware of empty lines and \t in the ldif file as it can break your ldap add/modify operations.
  • run ldapadd -x -H ldap://10.0.0.1:389 -D cn=admin,dc=serverX,dc=lan -W -f ldifFilename to create the user entry.
  • running the 1st ldapsearch cmd above, you should see a result for that new entry.
  • running the second one, binding with the user credentials 'test' and searching for its own entry (hence the -b base parameter pointing to himself to avoid permission issues during search), you should again see the same result.

在gitlab.rb中:

In gitlab.rb :

gitlab_rails['ldap_servers'] = YAML.load <<-EOS
  label: 'Gitlab LDAP'
  host: '10.0.0.1'
  port: 389
  uid: 'uid'
  bind_dn: 'cn=admin,ou=users,dc=serverX,dc=lan'
  password: 'xxxx'
  encryption: 'plain'
  active_directory: false
  allow_username_or_email_login: false
  block_auto_created_users: false
  base: 'ou=users,dc=serverX,dc=lan'

如果您可以与此用户绑定但不能通过gitlab ui绑定,则可能意味着它不处理{MD5}身份验证方案.

If you can bind with this user but not through gitlab ui, that could mean it does not handle the {MD5} authentication scheme.

这篇关于无法通过Ldapmain对您进行身份验证,因为“用户名无效的凭据"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆