Gitlab:LDAP“无效的凭据"，但凭据是正确的 [英] Gitlab: LDAP "Invalid credentials", but credentials are right

问题描述

以下 ldapsearch 命令完美运行.

The following ldapsearch command works, flawlessly.

ldapsearch -LLL -s sub -P 3 -D "CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com" -H ldaps://.com: -w '' -v -b 'OU=Users,OU=UserAccount,DC=,DC=com' '(&(objectClass=person)(sAMAccountName=))'

ldapsearch -LLL -s sub -P 3 -D "CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com" -H ldaps://.com: -w '' -v -b 'OU=Users,OU=UserAccount,DC=,DC=com' '(&(objectClass=person)(sAMAccountName=))'

但是，无论我仔细检查了多少正确键入的值，在 gitlab.yml 中配置的这个都没有.

But, regardless, of how much I double-check the values are typed correctly, this, configured in gitlab.yml, does not.

ldap:
启用:真
主机:'.com'
港口:
uid: 'sAMAccountName'
方法:'ssl'
bind_dn: 'CN=,OU=IT,OU=非用户,OU=用户,OU=UserAccount,DC=,DC=com'
密码:''
allow_username_or_email_login: true
base: 'OU=Users,OU=UserAccount,DC=,DC=com'
用户过滤器:''
group_base: ''

ldap:
enabled: true
host: '.com'
port:
uid: 'sAMAccountName'
method: 'ssl'
bind_dn: 'CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com'
password: ''
allow_username_or_email_login: true
base: 'OU=Users,OU=UserAccount,DC=,DC=com'
user_filter: ''
group_base: ''

是的，BindDN 与其他用户位于不同的位置，但位于其南部，因此查询库有效.

Yes, the BindDN is at a different location than the other users, but it is south of it, so the query base is valid.

所有尝试都会在屏幕上抛出此错误:

All attempts throw this error on the screen:

无法从 LDAP 授权您，因为凭据无效"

Could not authorize you from LDAP because "Invalid credentials"

production.log 表示以下内容:

production.log indicates the following:

于 2014-07-18 08:13:17 -0400 开始 GET "/users/sign_in" 获取 127.0.0.1
由 Devise::SessionsController#new 处理为 HTML
在 21 毫秒内完成 200 次 OK(查看次数:12.8 毫秒 | ActiveRecord:0.0 毫秒)
2014-07-18 08:13:25 -0400 开始为 127.0.0.1 发布/users/auth/ldap/callback"
由 OmniauthCallbacksController#failure 处理为 HTML
参数:{"utf8"=>"✓", "authenticity_token"=>"", "username"=>"", "password"=>"[FILTERED]"}
重定向到 http:///users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
2014-07-18 08:13:56 -0400 开始为 127.0.0.1 获取/users/sign_in"
由 Devise::SessionsController#new 处理为 HTML
在 10 毫秒内完成 200 次 OK(查看次数:5.9 毫秒 | ActiveRecord:0.0 毫秒)
于 2014-07-18 08:20:03 -0400 开始为 127.0.0.1 发布/users/auth/ldap/callback"

Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:17 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 21ms (Views: 12.8ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:13:25 -0400
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"", "username"=>"", "password"=>"[FILTERED]"}
Redirected to http:///users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:56 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 10ms (Views: 5.9ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:20:03 -0400

有问题的 LDAP 是 Active Directory，虽然我无法访问服务器以查询日志，但每次尝试 Web 登录时badPwdCount"都会增加，我不明白如何，或者为什么.

The LDAP in question is Active Directory, and while I don't have access to the server natively in order to query the logs, the "badPwdCount" is incremented for each attempt at a web login, and I don't understand how, or why.

我知道最终用户的危险以及他们坚持正确输入用户名和密码的要求，但我已经检查、三次检查、八次检查我的声明中没有任何拼写错误，并且我找不到任何其他具有相同错误组合的事件.我知道这里的语法是正确的.

I know the perils of end users and their insistence that they're typing their usernames and passwords in correctly, but I've checked, triple-checked, octuple-checked that there aren't any typos in my declarations, and I can't find any other incident with this same error combination. I know that the syntax here is correct.

可能是什么问题?

推荐答案

这是我的 LDAP 工作 AD 设置.

Here is my working AD settings for LDAP.

#########################################
ldap:  
    enabled: true  
    host: '16.184.18.88'  
    port: 636  
    uid: 'sAMAccountName'   #userPrincipalName  
    method: 'ssl' # "tls" or "ssl" or "plain"  
    bind_dn: 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=net'  
    password: 'My_Password'  
    allow_username_or_email_login: false  
    base: 'CN=Users,DC=mydomain,DC=net'  
    user_filter: '(memberOf=CN=Developers,OU=GitLabHQ,DC=mydomain,DC=net)'  
    group_base: 'OU=GitLabHQ,DC=mydomain,DC=net'  
    admin_group: GitLabAdmins
########################################

这篇关于Gitlab:LDAP“无效的凭据"，但凭据是正确的的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！