Gitlab:LDAP“无效的凭据",但凭据是正确的 [英] Gitlab: LDAP "Invalid credentials", but credentials are right
问题描述
以下 ldapsearch 命令完美运行.
The following ldapsearch command works, flawlessly.
ldapsearch -LLL -s sub -P 3 -D "CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com" -H ldaps://.com: -w '' -v -b 'OU=Users,OU=UserAccount,DC=,DC=com' '(&(objectClass=person)(sAMAccountName=))'
ldapsearch -LLL -s sub -P 3 -D "CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com" -H ldaps://.com: -w '' -v -b 'OU=Users,OU=UserAccount,DC=,DC=com' '(&(objectClass=person)(sAMAccountName=))'
但是,无论我仔细检查了多少正确键入的值,在 gitlab.yml 中配置的这个都没有.
But, regardless, of how much I double-check the values are typed correctly, this, configured in gitlab.yml, does not.
ldap:
启用:真
主机:'.com'
港口:
uid: 'sAMAccountName'
方法:'ssl'
bind_dn: 'CN=,OU=IT,OU=非用户,OU=用户,OU=UserAccount,DC=,DC=com'
密码:''
allow_username_or_email_login: true
base: 'OU=Users,OU=UserAccount,DC=,DC=com'
用户过滤器:''
group_base: ''
ldap:
enabled: true
host: '.com'
port:
uid: 'sAMAccountName'
method: 'ssl'
bind_dn: 'CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com'
password: ''
allow_username_or_email_login: true
base: 'OU=Users,OU=UserAccount,DC=,DC=com'
user_filter: ''
group_base: ''
是的,BindDN 与其他用户位于不同的位置,但位于其南部,因此查询库有效.
Yes, the BindDN is at a different location than the other users, but it is south of it, so the query base is valid.
所有尝试都会在屏幕上抛出此错误:
All attempts throw this error on the screen:
无法从 LDAP 授权您,因为凭据无效"
Could not authorize you from LDAP because "Invalid credentials"
production.log 表示以下内容:
production.log indicates the following:
于 2014-07-18 08:13:17 -0400 开始 GET "/users/sign_in" 获取 127.0.0.1
由 Devise::SessionsController#new 处理为 HTML
在 21 毫秒内完成 200 次 OK(查看次数:12.8 毫秒 | ActiveRecord:0.0 毫秒)
2014-07-18 08:13:25 -0400 开始为 127.0.0.1 发布/users/auth/ldap/callback"
由 OmniauthCallbacksController#failure 处理为 HTML
参数:{"utf8"=>"✓", "authenticity_token"=>"", "username"=>"", "password"=>"[FILTERED]"}
重定向到 http:///users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
2014-07-18 08:13:56 -0400 开始为 127.0.0.1 获取/users/sign_in"
由 Devise::SessionsController#new 处理为 HTML
在 10 毫秒内完成 200 次 OK(查看次数:5.9 毫秒 | ActiveRecord:0.0 毫秒)
于 2014-07-18 08:20:03 -0400 开始为 127.0.0.1 发布/users/auth/ldap/callback"
Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:17 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 21ms (Views: 12.8ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:13:25 -0400
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"", "username"=>"", "password"=>"[FILTERED]"}
Redirected to http:///users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2014-07-18 08:13:56 -0400
Processing by Devise::SessionsController#new as HTML
Completed 200 OK in 10ms (Views: 5.9ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2014-07-18 08:20:03 -0400
有问题的 LDAP 是 Active Directory,虽然我无法访问服务器以查询日志,但每次尝试 Web 登录时badPwdCount"都会增加,我不明白如何,或者为什么.
The LDAP in question is Active Directory, and while I don't have access to the server natively in order to query the logs, the "badPwdCount" is incremented for each attempt at a web login, and I don't understand how, or why.
我知道最终用户的危险以及他们坚持正确输入用户名和密码的要求,但我已经检查、三次检查、八次检查我的声明中没有任何拼写错误,并且我找不到任何其他具有相同错误组合的事件.我知道这里的语法是正确的.
I know the perils of end users and their insistence that they're typing their usernames and passwords in correctly, but I've checked, triple-checked, octuple-checked that there aren't any typos in my declarations, and I can't find any other incident with this same error combination. I know that the syntax here is correct.
可能是什么问题?
推荐答案
这是我的 LDAP 工作 AD 设置.
Here is my working AD settings for LDAP.
#########################################
ldap:
enabled: true
host: '16.184.18.88'
port: 636
uid: 'sAMAccountName' #userPrincipalName
method: 'ssl' # "tls" or "ssl" or "plain"
bind_dn: 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=net'
password: 'My_Password'
allow_username_or_email_login: false
base: 'CN=Users,DC=mydomain,DC=net'
user_filter: '(memberOf=CN=Developers,OU=GitLabHQ,DC=mydomain,DC=net)'
group_base: 'OU=GitLabHQ,DC=mydomain,DC=net'
admin_group: GitLabAdmins
########################################
这篇关于Gitlab:LDAP“无效的凭据",但凭据是正确的的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!