Develop Reference

Gitlab LDAP (Active Directory) Authentication without Server Side Access

I am using GitLab Omnibus 7.10.0 on RHEL 6.6. I have enabled LDAP using the following configuration:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'FOO COM Active Directory (LDAP)'
host: 'ad.server.foo.com'
port: 3268
uid: 'someuser'
method: 'plain' # "tls" or "ssl" or "plain"
bind_dn: 'CN=My Whole. Name,OU=Some Users,DC=ad,DC=server,DC=foo,DC=com'
password: 'thepassword'
active_directory: true
allow_username_or_email_login: false
block_auto_created_users: false
base: 'DC=ad,DC=server,DC=foo,DC=com'
user_filter: ''
# ## EE only
# group_base: ''
# admin_group: ''
# sync_ssh_keys: false
#
# secondary: # NOT FILLED OUT
EOS
My problem is that I can't get users to authenticate via LDAP. I'm not sure if the configuration is wrong, or I need to do something on the server side (which I have no direct access to). When I run
gitlab-rake gitlab:ldap:check RAILS_ENV=production
I get this
Checking LDAP ...
LDAP users with access to your GitLab server (only showing the first 100 results)
Server: ldapmain
Checking LDAP ... Finished
I can search for individual users using java with this account (my personal account) or another account for a different application, but can't get AD working with gitlab. I got the bind_dn "My Whole. Name" by running this command on a Windows box.
gpresult -r
I have also tried a bind_dn of:
uid=myADaccountname,OU=Some Users,DC=ad,DC=server,DC=foo,DC=com
and
myADaccountname#ad.server.foo.com
but I still have the same problem.

For Active Directory, the uid should be:
uid: 'sAMAccountName'
Gitlab should connect using the user specified in the bind_dn, with the given password.

Since GitLab 9.5.1 the uid now requires [ ]
See this issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/37120
This might just be a bug which will be fixed.
I had to update the value for Active Directory from the answer above to:
uid: ['sAMAccountName']

GitLab LDAP scondary strategy

I'm using GitLab CE Omnibus package (gitlab_7.7.2-omnibus.5.4.2.ci-1_amd64) on a clean Debian (debian-7.8.0-amd64) installation.
I followed the installation process on https://about.gitlab.com/downloads/ and everything works fine.
I modified /etc/gitlab/gitlab.rb to use a single LDAP server for authentification.
Which worked also as expected.
But when I tried to use a secondary LDAP connection "gitlab-ctl reconfigure" gives me the output:
---- Begin output of /opt/gitlab/bin/gitlab-rake cache:clear ----
STDOUT:
STDERR: rake aborted!
Devise::OmniAuth::StrategyNotFound: Could not find a strategy with name `Ldapsecondary'. Please ensure it is required or explicitly set it using the :strategy_class option .
Tasks: TOP => cache:clear => environment
(See full trace by running task with --trace)
---- End output of /opt/gitlab/bin/gitlab-rake cache:clear ----
So, the problem is that I can use the LDAP connection 'main' but I cannot use the connection 'secondary'.
Is there any possibility to use two different LDAP connection in the CE edition at once?
I'm new to ruby [on rails]. I found something in /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/config.rb but I'm not able to debug anything.
Here are my settings in /etc/gitlab/gitlab.rb
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-EOS # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'First Company'
host: '192.168.100.1'
port: 389
uid: 'sAMAccountName'
method: 'tls' # "tls" or "ssl" or "plain"
bind_dn: 'debian#firstcompany.local'
password: 'Passw0rd'
active_directory: true
allow_username_or_email_login: false
base: 'dc=firstcompany,dc=local'
user_filter: '(&(objectClass=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
## EE only
group_base: ''
admin_group: ''
sync_ssh_keys: false
secondary: # 'secondary' is the GitLab 'provider ID' of second LDAP server
label: 'Second Company'
host: '192.168.200.1'
port: 389
uid: 'sAMAccountName'
method: 'tls' # "tls" or "ssl" or "plain"
bind_dn: 'debian#secondcompany.local'
password: 'Passw0rd'
active_directory: true
allow_username_or_email_login: false
base: 'dc=secondcompany,dc=local'
user_filter: '(&(objectClass=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
## EE only
group_base: ''
admin_group: ''
sync_ssh_keys: false
EOS
Thank you very much!

Multiple LDAP servers is an EE feature so setting the config in CE won't do anything. You can see the feature in GitLab documentation.

With GitLab 14.7 (January 2022, seven years later), this is now possible! (for hosted instances)
LDAP failover support
You can now specify multiple hosts (using hosts) in your GitLab LDAP configuration.
GitLab will use the first reachable host. This ensures continuity of access to GitLab should one of your LDAP hosts become unresponsive.
Thanks to Mathieu Parent for the contribution!
See Documentation and Issue.

foreman not getting environment variables

I'm using foreman for the environment variables in a rails app. On my config/enviroments/development.rb I have the following code:
config.action_mailer.smtp_settings = {
address: "smtp.gmail.com",
port: "587",
domain: "gmail.com",
authentication: "plain",
enable_starttls_auto: true,
user_name: ENV['GMAIL_USERNAME'],
password: ENV['GMAIL_PASSWORD']
#user_name: "user#gmail.com",
#password: "password"
}
and my .env file is as follows:
GMAIL_USERNAME=user#gmail.com
GMAIL_PASSWORD=password
and my Procfile is:
web: bundle exec rvmsudo rails s -p 80
So if I run "foreman start", I get the following message:
Net::SMTPAuthenticationError in Devise::ConfirmationsController#create
530-5.5.1 Authentication Required
However if I comment the lines that concern the environment variables and uncomment the ones that are commented right now at development.rb, everything works fine.
So I imagine the problem is that foreman is not getting the environment variables correctly.
I'm using git with branches, and ignoring both Procfile and .env
Is there anything wrong with my code?

Looks like the environment variables are not being set. Which method are you using to do that?
Here's an article that explains several methods.
Try setting them manually on the command line thus:
export GMAIL_USERNAME="user#gmail.com"
export GMAIL_PASSWORD="password"
Then type env at the command prompt to verify they are set. Then give it a whirl.

Gitlab API Access Connection timed out

I just installed Gitlab and I have an error during the gitlab-shell self check.
The command returns :
root#git:/home/git/gitlab# sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production
Checking Environment ...
Git configured for git user? ... yes
Checking Environment ... Finished
Checking GitLab Shell ...
GitLab Shell version >= 1.9.3 ? ... OK (1.9.3)
Repo base directory exists? ... yes
Repo base directory is a symlink? ... no
Repo base owned by git:git? ... yes
Repo base access is drwxrws---? ... yes
Satellites access is drwxr-x---? ... yes
update hook up-to-date? ... yes
update hooks in repos are links: ...
Thibaud / thibaud-dauce ... repository is empty
Running /home/git/gitlab-shell/bin/check
Check GitLab API access: /usr/local/lib/ruby/2.0.0/net/http.rb:878:in `initialize': Connection timed out - connect(2) (Errno::ETIMEDOUT)
from /usr/local/lib/ruby/2.0.0/net/http.rb:878:in `open'
from /usr/local/lib/ruby/2.0.0/net/http.rb:878:in `block in connect'
from /usr/local/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
from /usr/local/lib/ruby/2.0.0/net/http.rb:877:in `connect'
from /usr/local/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
from /usr/local/lib/ruby/2.0.0/net/http.rb:851:in `start'
from /home/git/gitlab-shell/lib/gitlab_net.rb:76:in `get'
from /home/git/gitlab-shell/lib/gitlab_net.rb:43:in `check'
from /home/git/gitlab-shell/bin/check:11:in `<main>'
gitlab-shell self-check failed
Try fixing it:
Make sure GitLab is running;
Check the gitlab-shell configuration file:
sudo -u git -H editor /home/git/gitlab-shell/config.yml
Please fix the error above and rerun the checks.
Checking GitLab Shell ... Finished
Checking Sidekiq ...
Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking LDAP ...
LDAP is disabled in config/gitlab.yml
Checking LDAP ... Finished
Checking GitLab ...
Database config exists? ... yes
Database is SQLite ... no
All migrations up? ... yes
Database contains orphaned UsersGroups? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Init script exists? ... yes
Init script up-to-date? ... yes
projects have namespace: ...
Thibaud / thibaud-dauce ... yes
Projects have satellites? ...
Thibaud / thibaud-dauce ... can't create, repository is empty
Redis version >= 2.0.0? ... yes
Your git bin path is "/usr/bin/git"
Git version >= 1.7.10 ? ... yes (1.7.10)
Checking GitLab ... Finished
Of course, Gitlab is running :
root#git:/home/git/gitlab# service gitlab status
The GitLab Unicorn web server with pid 1543 is running.
The GitLab Sidekiq job dispatcher with pid 1736 is running.
GitLab and all its components are up and running.
And my config file :
root#git:/home/git/gitlab# sudo -u git -H cat /home/git/gitlab-shell/config.yml
# GitLab user. git by default
user: git
# Url to gitlab instance. Used for api calls. Should end with a slash.
gitlab_url: "http://git.thibaud-dauce.fr/"
http_settings:
# user: someone
# password: somepass
# ca_file: /etc/ssl/cert.pem
# ca_path: /etc/pki/tls/certs
self_signed_cert: false
# Repositories path
# Give the canonicalized absolute pathname,
# REPOS_PATH MUST NOT CONTAIN ANY SYMLINK!!!
# Check twice that none of the components is a symlink, including "/home".
repos_path: "/home/git/repositories"
# File used as authorized_keys for gitlab user
auth_file: "/home/git/.ssh/authorized_keys"
# Redis settings used for pushing commit notices to gitlab
redis:
bin: /usr/bin/redis-cli
host: 89.234.146.59
port: 6379
# socket: /tmp/redis.socket # Only define this if you want to use sockets
namespace: resque:gitlab
# Log file.
# Default is gitlab-shell.log in the root directory.
# log_file: "/home/git/gitlab-shell/gitlab-shell.log"
# Log level. INFO by default
log_level: INFO
# Audit usernames.
# Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
# incurs an extra API call on every gitlab-shell command.
audit_usernames: false
I already try to replace in Redis conf host: 127.0.0.1 to host: 89.234.146.59
I also try to add 89.234.146.59 git.thibaud-dauce.fr in /etc/hosts
I have a server running Debian 7 32bits with a container LXC for Gitlab, Ruby is version 2.0.0. I have the same error when I try to push a repo (but I can create one online with the web app)
Do you have any idea ? I really look everywhere and found no solution...

GitHub Deploy via Capistrano. Public Repo and SSH works, but Private doesn't

i really need your help. I have a Ruby on Rails Application on my local machine, a Repository at GitHub and an Ubuntu Server, which hosts the application with Nginx.
I had my repo for a lot of time public and the deployment via capistrano worked just fine. Now I converted my repo to a private one and the deployment just doesn't work. When i try to deploy it, i get the following error:
* executing `deploy'
* executing `deploy:update'
** transaction: start
* executing `deploy:update_code'
updating the cached checkout on all servers
executing locally: "git ls-remote git://github.com/GIT_USER/APPLICATION.git master"
fatal: The remote end hung up unexpectedly
*** [deploy:update_code] rolling back
* executing "rm -rf /var/www/APPLICATION/releases/DATE_OF_DEPLOY; true"
servers: ["DOMAIN"]
[DOMAIN] executing command
command finished in 424ms
So, my guess would be, that the authentication doesn't work, but it does. I copied my public key to GitHub and can even SSH there. I can SSH from the server to GitHub and it says that I am successfully authenticated. I can even see which key works. But "git ls-remote [...]" does not work and I get no info running it with trace, besides the information i already got.
So, my main problem is that i don't no where to look for the error. If you know how to solve this or can point my in any direction that would be nice.
And this is the main part of my deploy.rb:
$:.unshift(File.expand_path('./lib', ENV['rvm_path']))
require "rvm/capistrano"
require 'bundler/capistrano'
default_run_options[:pty] = true
set :user, "DEPLOY_USER"
set :domain, "DOMAIN"
set :application, "APPLICATION"
set :repository, "git#github.com:GIT_USER/APPLICATION.git"
set :deploy_to, "/var/www/#{application}"
set :deploy_via, :remote_cache
set :scm, :git
set :git_account, "GIT_USER"
set :branch, "master"
set :git_shallow_clone, 1
set :scm_verbose, true
set :use_sudo, false
set :rvm_bin_path, "/usr/local/rvm/bin"
set :rvm_ruby_string, '1.9.2'
set :rvm_type, :user # Don't use system-wide RVM
ssh_options[:port] = PORT_NUMBER
set :user, user
ssh_options[:keys] = %w(/home/DEPLOY_USER/.ssh/id_rsa)
set :ssh_options, { :forward_agent => true}
server domain, :app, :web
# Your HTTP server, Apache/etc
role :web, domain
# This may be the same as your `Web` server
role :app, domain
# This is where Rails migrations will run
role :db, domain, :primary => true
Sorry that this thing looks so cluttered, but i tried like a thousand hints, tipps and tutorials.
Thanks for every help!
And by the Way: Yes, all the things written in Capslock are just for privacy reasons and are, of course, not the real settings I use.

I seem to remember having a similar issue with deploying using a private github repo. I don't thinkg we ever quite worked out the cause of the problem but in the end I think we solved the issue using ssh-add to add the github key to ssh-agent - might be worth a try

Since this is now a non-public repo, you should be using git#... address.
I see you have this in your deploy.rb file, but ls-remote is still executed on git://...
The problem may be a cached-copy of the repository you have on a server. Check if you have correct origin address in shared/cached-copy/.git/config file. You should have git#... instead of git://... there

for private repos you have to use the https style:
set :repository, "https://github.com/git_name/repo_name.git"
.. but you have to type in your username and password twice on every deploy!
so I write a little Expect-script to do that for me
have a look at this gist
.. or as a walkthrough:
1 - make a file in your home directory ($ cat > ~/git_cap)
#!/usr/bin/expect -f
# Expect script to supply username/password to cap deploy to git private repository
# This script needs username and password as arguments to connect to git server:
# ------------------------------------------------------------------------
# ./git_cap gituser gitpwd
# -------------------------------------------------------------------------
# set Variables
set g_user [lrange $argv 0 0]
set g_pwd [lrange $argv 1 1]
set timeout -1
spawn cap deploy
match_max 100000
# Look for user prompt
expect "*?sername:*"
send -- "$g_user\r"
send -- "\r"
# Look for passwod prompt
expect "*?assword:*"
send -- "$g_pwd\r"
send -- "\r"
# Look for user prompt
expect "*?sername:*"
send -- "$g_user\r"
send -- "\r"
# Look for passwod prompt
expect "*?assword:*"
send -- "$g_pwd\r"
send -- "\r"
expect eof
2 - make it executable
$ chmod 755 ~/git_cap
$ chmod +x ~/git_cap
3 - add a alias in your .profile / .bashrc .. (optional)
alias gcap='~/git_cap gitname gitpwd'
4 - add your sudo-pwd to deploy.rb or extend the expect-script for sudo-pwd
( for that reason username & password expected 2 times, even if it where possible to use it more times .. but this way you can add a line for password with exp_continue so every next password will send the sudo-pwd and not your git-pwd)
5 - deploy with gcap
rails_root$ gcap