
Debugging LDAP


This assumes an Omnibus GitLab installation.

See also the LDAP troubleshooting section of the GitLab documentation.

Testing the LDAP server

  1. Install ldapsearch

     # Ubuntu / Debian
     apt-get install ldap-utils
     # CentOS / RHEL
     yum install openldap-clients

  2. Check LDAP settings

Edit the values in the commands below to match the ldap_servers block in /etc/gitlab/gitlab.rb. The test configuration used throughout this page is:

Example LDAP configuration

# grep -A 25 ldap_servers /etc/gitlab/gitlab.rb
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
   main: # 'main' is the GitLab 'provider ID' of this LDAP server
     label: 'LDAP'
     host: ''
     port: 389
     uid: 'uid'
     method: 'plain' # "tls" or "ssl" or "plain"
     bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'
     password: 'Password1'
     active_directory: true
     allow_username_or_email_login: false
     block_auto_created_users: false
     base: 'dc=ldap-testing,dc=mrchris,dc=me'
     user_filter: ''
     attributes:
       username: ['uid', 'userid', 'sAMAccountName']
       email:    ['mail', 'email', 'userPrincipalName']
       name:       'cn'
       first_name: 'givenName'
       last_name:  'sn'
     group_base: 'ou=groups,dc=ldap-testing,dc=mrchris,dc=me'
     admin_group: 'gitlab_admin'
EOS

Two things to note about this test configuration. The username/email/name mappings must sit under an attributes: key; without it the indented lines have no parent and the YAML does not parse, so reconfigure fails. And method: 'plain' sends the bind DN and password over the wire in cleartext, so use 'tls' or 'ssl' anywhere other than a throwaway lab. It also sets active_directory: true while keeping uid: 'uid'; against a real Active Directory the login name attribute is sAMAccountName.

LDAP search switches

Get all LDAP objects under the base DN, binding as the bind_dn from gitlab.rb. Replace <ldap-host> with the host value. -x selects a simple bind, which is what GitLab uses (without it ldapsearch attempts a SASL bind), and -W prompts for the password instead of leaving it in shell history and process listings:

ldapsearch -x -D "cn=admin,dc=ldap-testing,dc=mrchris,dc=me" \
  -W -p 389 -h <ldap-host> \
  -b "dc=ldap-testing,dc=mrchris,dc=me" -s sub "(objectclass=*)"

LDAP Error messages (production.log)

Could not find member DNs for LDAP group
Could not find member DNs for LDAP group #<Net::LDAP::Entry:0x00000007220388 

This usually indicates a wrong uid value in gitlab.rb.

The ldapsearch output shows which attribute holds the LDAP username. In the entry below it is uid, so the configuration needs uid: 'uid'. On Microsoft Active Directory the login name is stored in sAMAccountName, so use uid: 'sAMAccountName' there.

dn: cn=user test,ou=people,dc=ldap-testing,dc=mrchris,dc=me
sn: test
givenName: user
uid: test
cn: user test

Cannot find LDAP group with CN 'GROUP_NAME'. Skipping

This means the group named in admin_group (here admin_group: 'gitlab_admin') was not found. Check that the group exists in the directory, that its entry sits under group_base, and that the CN matches exactly.

LDAP search error: Invalid DN Syntax

This indicates a syntax error in one of the configured DNs. Check bind_dn, base and group_base and make sure each is a full DN (for example cn=admin,dc=ldap-testing,dc=mrchris,dc=me rather than just admin), with no missing '=' or stray commas.
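The checks above can be run before touching gitlab-ctl reconfigure. The following is an added example, not code from this page or from GitLab: using only the Ruby standard library it parses the YAML body of gitlab_rails['ldap_servers'], flags DNs that would produce the "Invalid DN Syntax" error, flags uid: 'uid' on a provider with active_directory: true and method: 'plain', and builds the matching ldapsearch command from the same values so the command line and gitlab.rb cannot drift apart. The sample configuration is constructed from the one above; the host ldap.example.com, the restored attributes: key and the function names are assumptions made for the example.

```ruby
# Added example (not GitLab's own code): offline pre-flight checks for the
# YAML body of gitlab_rails['ldap_servers'] in /etc/gitlab/gitlab.rb.
# Only the Ruby standard library is used; the bind and search themselves
# still need ldapsearch or the rails console.
require 'yaml'
require 'shellwords'

# Constructed sample built from the configuration on this page. The host is
# an assumption (the page leaves it empty) and the 'attributes:' key that the
# username/email lines belong under is restored.
GOOD_YAML = <<~YAML
  main:
    label: 'LDAP'
    host: 'ldap.example.com'
    port: 389
    uid: 'uid'
    method: 'plain'
    bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'
    password: 'Password1'
    active_directory: true
    base: 'dc=ldap-testing,dc=mrchris,dc=me'
    attributes:
      username: ['uid', 'userid', 'sAMAccountName']
      email:    ['mail', 'email', 'userPrincipalName']
    group_base: 'ou=groups,dc=ldap-testing,dc=mrchris,dc=me'
    admin_group: 'gitlab_admin'
YAML

# The same text with 'attributes:' removed, as in the extract on this page:
# the indented 'username:' line is left without a parent key.
BROKEN_YAML = GOOD_YAML.lines.reject { |l| l.strip == 'attributes:' }.join

# Parse the heredoc body; nil means gitlab-ctl reconfigure would fail on it.
def load_ldap_servers(yaml_text)
  YAML.safe_load(yaml_text)
rescue Psych::SyntaxError
  nil
end

# One RDN is attributeType=value. Enough to catch the slips behind
# "LDAP search error: Invalid DN Syntax" (missing '=', empty component,
# trailing comma); not a full RFC 4514 parser, escaped commas are rejected.
RDN = /\A[A-Za-z][A-Za-z0-9-]*=[^,]+\z/

def valid_dn?(dn)
  return false if dn.nil? || dn.to_s.strip.empty?
  dn.to_s.split(',', -1).all? { |rdn| rdn.strip.match?(RDN) }
end

# Return human-readable problems for one provider block ('main' above).
def check_provider(id, cfg)
  problems = []
  %w[bind_dn base group_base].each do |key|
    value = cfg[key].to_s
    next if value.empty?
    problems << "#{id}: #{key} is not a valid DN: #{value.inspect}" unless valid_dn?(value)
  end
  problems << "#{id}: host is empty" if cfg['host'].to_s.empty?
  if cfg['active_directory'] && cfg['uid'] != 'sAMAccountName'
    problems << "#{id}: active_directory is true but uid is #{cfg['uid'].inspect}; " \
                'Active Directory keeps the login name in sAMAccountName'
  end
  if cfg['method'] == 'plain'
    problems << "#{id}: method 'plain' sends the bind DN and password in cleartext; " \
                "use 'tls' or 'ssl' outside a lab"
  end
  problems
end

# ldapsearch argv equivalent to GitLab's bind, built from the same values so
# the command line and gitlab.rb cannot drift apart. -x forces a simple bind
# (what GitLab does); -W prompts for the password instead of leaving it in
# shell history and `ps` output; -ZZ requires STARTTLS when method is 'tls'.
def ldapsearch_args(cfg, filter = '(objectclass=*)')
  scheme = cfg['method'] == 'ssl' ? 'ldaps' : 'ldap'
  args = ['ldapsearch', '-x', '-H', "#{scheme}://#{cfg['host']}:#{cfg['port']}",
          '-D', cfg['bind_dn'], '-W', '-b', cfg['base'], '-s', 'sub', filter]
  args.insert(2, '-ZZ') if cfg['method'] == 'tls'
  args
end

if __FILE__ == $PROGRAM_NAME
  puts 'BROKEN_YAML does not parse: reconfigure would fail' if load_ldap_servers(BROKEN_YAML).nil?
  load_ldap_servers(GOOD_YAML).each do |id, cfg|
    check_provider(id, cfg).each { |problem| puts "WARN #{problem}" }
    puts Shellwords.join(ldapsearch_args(cfg))
  end
end
```

Run it with ruby ldap_preflight.rb (any file name works) and every WARN line maps to one of the error messages above. The DN check is deliberately simple: it rejects empty components, missing '=' and trailing commas but does not understand RFC 4514 escapes such as \, inside a value, so treat a rejected DN as something to look at rather than as a guaranteed error.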

Testing LDAP sync (GitLab 8.10 and later)

  1. Launch the rails console
     gitlab-rails console
  2. Set the logger to debug level (0) so the sync output is printed in the console
     Rails.logger.level = 0
  3. Perform a group sync
  4. Perform a user sync
  5. Check the console for the sync output

Forcing an immediate sync by removing the exclusive lease (GitLab 8.6 to 8.9)

This forces an instant LDAP group sync for testing purposes. The exclusive lease exists to stop two syncs running at the same time, so treat this as a lab-only procedure.

  1. Edit any LDAP settings required
  2. Edit /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb (for example with vi)
  3. Comment out the exclusive lease section (the line numbers differ between releases)
  4. Run sudo gitlab-ctl reconfigure. This will restart GitLab
  5. Launch the GitLab rails console
     gitlab-rails console
  6. Execute
     Gitlab::LDAP::GroupSync.execute
  7. LDAP sync will now run
  8. Revert the changes to /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb when finished. The file is part of the Omnibus package, so an upgrade would overwrite the edit in any case

Additional testing

  1. Start the rails console
     sudo gitlab-rails console
  2. Create a new adapter instance for the provider (ldapmain is the provider ID main with the ldap prefix)
     adapter = Gitlab::LDAP::Adapter.new('ldapmain')
  3. Find a group by common name. Replace UsersLDAPGroup with the common name to search.
     GitLab 8.11 and later:
       group = EE::Gitlab::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter)
     GitLab earlier than 8.10:
       group = Gitlab::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter)
  4. Check the member DNs the sync resolves for the group. If no group is returned in step 3, the CN was not found under group_base
     group.member_dns