我正在尝试使用
GitLab设置LDAP身份验证(在VM上运行Ubuntu 14.04 amd64上的版本7.12.2,Omnibus设置).我编辑了我的gitlab.rb文件,如下所示:
gitlab_rails['ldap_enabled'] = true gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below main: # 'main' is the GitLab 'provider ID' of this LDAP server label: 'LDAP' host: '********' port: 389 uid: 'sAMAccountName' method: 'plain' # "tls" or "ssl" or "plain" bind_dn: 'CN=********,OU=********,DC=********,DC=***' password: '********' active_directory: true allow_username_or_email_login: false block_auto_created_users: false base: 'DC=********,DC=***' user_filter: '' EOS
这导致可怕的“无法从Ldapmain授权您,因为”凭据无效“.”错误.我试过用户名(在bind_dn变量中):“johnsmith@example.com”(基于用户名的电子邮件),“John Smith”(全名)和“johnsmith”(用户名).结果总是一样的.我的密码中有一个@ -sign.我不确定我是否需要逃避它,或者如何逃避它.
日志显示:
Started POST "/users/auth/ldapmain/callback" for 127.0.0.1 at 2015-07-22 17:15:01 -0400 Processing by OmniauthCallbacksController#failure as HTML Parameters: {"utf8"=>"✓","authenticity_token"=>"[FILTERED]","username"=>"********","password"=>"[FILTERED]"} Redirected to http://192.168.56.102/users/sign_in Completed 302 Found in 14ms (ActiveRecord: 3.6ms) Started GET "/users/sign_in" for 127.0.0.1 at 2015-07-22 17:15:01 -0400 Processing by SessionsController#new as HTML Completed 200 OK in 20ms (Views: 8.3ms | ActiveRecord: 2.9ms)
和gitlab-rake gitlab:ldap:check显示:
Checking LDAP ... LDAP users with access to your GitLab server (only showing the first 100 results) Server: ldapmain Checking LDAP ... Finished
但是,当我从Ubuntu VM使用ldapsearch(所以相同的环境)时,我得到了一堆结果:
ldapsearch -x -h ******** -D "********@********.***" -W -b "OU=********,DC=***" -s sub "(cn=*)" cn mail sn dn
奇怪的是,结果中的DN看起来像这样:
dn: CN=John Smith,DC=***
也就是说,那里有一个额外的OU.我也看到ldapsearch命令有-s sub,我相信这意味着搜索子组.我不熟悉LDAP或Active Directory的细节.
所以我相信我错过了我的基础,但我不确定是什么.它也可能是用户过滤器的问题.我已经完成了必要的谷歌搜索,这让我走得很远,但现在我已经没有想法和解决方案了.
经过多次尝试,我能够解决这个问题.几点说明:
>确保除第一行之外的所有行都有一个缩进空格.第一行是“main:”,并且根本没有缩进.
> bind_dn不是绑定用户的完整LDAP路径,而只是用户名.就我而言,它是“xxx@example.com”.
>基础需要是Active Directory组或DN或包含所有用户的任何调用.
这是最终的YAML:
main: # 'main' is the GitLab 'provider ID' of this LDAP server label: 'Active Directory' host: 'ad-server.example.com' port: 389 uid: 'sAMAccountName' method: 'plain' # "tls" or "ssl" or "plain" bind_dn: 'user@example.com' password: 'password' active_directory: true allow_username_or_email_login: false block_auto_created_users: false base: 'OU=ABC,OU=XYZ,DC=example,DC=com' user_filter: ''