
Tooling: Gitlab LDAP email attribute not assigning an email to users on first login with LDAP preventing Web UI use about enablement-framework HOT 1 CLOSED

hfenner commented on August 19, 2024

from enablement-framework.

Comments (1)

hfenner commented on August 19, 2024

TL;DR: Use 'cn=accounts,dc=testdomain,dc=com' rather than 'dc=testdomain,dc=com', as the latter causes GitLab to not return information.

This appears to be a GitLab issue around not handling RFC2307 schema responses well (h/t @tylerauerbeck). https://stackoverflow.com/questions/28302774/gitlabs-ldap-login-against-freeipa-server-stuck-in-a-set-email-loop

It appears that FreeIPA systems return two LDAP schemas, and GitLab does not necessarily select the same schema to follow as another LDAP client such as ldapsearch.

It's not entirely clear how GitLab handles this, as troubleshooting with just the base domain suffix seems to return no values whatsoever, but prepending the cn=accounts returns values. If attributes are not being populated, it's worth checking via the gitlab-rails console to ensure that GitLab is finding the values you expect to be found.

You can copy and paste most of these commands (modify the oc rsh to reflect the actual running pod) to check. Wait for the gitlab-rails console to return the irb prompt before starting, as you may get unexpected interactions otherwise. This can take several seconds.

#Remote shell into pod (make sure you're in the pod namespace and select the actual pod, the below pod is specific to this demo)
oc rsh gitlab-ce-1-rsfkq

#Launch Gitlab console
gitlab-rails console

#Bind to LDAP source (change 'ldapmain' if you have multiple LDAP sources)
adapter = Gitlab::Auth::Ldap::Adapter.new('ldapmain')

#Set your search criteria (this search criteria is wildcard and will return everything! You can constrain it by targeting a specific UID)
options = {
    # :base is required
    # use .base or .group_base
    base: adapter.config.base,

    # :filter is optional
    # 'cn' looks for all "cn"s under :base
    # '*' is the search string - here, it's a wildcard
    filter: Net::LDAP::Filter.eq('cn', '*'),

    # :attributes is optional
    # the attributes we want to get returned
    attributes: %w(dn cn mail memberuid member submember uniquemember memberof)
}

#Run the search
adapter.ldap_search(options)
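
The effect of narrowing the search base, as an added example that is not part of the original comment or of GitLab's code. It assumes FreeIPA's default layout, where native accounts live under cn=accounts and an RFC2307 copy of each user (without `mail`) lives under cn=compat; the entries, user names and helper names (`under_base?`, `search`, `audit`) are constructed for illustration.

```ruby
# Constructed sample entries (not from the issue), modeled on FreeIPA's default
# layout: native accounts under cn=accounts, RFC2307 copies under cn=compat.
ENTRIES = [
  { dn: 'uid=jdoe,cn=users,cn=accounts,dc=testdomain,dc=com',
    uid: 'jdoe', cn: 'John Doe', mail: 'jdoe@testdomain.com' },
  { dn: 'uid=jdoe,cn=users,cn=compat,dc=testdomain,dc=com',
    uid: 'jdoe', cn: 'John Doe' },                 # RFC2307 view: no mail
  { dn: 'uid=asmith,cn=users,cn=accounts,dc=testdomain,dc=com',
    uid: 'asmith', cn: 'Alice Smith' }             # mail missing at the source
].freeze

# Split a DN into normalized RDNs (simplified: assumes no escaped commas).
def rdns(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }
end

# True when dn lies at or below base (LDAP subtree scope).
def under_base?(dn, base)
  d = rdns(dn)
  b = rdns(base)
  d.length >= b.length && d.last(b.length) == b
end

# Entries a subtree search starting at base would see.
def search(entries, base)
  entries.select { |e| under_base?(e[:dn], base) }
end

# Per uid: how many entries match, and which matching DNs carry no mail.
def audit(entries, base)
  search(entries, base).group_by { |e| e[:uid] }.map do |uid, hits|
    missing = hits.reject { |e| e[:mail] }.map { |e| e[:dn] }
    { uid: uid, matches: hits.length, ambiguous: hits.length > 1,
      missing_mail: missing }
  end
end

if __FILE__ == $PROGRAM_NAME
  ['dc=testdomain,dc=com', 'cn=accounts,dc=testdomain,dc=com'].each do |base|
    puts "base: #{base}"
    audit(ENTRIES, base).each { |row| puts "  #{row}" }
  end
end
```

A uid that is `ambiguous` under the wide base but not under cn=accounts is one where the client's choice of entry decides whether an email address is found; a uid that still lists `missing_mail` under cn=accounts has no `mail` value in the directory itself.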
