GitLab and LDAP against CommuniGate Pro Server

I am currently trying to get our GitLab to authenticate against the LDAP served by a CommuniGate Pro server. When I test from the command line (e.g. with ldapsearch) I authenticate successfully and retrieve information. But when I try the same from GitLab's web interface I get

Could not authenticate you from Ldapmain because "Invalid credentials".

In the log on the LDAP server I see the following:

11:39:51.061 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as '[email protected]'
11:39:51.061 2 LDAP-000601([xx.xx.xx.99]:37160) ACCOUNT([email protected]) connected(CLRTXT) [xx.xx.xx.99]:37160->[xx.xx.xx.251]:636(tls)
11:39:51.062 4 LDAP-000601([xx.xx.xx.99]:37160) Logged in as <master>. authType=0
11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching(base) ''
11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (objectClass=*)
11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching for (altServer namingContexts supportedCapabilities...)
11:39:51.064 4 LDAP-000601([xx.xx.xx.99]:37160) '' retrieved
11:39:51.064 2 LDAP-000601([xx.xx.xx.99]:37160) search finished
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching(sub) 'cn=domain.bg'
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (uid=f.lastname)
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching for ALL
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) search paging: n=126, cookie=''
11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) 'uid=f.lastname,cn=domain.bg' retrieved
11:39:51.105 2 LDAP-000601([xx.xx.xx.99]:37160) search finished
11:39:51.121 2 LDAP-000601([xx.xx.xx.99]:37160) ACCOUNT([email protected]) disconnected ([xx.xx.xx.99]:37160)
11:39:51.121 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as 'uid=f.lastname,cn=domain.bg'
11:39:51.121 1 LDAP-000601([xx.xx.xx.99]:37160) BIND failed. Error Code=incorrect password or account name
11:39:51.122 3 LDAP-000601([xx.xx.xx.99]:37160) request reading failed. Error Code=TLS connection closed by peer
11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) TLS connection is closing
11:39:51.122 2 TLS-576189 closed by LDAP-000601
11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) closing connection
11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) releasing stream

When I try ldapsearch

ldapsearch -x -LLL -H ldaps://mx01.ldap.net -D '[email protected]' -W -b 'cn=domain.bg' "(uid=f.lastname)"

I can authenticate:

12:15:51.336 4 LDAP-000612([xx.xx.xx.33]:53142) [xx.xx.xx.251]:636 <- [xx.xx.xx.33]:53142 incoming connection(mx01.ldap.net)
12:15:51.383 2 TLS-578274 created(TLSv1.2,AES256_SHA256) for LDAP-000612
12:15:51.441 4 LDAP-000612([xx.xx.xx.33]:53142) TLS-578274(AES256_SHA256) connection accepted for DOMAIN(mx01.ldap.net)
12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) BINDing as '[email protected]'
12:15:51.448 2 LDAP-000612([xx.xx.xx.33]:53142) ACCOUNT([email protected]) connected(CLRTXT) [xx.xx.xx.33]:53142->[xx.xx.xx.251]:636(tls)
12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) Logged in as uid=f.lastname,domain.bg=domain.bg,cn=domain.bg. authType=0
12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching(sub) 'cn=domain.bg'
12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching where (uid=f.lastname)
12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching for ALL
12:15:51.453 4 LDAP-000612([xx.xx.xx.33]:53142) 'uid=f.lastname,cn=domain.bg' retrieved
12:15:51.453 2 LDAP-000612([xx.xx.xx.33]:53142) search finished
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) disconnecting
12:15:51.459 2 LDAP-000612([xx.xx.xx.33]:53142) ACCOUNT([email protected]) disconnected ([xx.xx.xx.33]:53142)
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) TLS connection is closing
12:15:51.459 2 TLS-578274 closed by LDAP-000612
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) closing connection
12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) releasing stream

My configuration is as follows:

main:
  label: 'Domain.Bg LDAP'
  host: 'mx01.ldap.net'
  port: 636
  uid: 'uid'
  method: 'ssl'
  bind_dn: '[email protected]'
  password: 'password'
  active_directory: false
  allow_username_or_email_login: true
  base: 'top'
  user_filter: ''

The check RAILS_ENV=production gitlab-rake -v --trace gitlab:ldap:check also succeeds.

Has anyone run into a similar problem? From what I see in the log, I think the problem is at BINDing as 'uid=f.lastname,cn=domain.bg', which happens after the authentication via postmaster. Is there a way to let users use GitLab after the postmaster authentication (BINDing as '[email protected]')?

Answer 1

In order to bind as uid=f.lastname,cn=domain.bg against CommuniGate, that record must contain the userPassword attribute. The CommuniGate LDAP central directory can be configured to copy the account password into the directory record.

Another option is to enable the LDAP direct-configuration option in CommuniGate: in that case, operations that use a DN pointing at an account record run in the context of the server account rather than in the context of the LDAP directory record.
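As an added example (not part of the question or the answer), the following Python script groups CommuniGate LDAP log lines by session and reports at which stage a GitLab-style login (bind as bind_dn, search for the user, rebind as the user's DN) stopped; the sample log lines, DNs and addresses are constructed, modelled on the excerpt in the question.

```python
import re

# Constructed sample modelled on the log excerpt in the question (names/addresses are made up).
SAMPLE_LOG = """\
11:39:51.061 4 LDAP-000601([10.0.0.99]:37160) BINDing as 'svc-gitlab@example.test'
11:39:51.062 4 LDAP-000601([10.0.0.99]:37160) Logged in as <master>. authType=0
11:39:51.105 4 LDAP-000601([10.0.0.99]:37160) 'uid=f.lastname,cn=example.test' retrieved
11:39:51.121 4 LDAP-000601([10.0.0.99]:37160) BINDing as 'uid=f.lastname,cn=example.test'
11:39:51.121 1 LDAP-000601([10.0.0.99]:37160) BIND failed. Error Code=incorrect password or account name
11:39:51.122 2 TLS-576189 closed by LDAP-000601
12:15:51.448 4 LDAP-000612([10.0.0.33]:53142) BINDing as 'f.lastname@example.test'
12:15:51.448 4 LDAP-000612([10.0.0.33]:53142) Logged in as uid=f.lastname,cn=example.test. authType=0
12:15:51.453 4 LDAP-000612([10.0.0.33]:53142) 'uid=f.lastname,cn=example.test' retrieved
"""

# "<time> <level> LDAP-<id>(<peer>) <message>"; TLS-* lines carry no session id and are skipped.
LINE_RE = re.compile(r"^\S+ \d (LDAP-\d+)\([^)]*\) (.*)$")
BIND_RE = re.compile(r"^BINDing as '(.*)'$")

def parse_sessions(log_text):
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, msg = m.group(1), m.group(2)
        s = sessions.setdefault(sess, {"binds": [], "retrieved": []})
        if (b := BIND_RE.match(msg)):
            s["binds"].append([b.group(1), None])   # outcome filled in by the next bind result line
        elif msg.startswith("Logged in as") and s["binds"]:
            s["binds"][-1][1] = True
        elif msg.startswith("BIND failed") and s["binds"]:
            s["binds"][-1][1] = False
        elif msg.endswith(" retrieved"):
            s["retrieved"].append(msg.split("'")[1])
    return sessions

def classify(session):
    """Which stage of a GitLab-style login (bind as bind_dn, search user, rebind as user DN) failed."""
    binds = session["binds"]
    if not binds:
        return "no_bind"
    if binds[0][1] is not True:
        return "service_bind_failed"      # bind_dn / password in the GitLab config is rejected
    if len(binds) > 1 and binds[-1][1] is False:
        return "user_rebind_failed"       # user DN was found, but the server cannot verify its password
    return "ok"                           # all binds accepted (a lone ldapsearch bind also lands here)

def triage(log_text):
    return {sess: classify(s) for sess, s in parse_sessions(log_text).items()}
```

A "user_rebind_failed" verdict with a successful search is the pattern in the question: the first bind and the search work, so bind_dn and base are fine, and the failure is the user record itself not being bindable.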
