Reputation: 55
I've installed GitLab Community Edition v7.6.2 and am trying to use a FreeIPA server as the LDAP solution for its user management. Basically it looks like it's working fine and I manage to log in with an account provided by my LDAP server. However, when I log in I get stuck on a user edit page. On this page I can't alter the email, but it looks like GitLab is expecting a proper replacement for its auto-generated email.
I've created a user called bob on FreeIPA with the mail address [email protected].
ldapsearch -x -h localhost uid=bob
dn: uid=bob,cn=users,cn=accounts,dc=testdomain,dc=com
displayName: bob bob
cn: bob bob
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: bob
gecos: bob bob
homeDirectory: /home/bob
krbPwdPolicyReference: cn=global_policy,cn=TESTDOMAIN.COM,cn=kerberos,dc=testdomain,dc=com
mail: [email protected]
krbPrincipalName: [email protected]
givenName: bob
uid: bob
initials: bb
ipaUniqueID: d7c3d5bc-abb3-11e4-a1d6-080027079e3d
uidNumber: 497600001
gidNumber: 497600001
krbPasswordExpiration: 20150203144923Z
krbLastPwdChange: 20150203144923Z
krbExtraData:: AALz39BUcm9vdC9hZG1pbkBBTUJBUkkuQVBBQ0hFLk9SRwA=
mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=testdomain,dc=com
And I edited /etc/gitlab/gitlab.rb to talk to my LDAP directory without a bind user:
gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_host'] = 'ldap.testdomain.com'
gitlab_rails['ldap_port'] = 389
gitlab_rails['ldap_uid'] = 'uid'
gitlab_rails['ldap_method'] = 'plain'
gitlab_rails['ldap_allow_username_or_email_login'] = true
gitlab_rails['ldap_base'] = 'dc=testdomain,dc=com'
If I try to log in at this point it kind of works. It accepts the password for bob. However, instead of showing the usual landing page, the Profile settings page is shown with a very ambiguous message.
So I have to change the email address, the only field that is completely unchangeable in this dialog. I assume this is due to GitLab relying on LDAP to provide a mail address. My LDAP does provide this field according to the ldapsearch command; however, GitLab doesn't seem to be able to pick up on this. Every link I follow within this page does a redirect to this page. So essentially I've created a brick.
To be complete, this is in my /var/log/gitlab/gitlab-rails/application.log:
# Logfile created on 2015-02-03 10:53:07 +0000 by logger.rb/44203
February 03, 2015 10:53: User "Administrator" ([email protected]) was created
February 03, 2015 15:22: User "bob bob" ([email protected]) was created
February 03, 2015 15:22: (OAuth) saving user [email protected] from login with extern_uid => uid=bob,cn=users,cn=compat,dc=testdomain,dc=com
Does anyone have any idea how to fix this? Much appreciated!
Upvotes: 2
Views: 2272
Reputation: 882
Change your base DN ('ldap_base' in GitLab speak) to 'cn=accounts,dc=testdomain,dc=com'.
I think GitLab gets confused by the entry returned over the compat tree -- FreeIPA has support for exposing users and groups via the RFC 2307 schema. If you use $SUFFIX ('dc=testdomain,dc=com'), both primary and compat entries would get matched and GitLab will pick the one that is returned first, usually a compat tree entry. The compat entry is for identity mapping for old UNIX clients (nss_ldap, Solaris or alike), so it has only RFC 2307 attributes and no mail attribute.
Also, make sure you are using an authenticated bind. With FreeIPA 4.x preventing information disclosure over anonymous binds for the majority of attributes, 'mail' is one of the attributes that are only accessible to authenticated binds.
Upvotes: 4
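To make the search-base point in the answer concrete, here is a small offline reproduction (added example, not code from the question, the answer, GitLab or FreeIPA). The two directory entries are constructed from the ldapsearch output and the application.log line in the question; the compat entry being returned first and GitLab taking the first hit are assumptions stated in the answer, and the mail value is a placeholder.

```python
# Added example: why a subtree search from the suffix yields the mail-less
# compat entry, and why narrowing ldap_base to cn=accounts fixes it.

def dn_rdns(dn):
    """Split a DN into normalised RDNs (no escaped-comma handling needed here)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_subtree(dn, base):
    """True if dn equals base or lies below it, compared RDN by RDN
    (a plain string suffix test would wrongly match cn=xaccounts,...)."""
    d, b = dn_rdns(dn), dn_rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b

# Constructed directory (assumption: server returns the compat view first).
DIRECTORY = [
    {"dn": "uid=bob,cn=users,cn=compat,dc=testdomain,dc=com",
     "uid": "bob", "cn": "bob bob"},          # RFC 2307 view: no mail attribute
    {"dn": "uid=bob,cn=users,cn=accounts,dc=testdomain,dc=com",
     "uid": "bob", "cn": "bob bob",
     "mail": "bob@testdomain.example"},       # placeholder address
]

def search(base, uid, directory=DIRECTORY):
    """Subtree search for (uid=<uid>) under base, in server return order."""
    return [e for e in directory if in_subtree(e["dn"], base) and e["uid"] == uid]

def resolve_login_mail(base, uid):
    """Mimics GitLab using the first matching entry; returns its mail or None."""
    hits = search(base, uid)
    return hits[0].get("mail") if hits else None

if __name__ == "__main__":
    # Wide base (the question's setting): compat entry wins, no mail -> profile page.
    print(resolve_login_mail("dc=testdomain,dc=com", "bob"))            # None
    # Narrowed base (the answer's fix): only the primary entry matches.
    print(resolve_login_mail("cn=accounts,dc=testdomain,dc=com", "bob"))
```

The same two searches can be checked against a real FreeIPA server with ldapsearch by varying the -b base, using an authenticated bind (-D/-W) so that mail is actually returned.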