Ldap
Gitlab 和 LDAP 針對 CommuniGate Pro 伺服器
我目前正在嘗試讓我們的 GitLab 對 CommuniGate Pro 伺服器提供的 LDAP 進行身份驗證。使用命令行測試(如
ldapsearch
)時,我成功地進行了身份驗證並獲取了資訊。但是當我嘗試從 GitLab 的 Web 界面執行此操作時,我得到了無法從 Ldapmain 對您進行身份驗證,因為“憑據無效”。
從 LDAP 伺服器上的日誌中,我看到以下內容:
11:39:51.061 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as 'postmaster@mx01.ldap.net' 11:39:51.061 2 LDAP-000601([xx.xx.xx.99]:37160) ACCOUNT(postmaster@mx01.ldap.net) connected(CLRTXT) [xx.xx.xx.99]:37160->[xx.xx.xx.251]:636(tls) 11:39:51.062 4 LDAP-000601([xx.xx.xx.99]:37160) Logged in as <master>. authType=0 11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching(base) '' 11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (objectClass=*) 11:39:51.063 4 LDAP-000601([xx.xx.xx.99]:37160) searching for (altServer namingContexts supportedCapabilities...) 11:39:51.064 4 LDAP-000601([xx.xx.xx.99]:37160) '' retrieved 11:39:51.064 2 LDAP-000601([xx.xx.xx.99]:37160) search finished 11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching(sub) 'cn=domain.bg' 11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching where (uid=f.lastname) 11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) searching for ALL 11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) search paging: n=126, cookie='' 11:39:51.105 4 LDAP-000601([xx.xx.xx.99]:37160) 'uid=f.lastname,cn=domain.bg' retrieved 11:39:51.105 2 LDAP-000601([xx.xx.xx.99]:37160) search finished 11:39:51.121 2 LDAP-000601([xx.xx.xx.99]:37160) ACCOUNT(postmaster@mx01.ldap.net) disconnected ([xx.xx.xx.99]:37160) 11:39:51.121 4 LDAP-000601([xx.xx.xx.99]:37160) BINDing as 'uid=f.lastname,cn=domain.bg' 11:39:51.121 1 LDAP-000601([xx.xx.xx.99]:37160) BIND failed. Error Code=incorrect password or account name 11:39:51.122 3 LDAP-000601([xx.xx.xx.99]:37160) request reading failed. Error Code=TLS connection closed by peer 11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) TLS connection is closing 11:39:51.122 2 TLS-576189 closed by LDAP-000601 11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) closing connection 11:39:51.122 4 LDAP-000601([xx.xx.xx.99]:37160) releasing stream
當我嘗試
ldapsearch
:ldapsearch -x -LLL -H ldaps://mx01.ldap.net -D 'mail=f.lastname@domain.bg' -W -b 'cn=domain.bg' "(uid=f.lastname)"
我能夠驗證:
12:15:51.336 4 LDAP-000612([xx.xx.xx.33]:53142) [xx.xx.xx.251]:636 <- [xx.xx.xx.33]:53142 incoming connection(mx01.ldap.net) 12:15:51.383 2 TLS-578274 created(TLSv1.2,AES256_SHA256) for LDAP-000612 12:15:51.441 4 LDAP-000612([xx.xx.xx.33]:53142) TLS-578274(AES256_SHA256) connection accepted for DOMAIN(mx01.ldap.net) 12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) BINDing as 'f.lastname@domain.bg' 12:15:51.448 2 LDAP-000612([xx.xx.xx.33]:53142) ACCOUNT(f.lastname@domain.bg) connected(CLRTXT) [xx.xx.xx.33]:53142->[xx.xx.xx.251]:636(tls) 12:15:51.448 4 LDAP-000612([xx.xx.xx.33]:53142) Logged in as uid=f.lastname,domain.bg=domain.bg,cn=domain.bg. authType=0 12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching(sub) 'cn=domain.bg' 12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching where (uid=f.lastname) 12:15:51.452 4 LDAP-000612([xx.xx.xx.33]:53142) searching for ALL 12:15:51.453 4 LDAP-000612([xx.xx.xx.33]:53142) 'uid=f.lastname,cn=domain.bg' retrieved 12:15:51.453 2 LDAP-000612([xx.xx.xx.33]:53142) search finished 12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) disconnecting 12:15:51.459 2 LDAP-000612([xx.xx.xx.33]:53142) ACCOUNT(f.lastname@domain.bg) disconnected ([xx.xx.xx.33]:53142) 12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) TLS connection is closing 12:15:51.459 2 TLS-578274 closed by LDAP-000612 12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) closing connection 12:15:51.459 4 LDAP-000612([xx.xx.xx.33]:53142) releasing stream
我的配置如下:
main: label: 'Domain.Bg LDAP' host: 'mx01.ldap.net' port: 636 uid: 'uid' method: 'ssl' bind_dn: 'mail=postmaster@mx01.ldap.net' password: 'password' active_directory: false allow_username_or_email_login: true base: 'top' user_filter: ''
RAILS_ENV=production gitlab-rake -v --trace gitlab:ldap:check
檢查也成功。有類似問題的人嗎?從我在日誌中看到的內容來看,我認為問題出在
BINDing as 'uid=f.lastname,cn=domain.bg'
與 postmaster 進行身份驗證後。BINDing as 'f.lastname@domain.bg'
在對 postmaster 進行身份驗證後,有沒有辦法讓 GitLab 為使用者使用?
對於
uid=f.lastname,cn=domain.bg
與 CommuniGate 一起使用的綁定,該記錄應包含該userPassword
屬性。CommuniGate 中的 LDAP 中央目錄可以配置為將帳戶密碼複製到目錄記錄。另一個選項是在 CommuniGate 中啟用 LDAP 直接供應選項:在這種情況下,使用 DN 指向帳戶記錄的操作將在伺服器帳戶上下文中執行,而不是在 LDAP 目錄記錄的上下文中執行。