Hello all,

*We have the following issue.*

We have GitLab working fine; as admin I can create, import and manage projects, repositories, etc. I linked our FreeIPA and it seems to work, inasmuch as users can log in using their LDAP password. However, we hit a problem: the LDAP email is not read by GitLab, and a temp one is assigned.

The first thing I tried was to, as admin, manually update the e-mail field for each user. But at next login, the e-mail and avatar are deleted and the fixed, read-only values are back there. Users cannot WORK while the temporary password is in place, as they are redirected to the complete profile section every time. Either some logic is broken or we have hugely overlooked something in our deployment.

We have followed this for the LDAP section: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/ldap.md

*Configuration:*

This is our /etc/gitlab/gitlab.rb:

    main:
      label: 'LDAP Authentication'
      host: 'host.domain.com'
      port: 389
      uid: 'uid'
      method: 'plain'
      bind_dn: 'cn=ldapbind,cn=groups,cn=accounts,dc=domain,dc=com'
      password: 'XXXXXXXXXX'
      base: 'cn=accounts,dc=domain,dc=com'
      groupbase: 'cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com'
      filter: ''
      allow_username_or_email_login: true
      attributes:
        username: ['uid', 'userid', 'sAMAccountName']
        email: ['email', 'mail', 'userPrincipalName']
        name: 'cn'
        first_name: 'givenname'
        last_name: 'sn'
    EOS

*Things I have tried with this configuration already:*

- Just empty base.
- Just empty group base
- filter instead of base
- No attributes
- mail first instead of email in attributes list
- attributes with no list
- givenName and givenname produce same result in attributes
- We tried with name.surname and name.surn...@domain.com, same results.

The result is always the same: if the combination allows LDAP users to log in (the one above does), they will not get the email field populated and there is the eternal loop where we can never continue.

Just in case it is suggested: no, we will not change IPA for another DS or LDAP solution; it works and integrates very well with many other things. We are actually moving away from SCM manager, where we have this working well.

*The LDAP for the objects is like that:*

    dn: uid=name.surnam,cn=users,cn=accounts,dc=domain,dc=com
    uid: name.surname
    givenname: Name
    sn: Surname
    cn: Name Surname
    initials: NS
    homedirectory: /home/name.surname
    gecos: Name Surname
    loginshell: /bin/bash
    mail: name.surn...@domain.com
    ...
    memberof: cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com
    ...

*What I see in the log:*

login:

    ==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
    I, [2015-10-08T13:29:56.644683 #29472] INFO -- omniauth: (ldapmain) Callback phase initiated.

    ==> /var/log/gitlab/gitlab-rails/production.log <==
    Processing by OmniauthCallbacksController#ldapmain as HTML
    Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.name", "password"=>"[FILTERED]"}
    Redirected to http://gitlab.domain.com/
    Completed 302 Found in 3403ms (ActiveRecord: 607.2ms)

    ==> /var/log/gitlab/nginx/gitlab_access.log <==
    x.x.x.x - - [08/Oct/2015:13:30:05 +0200] "POST /users/auth/ldapmain/callback HTTP/1.1" 302 110 "http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"

    ==> /var/log/gitlab/gitlab-rails/production.log <==
    Started GET "/" for x.x.x.x at 2015-10-08 13:30:06 +0200
    Processing by RootController#index as HTML
    Redirected to http://gitlab.domain.com/profile
    *Filter chain halted as :require_email rendered or redirected*
    Completed 302 Found in 75ms (ActiveRecord: 16.0ms)

    ==> /var/log/gitlab/nginx/gitlab_access.log <==
    x.x.x.x- - [08/Oct/2015:13:30:06 +0200] "GET / HTTP/1.1" 302 117 "http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"

    ==> /var/log/gitlab/gitlab-rails/production.log <==
    Started GET "/profile" for x.x.x.x at 2015-10-08 13:30:06 +0200
    Processing by ProfilesController#show as HTML

__________

After this, no matter if I delete the account and a new login is done, the result is the same. Any additional login results in the same:

    Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "user"=>{"name"=>"Name Surname", "email"=>" *temp-email-for-oauth-name.surname@gitlab.localhost*", "public_email"=>"", "skype"=>"", "linkedin"=>"", "twitter"=>"", "website_url"=>"", "location"=>"", "bio"=>""}}

Any ideas or suggestions? Are we doing anything wrong here?

Many thanks in advance.
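
A check that can be run on the directory's answer for one user, as an added example that is not part of the original post: it parses LDIF (for instance the output of `ldapsearch` when bound as the `bind_dn` account) and reports which fields of the `attributes` mapping above resolve to a value. The sample entries and all function names are constructed for illustration, and the rule that the first listed attribute with a value wins is an assumption about how the mapping is applied.

```python
import base64

# Attribute mapping copied from the gitlab.rb shown in the post.
GITLAB_ATTRIBUTES = {
    "username": ["uid", "userid", "sAMAccountName"],
    "email": ["email", "mail", "userPrincipalName"],
    "name": "cn", "first_name": "givenname", "last_name": "sn",
}

# Constructed sample LDIF (not real data): one user as returned with and without `mail`.
ENTRY_WITH_MAIL = """\
dn: uid=jane.doe,cn=users,cn=accounts,dc=example,dc=com
uid: jane.doe
givenname: Jane
sn: Doe
cn: Jane Doe
mail: jane.doe@example.com
"""
ENTRY_WITHOUT_MAIL = ENTRY_WITH_MAIL.replace("mail: jane.doe@example.com\n", "")

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    entry = {}
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        # LDAP attribute names are case-insensitive, so store them lowercased.
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def resolve_mapping(entry, mapping=GITLAB_ATTRIBUTES):
    """Return {field: (attribute, value) or None}. Assumption: first listed attribute with a value wins."""
    resolved = {}
    for field, candidates in mapping.items():
        names = [candidates] if isinstance(candidates, str) else candidates
        hits = [(a, entry[a.lower()][0]) for a in names if entry.get(a.lower(), [""])[0]]
        resolved[field] = hits[0] if hits else None
    return resolved

def missing_fields(entry, mapping=GITLAB_ATTRIBUTES):
    """Fields for which the entry supplied no usable attribute."""
    return sorted(f for f, hit in resolve_mapping(entry, mapping).items() if hit is None)

if __name__ == "__main__":
    for label, ldif in (("with mail", ENTRY_WITH_MAIL), ("without mail", ENTRY_WITHOUT_MAIL)):
        print(label, "-> missing:", missing_fields(parse_ldif_entry(ldif)))
```

An empty result from `missing_fields` for the LDIF obtained with the bind account means every mapped field, `email` included, had a readable source attribute in that answer.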