Hello again,

Just to reinforce what I see in the log once I edit the user account from an admin account:

Started PATCH "/admin/users/user.name" for 216.113.160.72 at 2015-10-16 19:37:14 +0200
Processing by Admin::UsersController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "user"=>{"name"=>"User Name", "username"=>"user.name", "email"=>" *user.n...@domain.com*", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "projects_limit"=>"10", "can_create_group"=>"1", "admin"=>"0", "skype"=>"", "linkedin"=>"", "twitter"=>"", "website_url"=>""}, "id"=>"user.name"}
Redirected to http://gitlab.domain.com/admin/users/user.name
Completed 302 Found in 355ms (ActiveRecord: 267.4ms)

So, the e-mail edits correctly, but of course, it is a local edit...

When I log in with the user account:

==> /var/log/gitlab/gitlab-rails/production.log <==
Processing by OmniauthCallbacksController#ldapmain as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "username"=>"user.name", "password"=>"[FILTERED]"}

==> /var/log/gitlab/gitlab-rails/application.log <==
October 16, 2015 20:08: (OAuth) saving user *temp-email-for-oauth-user.name@gitlab.localhost from login with extern_uid => uid=user.name,cn=users,cn=accounts,dc=domain,dc=com*

Why, GitLab, WHY?

Any ideas?

Thanks!

On Friday, 16 October 2015 10:33:35 UTC-7, Guillem Liarte wrote:
>
> All,
>
> I have tried the latest gitlab-ce-8.0.5-ce.0.el7, done the update and
> reconfiguration.
>
> Unfortunately I still have the same behavior: the e-mail field is not
> obtained from the account.
>
> I do not see any indication in the logs about what is going wrong here.
> This is preventing us from using gitlab.
>
> Does anybody know if a lower version will work better?
>
> Many thanks in advance...
>
> Guillem
>
> On Thursday, 8 October 2015 04:36:54 UTC-7, Guillem Liarte wrote:
>>
>> Hello all,
>>
>> *We have the following issue.*
>>
>> We have gitlab working fine, as admin I can create, import and manage
>> projects, repositories etc.
>> I linked our FreeIPA and it seems to work, as
>> much as users can log in using their ldap password. However we hit a
>> problem; the LDAP email is not read by GitLab, and a temp one is assigned.
>>
>> First thing I tried was to, as admin, update manually the e-mail field for
>> each user. But at next login, the e-mail and avatar are deleted and the
>> fixed, read-only values are back there. Users cannot WORK while the
>> temporary password is in place, as they are redirected to the complete
>> profile section every time.
>>
>> Either some logic is broken or we have hugely overlooked something in our
>> deployment.
>>
>> We have followed this for the LDAP section:
>> https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/ldap.md
>>
>> *Configuration:*
>>
>> This is our /etc/gitlab/gitlab.rb:
>>
>> main:
>>   label: 'LDAP Authentication'
>>   host: 'host.domain.com'
>>   port: 389
>>   uid: 'uid'
>>   method: 'plain'
>>   bind_dn: 'cn=ldapbind,cn=groups,cn=accounts,dc=domain,dc=com'
>>   password: 'XXXXXXXXXX'
>>
>>   base: 'cn=accounts,dc=domain,dc=com'
>>   groupbase: 'cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com'
>>   filter: ''
>>
>>   allow_username_or_email_login: true
>>
>>   attributes:
>>     username: ['uid', 'userid', 'sAMAccountName']
>>     email: ['email', 'mail', 'userPrincipalName']
>>     name: 'cn'
>>     first_name: 'givenname'
>>     last_name: 'sn'
>> EOS
>>
>> *Things I have tried with this configuration already:*
>>
>> - Just empty base.
>> - Just empty group base
>> - filter instead of base
>> - No attributes
>> - mail first instead of email in attributes list
>> - attributes with no list
>> - givenName and givenname produce same result in attributes
>> - We tried with name.surname and name.s...@domain.com, same results.
>>
>> The result is always the same, if the combination allows LDAP users to
>> log in (the one above does) they will not get the email field populated and
>> there is the eternal loop where we can never continue.
>>
>> Just in case it is suggested, no, we will not change IPA for another DS
>> or LDAP solution, it works and integrates very well with many other things.
>> We are actually moving away from SCM manager, where we have this working
>> well.
>>
>> *The LDAP for the objects is like that:*
>>
>> dn: uid=name.surnam,cn=users,cn=accounts,dc=domain,dc=com
>> uid: name.surname
>> givenname: Name
>> sn: Surname
>> cn: Name Surname
>> initials: NS
>> homedirectory: /home/name.surname
>> gecos: Name Surname
>> loginshell: /bin/bash
>> mail: name.s...@domain.com
>>
>> ...
>>
>> memberof: cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com
>>
>> ...
>>
>> *What I see in the log:*
>>
>> login:
>>
>> ==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
>> I, [2015-10-08T13:29:56.644683 #29472] INFO -- omniauth: (ldapmain)
>> Callback phase initiated.
>>
>> ==> /var/log/gitlab/gitlab-rails/production.log <==
>> Processing by OmniauthCallbacksController#ldapmain as HTML
>> Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]",
>> "username"=>"user.name", "password"=>"[FILTERED]"}
>> Redirected to http://gitlab.domain.com/
>> Completed 302 Found in 3403ms (ActiveRecord: 607.2ms)
>>
>> ==> /var/log/gitlab/nginx/gitlab_access.log <==
>> x.x.x.x - - [08/Oct/2015:13:30:05 +0200] "POST
>> /users/auth/ldapmain/callback HTTP/1.1" 302 110 "
>> http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel
>> Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"
>>
>> ==> /var/log/gitlab/gitlab-rails/production.log <==
>> Started GET "/" for x.x.x.x at 2015-10-08 13:30:06 +0200
>> Processing by RootController#index as HTML
>> Redirected to http://gitlab.domain.com/profile
>> *Filter chain halted as :require_email rendered or redirected*
>> Completed 302 Found in 75ms (ActiveRecord: 16.0ms)
>>
>> ==> /var/log/gitlab/nginx/gitlab_access.log <==
>> x.x.x.x- - [08/Oct/2015:13:30:06 +0200] "GET / HTTP/1.1" 302 117 "
>> http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel
>> Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"
>>
>> ==> /var/log/gitlab/gitlab-rails/production.log <==
>> Started GET "/profile" for x.x.x.x at 2015-10-08 13:30:06 +0200
>> Processing by ProfilesController#show as HTML
>>
>> __________
>>
>> After this, no matter if I delete the account and a new login is
>> done, the result is the same. Any additional login results in the same:
>>
>> Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]",
>> "user"=>{"name"=>"Name Surname", "email"=>"
>> *temp-email-for-oauth-name.surname@gitlab.localhost*",
>> "public_email"=>"", "skype"=>"", "linkedin"=>"", "twitter"=>"",
>> "website_url"=>"", "location"=>"", "bio"=>""}}
>>
>> Any ideas or suggestions? Are we doing anything wrong here?
>>
>> Many thanks in advance.