The issue persists in version 8.1.2

On Thursday, 8 October 2015 13:36:54 UTC+2, Guillem Liarte wrote:
>
> Hello all,
>
> *We have the following issue.*
>
> We have gitlab working fine, as admin I can create, import and manage 
> projects, repositories etc. I linked our FreeIPA and it seems to work, as 
> much as users can log in using their ldap password. However we hit a 
> problem; the LDAP email is not read by GitLab, and a temp one is assigned.
>
> First thing I tried was to, as admin, update manually the e-mail field for 
> each user. But at next login, the e-mail and avatar are deleted and the 
> fixed, read-only values are back there. Users cannot WORK while the 
> temporary password is in place, as they are redirected to the complete 
> profile section every time.
>
> Either some logic is broken or we have hugely overlooked something in our 
> deployment.
>
> We have followed this for the LDAP section:  
> https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/ldap.md
>
> *Configuration:*
>
>
> This is our /etc/gitlab/gitlab.rb:
>
> main:
>   label:  'LDAP Authentication'
>   host:   'host.domain.com'
>   port:   389
>   uid:    'uid'
>   method: 'plain'
>   bind_dn: 'cn=ldapbind,cn=groups,cn=accounts,dc=domain,dc=com'
>   password: 'XXXXXXXXXX'
>
>   base:      'cn=accounts,dc=domain,dc=com'
>   groupbase: 'cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com'
>   filter: ''
>   
>   allow_username_or_email_login: true
>
>   attributes:
>     username: ['uid', 'userid', 'sAMAccountName']
>     email:    ['email', 'mail', 'userPrincipalName']
>     name:       'cn'
>     first_name: 'givenname'
>     last_name:  'sn'
> EOS
>
> *Things I have tried with this configuration already:*
>
>
>    - Just empty base.
>    - Just empty group base
>    - filter instead of base 
>    - No attributes
>    - mail first instead of email in attributes list
>    - attributes with no list
>    - givenName and givenname produce same result in attributes
>    - We tried with name.surname and name.s...@domain.com, 
>    same results. 
>
>
> The result is always the same, if the combination allows LDAP users to log 
> in (the one above does) they will not get the email field populated and 
> there is the eternal loop where we can never continue.
>
>
> Just in case it is suggested, no, we will not change IPA for another DS or 
> LDAP solution, it works and integrates very well with many other things. We 
> are actually moving away from SCM manager, where we have this working well.
>
>
> *The LDAP for the objects is like that:*
>
>
>   dn: uid=name.surnam,cn=users,cn=accounts,dc=domain,dc=com
>   uid: name.surname
>   givenname: Name
>   sn: Surname
>   cn: Name Surname
>   initials: NS
>   homedirectory: /home/name.surname
>   gecos: Name Surname
>   loginshell: /bin/bash
>   mail: name.s...@domain.com
>
> ...
>
>   memberof: cn=git-users,cn=groups,cn=accounts,dc=domain,dc=com
>
> ...
>
>
>
> *What I see in the log:*
>
>
> login:
>
>
> ==> /var/log/gitlab/unicorn/unicorn_stdout.log <==
> I, [2015-10-08T13:29:56.644683 #29472]  INFO -- omniauth: (ldapmain) 
> Callback phase initiated.
>
> ==> /var/log/gitlab/gitlab-rails/production.log <==
> Processing by OmniauthCallbacksController#ldapmain as HTML
>   Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", 
> "username"=>"user.name", "password"=>"[FILTERED]"}
> Redirected to http://gitlab.domain.com/
> Completed 302 Found in 3403ms (ActiveRecord: 607.2ms)
>
> ==> /var/log/gitlab/nginx/gitlab_access.log <==
> x.x.x.x - - [08/Oct/2015:13:30:05 +0200] "POST 
> /users/auth/ldapmain/callback HTTP/1.1" 302 110 "
> http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel 
> Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"
>
> ==> /var/log/gitlab/gitlab-rails/production.log <==
> Started GET "/" for x.x.x.x at 2015-10-08 13:30:06 +0200
> Processing by RootController#index as HTML
> Redirected to http://gitlab.domain.com/profile
> *Filter chain halted as :require_email rendered or redirected*
> Completed 302 Found in 75ms (ActiveRecord: 16.0ms)
>
> ==> /var/log/gitlab/nginx/gitlab_access.log <==
> x.x.x.x- - [08/Oct/2015:13:30:06 +0200] "GET / HTTP/1.1" 302 117 "
> http://gitlab.domain.com/users/sign_in" "Mozilla/5.0 (Macintosh; Intel 
> Mac OS X 10.10; rv:41.0) Gecko/20100101 Firefox/41.0"
>
> ==> /var/log/gitlab/gitlab-rails/production.log <==
> Started GET "/profile" for x.x.x.x at 2015-10-08 13:30:06 +0200
> Processing by ProfilesController#show as HTML
>
>
> __________
>
>
> After this, no matter if I delete the account and a new login is 
> done, the result is the same. Any additional login results in the same:
>
>
>   Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", 
> "user"=>{"name"=>"Name Surname", "email"=>"
> *temp-email-for-oauth-name.surname@gitlab.localhost*", 
> "public_email"=>"", "skype"=>"", "linkedin"=>"", "twitter"=>"", 
> "website_url"=>"", "location"=>"", "bio"=>""}}
>
>
> Any ideas or suggestions? Are we doing anything wrong here?
>
>
> Many thanks in advance.
>
>
>
>
>
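
An added example, not part of the thread and not GitLab's code: it applies the `attributes` mapping from the quoted configuration to an LDIF entry, such as one saved from a search made with the `bind_dn` credentials, and lists the GitLab fields for which no source attribute is present. It assumes the first candidate attribute present in the entry wins; the entries and their `example.com` values are constructed.

```ruby
# Added example, not GitLab's code. Assumption: for each GitLab field, the
# first candidate attribute present in the entry supplies the value.

# Mapping copied from the `attributes:` section of the quoted gitlab.rb.
ATTRIBUTES = {
  'username'   => ['uid', 'userid', 'sAMAccountName'],
  'email'      => ['email', 'mail', 'userPrincipalName'],
  'name'       => 'cn',
  'first_name' => 'givenname',
  'last_name'  => 'sn'
}.freeze

# Constructed entry (example.com values), shaped like the one in the post.
FULL_ENTRY = <<~LDIF
  dn: uid=jane.doe,cn=users,cn=accounts,dc=example,dc=com
  uid: jane.doe
  givenName: Jane
  sn: Doe
  cn: Jane Doe
  mail: jane.doe@example.com
LDIF
# Constructed: the same entry as returned to an account that cannot read `mail`.
PARTIAL_ENTRY = FULL_ENTRY.lines.reject { |l| l.start_with?('mail:') }.join

# Parse one plain-text LDIF entry into { downcased attribute => [values] }.
# LDAP attribute names are case-insensitive, hence the downcase.
def parse_ldif_entry(text)
  text.each_line.with_object(Hash.new { |h, k| h[k] = [] }) do |line, entry|
    name, value = line.strip.split(/:\s*/, 2)
    entry[name.downcase] << value unless value.nil? || value.empty?
  end
end

# Map each GitLab field to [attribute_used, value]; [nil, nil] if none present.
def resolve_fields(entry, mapping = ATTRIBUTES)
  mapping.each_with_object({}) do |(field, candidates), out|
    hit = Array(candidates).find { |a| entry.key?(a.downcase) }
    out[field] = hit ? [hit, entry[hit.downcase].first] : [nil, nil]
  end
end

# Fields for which the entry offers no source attribute.
def unresolved_fields(entry, mapping = ATTRIBUTES)
  resolve_fields(entry, mapping).select { |_field, pair| pair.first.nil? }.keys
end

p unresolved_fields(parse_ldif_entry(PARTIAL_ENTRY))
```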
