我正在尝试使用gitlab配置LDAP身份验证.我的配置有点像:
ldap:
enabled: true
host: 'ldap.example.com'
base: 'ou=People,o=example.com'
port: 636
uid: 'uid'
method: 'ssl' # "ssl" or "plain"
bind_dn: 'cn=gitlab,ou=Apps,o=example.com'
password: 'password'
allow_username_or_email_login: true
我测试了以下内容:
ldapsearch -b "ou=People,o=example.com" -s sub -D "cn=gitlab,ou=Apps,o=example.com" -H ldaps://ldap.example.com:636 -w "password" -x "(uid=myname@example.com)"
上面的行有效,但是当我尝试使用LDAP登录时,我总是得到"无效的凭据".
我该如何解决这个问题并缩小这个问题的根本原因?
编辑26/09:
以下是我在production.log上找到的一些内容:
Started GET "/users/sign_in" for 127.0.0.1 at 2013-09-23 17:42:58 -0300
Processing by Devise::SessionsController#new as HTML
Rendered devise/sessions/_new_ldap.html.haml (1.7ms)
Rendered devise/sessions/_new_base.html.haml (1.8ms)
Rendered devise/sessions/_oauth_providers.html.haml (0.0ms)
Rendered devise/sessions/new.html.haml within layouts/devise (4.2ms)
Rendered layouts/_head.html.haml (1.6ms)
Rendered layouts/_flash.html.haml (0.1ms)
Completed 200 OK in 9ms (Views: 6.9ms | ActiveRecord: 0.0ms)
Started POST "/users/auth/ldap/callback" for 127.0.0.1 at 2013-09-23 17:43:00 -0300
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"â", "authenticity_token"=>"AwqZsVHRqOeZr+GLWWeGM7MyOAdk7cFl8/rZgbVRU+8=", "username"=>"name@example.com", "password"=>"[FILTERED]"}
Redirected to http://example.com/users/sign_in
Completed 302 Found in 3ms (ActiveRecord: 0.0ms)
Started GET "/users/sign_in" for 127.0.0.1 at 2013-09-23 17:43:00 -0300
Processing by Devise::SessionsController#new as HTML
Rendered devise/sessions/_new_base.html.haml (2.8ms)
Rendered devise/sessions/_oauth_providers.html.haml (0.1ms)
Rendered devise/sessions/new.html.haml within layouts/devise (3.7ms)
Rendered layouts/_head.html.haml (1.7ms)
Rendered layouts/_flash.html.haml (0.1ms)
Completed 200 OK in 9ms (Views: 6.6ms | ActiveRecord: 0.0ms)
Started GET "/" for 127.0.0.1 at 2013-09-23 18:50:08 -0300
Processing by DashboardController#show as HTML
Completed 401 Unauthorized in 1ms
编辑:我终于得到了答案:设计上的配置在"@"之后剥离了每一个.我不记得确切的名字,但我可以在我访问机器后立即发布.我通过向ldap oauth登录添加日志来发现这一点.
该OP kidbomb 提到:
设计上的配置正在剥离"
@" 之后的所有内容.
我通过向ldap oauth登录添加日志来发现这一点.
检查LDAP服务器是否也可通过ldap(不ldaps://)访问
ldapsearch -b "ou=People,o=example.com" -s sub -D "cn=gitlab,ou=Apps,o=example.com" -H ldap://ldap.example.com:389 -w "password" -x "(uid=myname@example.com)"
如果是,请尝试将gitlab.yml设置文件ldap.method从"ssl" 修改为" plain".
目标是验证用于联系ldap服务器的证书是否是此处的问题.
如果您可以通过ldap://(无证书)联系服务器,那么至少可以为您提供一种解决方法.
如果不是(您必须通过ldaps://),则需要更详细地研究与LDAP服务器关联的证书.
openssl s_client -connect ldap.example.com:636 2>/dev/null < /dev/null
(我没有使用-CAFile或-CAPath在这里,假设CA处于其中提到的默认位置/etc/ssl/openssl.cnf)
如果你在该命令的输出结尾处得到消息:
error:num=21:unable to verify the first certificate
这意味着您需要从发卡行获取证书.
请参阅" 如何从Shell提示符验证SSL证书 ".
| 归档时间: |
|
| 查看次数: |
20052 次 |
| 最近记录: |