Uberleet

Linux Systems Articles for better insights

Discovered major Issues with Gitlab LDAP Functionality


It seems like Gitlab has a pretty critical bug regarding LDAP accounts. The issue is brought up with Gitlab lots, but the issues seem to sit idle for now. It is impossible to start your organization on Gitlab with local users, and then switch to LDAP when your company matures. It is also impossible to rebuild your LDAP/FreeIPA/ActiveDirectory instance and use the same accounts ever again through gitlab.

It looks like the Gitlab DB schema leaves behind artifacts from an existing user and makes it impossible for a new LDAP entry to map in by some sort of race condition.

This bug impacts gitlab-ce-10.3.3-ce.0.el7.x86_64 omnibus installation.

Steps to reproduce

  • Create user jon with email test@example.com
  • Setup a FreeIPA 4.5.0 LDAP with the same username and password.
  • Rename jon to jonold in gitlab CE admin and change his e-mail address to fixme@example.com

Try to login as 'jon' using LDAP and you will get

Could not authenticate you from Ldapmain because "Undefined method `provider' for nil:nilclass".

You can even check the users table to make sure local account has no conflicts with your LDAP user.

select * from users where id = '2'x\g\x
-[ RECORD 2 ]--------------------------------+-------------------------------------------------------------
username                                     | jonold
id                                           | 2
email                                        | fixme@example.com
encrypted_password                           | xxxx
reset_password_token                         | 
reset_password_sent_at                       | 
remember_created_at                          | 
sign_in_count                                | 8
current_sign_in_at                           | 2018-01-26 22:12:33.258934
last_sign_in_at                              | 2018-01-26 18:02:28.898503
current_sign_in_ip                           | 71.40.108.253
last_sign_in_ip                              | 71.40.108.253
created_at                                   | 2018-01-10 22:14:20.374668
updated_at                                   | 2018-01-26 22:13:41.275444
name                                         | Administrator
admin                                        | t
projects_limit                               | 100000
notification_email                           | fixme@example.com

However, try to log in as your fresh new LDAP user and you will get these error messages on the Web UI:

/var/log/gitlab/gitlab-rails/application.log will quickly tell you: January 26, 2018 16:27: (LDAP) Error saving user uid=jon.k,cn=users,cn=accounts,dc=gvoperations,dc=com (jon.k@gvocom.com): ["Email has already been taken"]

What to do about it?

I'm still researching a solution, but it seems like Gitlab just has poor support until some code changes are done. There are no tools in their framework, and it's likely an E-Mail in some table somewhere which needs to be fixed.

There are these Gitlab bug reports which are 2+ year old about the issue:

  • https://gitlab.com/gitlab-org/gitlab-ce/issues/3134
  • https://forum.gitlab.com/t/could-not-authenticate-you-from-ldapmain-because-undefined-method-provider-for-nil-nilclass/2583
  • https://gitlab.com/gitlab-org/gitlab-ce/issues/1660

Solutions?

I'm going to try to get some time this weekend to look at the Ruby code and might have a patch available to work around this issue.