Gitlab: LDAP “Invalid credentials”, but credentials are right

庸人自扰 2020-12-21 08:39

The following ldapsearch command works flawlessly.

ldapsearch -LLL -s sub -P 3 -D \"CN=,OU=IT,OU=Non-Users,OU=Users,OU=UserAccount,DC=,DC=com\" -H l

3 Answers
  • 2020-12-21 08:39

    We had a similar issue, though our settings were all correct, as we were getting the user search results by setting up a similar LDAP configuration on different tools like Jenkins, SonarQube, etc.

    We resolved the issue by setting the value of DefaultForceNoPage to true in the ldap.rb file located at (the path may vary for different versions of GitLab):

    /opt/gitlab/embedded/lib/ruby/gems/2.3.0/gems/net-ldap-0.16.0/lib/net/ldap.rb
                                                                          ^^^^^^^
    

    which is false by default. So, once you have set the value to true, restart the GitLab server using:

    gitlab-ctl reconfigure
    

    You can also check if you are getting the results of the users of your organization by:

    gitlab-rake gitlab:ldap:check
    

    Note: For the most common issues users face while logging into the application using their mail IDs, you should put:

    uid: 'mail'
    
  • 2020-12-21 08:43

    Here are my working AD settings for LDAP.

    #########################################
    ldap:  
        enabled: true  
        host: '16.184.18.88'  
        port: 636  
        uid: 'sAMAccountName'   #userPrincipalName  
        method: 'ssl' # "tls" or "ssl" or "plain"  
        bind_dn: 'CN=Gitlab Git,CN=Users,DC=mydomain,DC=net'  
        password: 'My_Password'  
        allow_username_or_email_login: false  
        base: 'CN=Users,DC=mydomain,DC=net'  
        user_filter: '(memberOf=CN=Developers,OU=GitLabHQ,DC=mydomain,DC=net)'  
        group_base: 'OU=GitLabHQ,DC=mydomain,DC=net'  
        admin_group: GitLabAdmins
    ########################################
    
  • 2020-12-21 09:04

    I too got the "invalid credentials" error while trying to configure LDAP in GitLab. The error is absolutely due to the format of the LDAP query, and the GitLab application looks for a specific format to bind the user to AD.

    Here is my working configuration:

    gitlab_rails['ldap_enabled'] = true
    gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
    main: # 'main' is the GitLab 'provider ID' of this LDAP server
      label: 'LDAP'
      host: '<LDAP hostname>'
      port: 389
      uid: 'sAMAccountName'
      method: 'plain' # "tls" or "ssl" or "plain"
    
      bind_dn: 'CN=<user name>,OU=<ou1>,OU=<ou2>,...,DC=example,DC=com'
      password: 'My_Password'
      active_directory: true
      allow_username_or_email_login: true
      block_auto_created_users: false
      base: 'DC=example,DC=com'
    EOS
    

    If you are not sure of the bind_dn, use an AD query tool that provides you the complete bind DN of the user.

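An added example, not part of any answer above and not GitLab's own code: a small Ruby lint for an `ldap_servers`-style entry using the keys shown in the answers. It flags a `bind_dn` or `base` that is not in DN form or has empty or placeholder components (following the last answer's advice to use the complete bind DN), and the `plain` method, which sends the bind password unencrypted; the sample entry, host name and function names are constructed for illustration.

```ruby
require 'yaml'

# Constructed sample: one server entry shaped like the configs in the answers,
# with an empty CN value like the bind DN in the question's ldapsearch command.
SAMPLE = <<~YAML
  main:
    host: 'ldap.example.com'
    port: 389
    uid: 'sAMAccountName'
    method: 'plain'
    bind_dn: 'CN=,OU=IT,DC=example,DC=com'
    password: 'My_Password'
    base: 'DC=example,DC=com'
YAML

# Split a DN on commas that are not backslash-escaped; return [attr, value] pairs.
def dn_parts(dn)
  dn.to_s.split(/(?<!\\),/).map { |rdn| rdn.strip.split('=', 2) }
end

# Return a list of findings for one server entry (hash with string keys).
def lint_ldap_server(cfg)
  findings = []
  %w[bind_dn base].each do |key|
    parts = dn_parts(cfg[key])
    if parts.empty? || parts.any? { |rdn| rdn.length != 2 || rdn[0].empty? }
      findings << "#{key}: not in DN form (attr=value,attr=value,...)"
    elsif parts.any? { |_, v| v.strip.empty? || v =~ /\A<.*>\z/ }
      findings << "#{key}: empty or placeholder component"
    end
  end
  mode = cfg['method'].to_s
  port = cfg['port'].to_i
  findings << 'method plain: bind password crosses the network unencrypted' if mode == 'plain'
  findings << 'port 636 is LDAPS and expects method ssl' if port == 636 && mode != 'ssl'
  findings << 'method ssl is normally served on port 636, not 389' if mode == 'ssl' && port == 389
  findings << 'uid: attribute name missing' if cfg['uid'].to_s.empty?
  findings
end

# Lint every server in a YAML block; returns { provider_id => [findings] }.
def lint_ldap_servers(yaml_text)
  YAML.safe_load(yaml_text).to_h { |id, cfg| [id, lint_ldap_server(cfg)] }
end

if __FILE__ == $PROGRAM_NAME
  lint_ldap_servers(SAMPLE).each { |id, f| puts "#{id}:", f.map { |l| "  - #{l}" } }
end
```

A clean result only means the entry is well-formed; `gitlab-rake gitlab:ldap:check` from the first answer is still what confirms the bind actually succeeds.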