--- layout: handbook-page-toc title: Debugging LDAP category: Self-managed --- ## On this page {:.no_toc .hidden-md .hidden-lg} - TOC {:toc .hidden-md .hidden-lg} ##### Notes: This assumes an omnibus installation. ______________ See LDAP troubleshooting in docs - [View Docs](http://docs.gitlab.com/ee/administration/auth/ldap.html#troubleshooting) **Testing the LDAP server** 1. Install `ldapsearch` ```bash # Ubuntu apt-get install ldap-utils # CentOS yum install openldap-clients ``` 2. Check LDAP settings Edit the following values to match the LDAP configuration in `gitlab.rb` **Example LDAP configuration** ```bash # cat /etc/gitlab/gitlab.rb | grep -A 24 ldap_servers gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below main: # 'main' is the GitLab 'provider ID' of this LDAP server label: 'LDAP' host: '127.0.0.1' port: 389 uid: 'uid' method: 'plain' # "tls" or "ssl" or "plain" bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me' password: 'Password1' active_directory: true allow_username_or_email_login: false block_auto_created_users: false base: 'dc=ldap-testing,dc=mrchris,dc=me' user_filter: '' attributes: username: ['uid', 'userid', 'sAMAccountName'] email: ['mail', 'email', 'userPrincipalName'] name: 'cn' first_name: 'givenName' last_name: 'sn' group_base: 'ou=groups,dc=ldap-testing,dc=mrchris,dc=me' admin_group: 'gitlab_admin' EOS ``` **LDAP search switches** + **-D** = Bind DN + GitLab config value: `bind_dn: 'cn=admin,dc=ldap-testing,dc=mrchris,dc=me'` + **-b** = Search base + GitLab config value: `base: 'dc=ldap-testing,dc=mrchris,dc=me'` + **-w** = Password + GitLab config value: `password: 'Password1'` + **-w** = Port & **-h** = Host + GitLab config value: `port: 389` + GitLab config value: `host: 127.0.0.1` + **-s** = Search scope + GitLab config value: None + Default is **sub** + Using `sub "(objectclass=*)` will return "all" objects **Get all LDAP objects for baseDN** ```bash ldapsearch -D "cn=admin,dc=ldap-testing,dc=mrchris,dc=me" \ -w Password -p 389 -h 127.0.0.1 \ -b "dc=ldap-testing,dc=mrchris,dc=me" -s sub "(objectclass=*)" ``` #### LDAP Error messages (`production.log`) ##### Could not find member DNs for LDAP group ``` Could not find member DNs for LDAP group # 1. Launch the rails console ```ruby gitlab-rails c ``` 1. Update the logger level ```ruby Rails.logger.level = 0 ``` 1. Perform a group sync ```ruby LdapGroupSyncWorker.new.perform ``` 1. Perform a user sync ```ruby LdapSyncWorker.new.perform ``` 1. All commands: ```ruby gitlab-rails c Rails.logger.level = 0 LdapGroupSyncWorker.new.perform LdapSyncWorker.new.perform ``` 1. Check the console for sync output **Removing exclusive lease** - Testing (valid for 8.6 to 8.9) This is used to force an instant sync of LDAP for testing purposes. 1. Edit any LDAP settings required 1. Edit `vi /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb` 1. Comment out the exclusive lease section *(lines may differ in releases)* - [View code](https://gitlab.com/gitlab-org/gitlab-ee/blob/5c8b211c7b8746ec6d5697e495ddb68f2ac08dd7/lib/gitlab/ldap/group_sync.rb#L70-73) 1. Run a reconfigure `sudo gitlab-ctl reconfigure` **This will restart GitLab** 1. Launch GitLab rails console `gitlab-rails console` 1. Execute `Gitlab::LDAP::GroupSync.execute` 1. LDAP sync will now run 1. **Revert changes to the `group_sync.rb` file when finished** `/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/ldap/group_sync.rb` **Additional testing** 1. Start the rails console sudo gitlab-rails console 2. Create a new adapter instance ```ruby adapter = ::Gitlab::Auth::LDAP::Adapter.new('ldapmain') ``` 3. Find a group by common name. Replace **UsersLDAPGroup** with the common name to search. 1. **GitLab 8.11 >** ```ruby group = EE::Gitlab::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter) ``` 1. **GitLab < 8.10** ```ruby group = Gitlab::LDAP::Group.find_by_cn('UsersLDAPGroup', adapter) ``` 4. Check `member_dns` ```ruby group.member_dns ```