
Group #1 / member #1: No matching user name found for group member attribute "member"

Open d0lb33 opened this issue 3 years ago • 6 comments

When specifying a group DN, it fails to find members of the group. My guess is that the users are not included in the same OU as the GroupDN so it can't find them?

I've removed the groupdn query and it works, but I have a bunch of unwanted groups.

It also works if I specify the group dn to point to an OU with users, and groups that are assigned users.

My config for reference.

d0lb33 avatar Aug 05 '22 20:08 d0lb33

Are you sure you're using the right attributes for groupMemberAttribute?

I've just checked on my own Active Directory instance. My "sAMAccountName" is "Adam Reece", but looking at the groups I'm in, "member" refers to my user's whole DN -- not just the username. I would expect that "memberUid" is necessary because that would match what I've got for "sAMAccountName" used by userUniqueAttribute.

Adambean avatar Aug 06 '22 13:08 Adambean

This is the warning I get.

This is the attribute for members for one of the groups.

memberUid is blank for the group, and the user doesn't have one.

d0lb33 avatar Aug 08 '22 18:08 d0lb33

It likely works for me as I have the "Subsystem for UNIX-based Applications" feature installed, so POSIX attributes such as "uid" and "memberUid" are automatically present in my AD.

The problem you've got here is that your user's "sAMAccountName" and group's "member" attributes simply don't match identically. You can overrule this behaviour with userMatchAttribute. Specifically this part:

For instance, in some Microsoft Active Directory versions, groups possess a "member" attribute that lists the "distinguishedName" attributes of each member of the group. The user name however is a different attribute of each user being attributed to that group. In this case, set userMatchAttribute to "distinguishedName" and userUniqueAttribute to your user name attribute.

Adambean avatar Aug 09 '22 12:08 Adambean

Thanks for the help, I am not too familiar with AD/LDAP so this is all a learning experience.

I've made those changes, and get the same error as before.

d0lb33 avatar Aug 09 '22 12:08 d0lb33

Actually, I think it worked.

But, the problem is my group has another group in it.

So I have GitLab Admins (members -> SDMI Admins)...

Is there a way to resolve that group to individual members kind of how I did with my user filter? "memberOf:1.2.840.113556.1.4.1941"

The group with just users synced fine.

d0lb33 avatar Aug 09 '22 12:08 d0lb33
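The two points in this thread, matching AD's DN-valued "member" attribute against the right user attribute and expanding a group that contains another group, as an added Python example. This is not code from gitlab-ce-ldap-sync; it runs against a small constructed in-memory directory (the DNs, user names and group names are made up), and the function names (`lookup`, `resolve_group`) and parameter names are the example's own, chosen to mirror the userMatchAttribute / userUniqueAttribute / groupMemberAttribute options discussed above. The nested expansion is done client-side here to show what the transitive membership returned by an AD-side `memberOf:1.2.840.113556.1.4.1941:=<group DN>` filter looks like; whether the tool itself supports that is not settled on this page.

```python
"""Resolve LDAP group members client-side, as discussed in the thread.

Added example, not code from gitlab-ce-ldap-sync. The directory below is
constructed in memory to look like Active Directory: a group's "member"
attribute lists full DNs, while the user name lives in sAMAccountName, so
members must be matched on distinguishedName, not on sAMAccountName.
"""
from __future__ import annotations

# Constructed sample entries keyed by DN (made-up names, AD-style attributes).
DIRECTORY: dict[str, dict[str, list[str]]] = {
    "CN=Adam Reece,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["areece"],
        "distinguishedName": ["CN=Adam Reece,OU=Users,DC=example,DC=com"],
    },
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["jdoe"],
        "distinguishedName": ["CN=Jane Doe,OU=Users,DC=example,DC=com"],
    },
    # Nested group: holds a user and is itself a member of the group below.
    "CN=SDMI Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "distinguishedName": ["CN=SDMI Admins,OU=Groups,DC=example,DC=com"],
        "member": ["CN=Jane Doe,OU=Users,DC=example,DC=com"],
    },
    "CN=GitLab Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "distinguishedName": ["CN=GitLab Admins,OU=Groups,DC=example,DC=com"],
        "member": [
            "CN=Adam Reece,OU=Users,DC=example,DC=com",
            "CN=SDMI Admins,OU=Groups,DC=example,DC=com",
            # Stale reference to an object that no longer exists.
            "CN=Gone Person,OU=Users,DC=example,DC=com",
        ],
    },
}


def lookup(attr: str, value: str) -> dict[str, list[str]] | None:
    """Return the entry whose attribute holds value (case-insensitive, as
    LDAP compares DNs and names), or None when nothing matches."""
    for entry in DIRECTORY.values():
        if any(v.lower() == value.lower() for v in entry.get(attr, [])):
            return entry
    return None


def resolve_group(group_dn: str, user_match_attr: str, user_unique_attr: str,
                  group_member_attr: str = "member", nested: bool = True,
                  _seen: set[str] | None = None) -> dict[str, list[str]]:
    """Expand a group into user names.

    user_match_attr  -> user attribute the group's member values are compared
                        against ("distinguishedName" for an AD "member" list).
    user_unique_attr -> user attribute to report ("sAMAccountName").
    nested           -> also expand groups found among the members.
    Returns {"users": [...], "unmatched": [...]}, both sorted and de-duplicated;
    "unmatched" holds member values that resolved to no user, i.e. the case
    behind the "No matching user name found" warning in the issue title.
    """
    seen = _seen if _seen is not None else set()
    seen.add(group_dn.lower())
    users: set[str] = set()
    unmatched: set[str] = set()

    group = lookup("distinguishedName", group_dn)
    for member in (group or {}).get(group_member_attr, []):
        user = lookup(user_match_attr, member)
        if user and "user" in user.get("objectClass", []):
            users.update(user[user_unique_attr])
            continue
        sub = lookup("distinguishedName", member)
        if nested and sub and "group" in sub.get("objectClass", []):
            if member.lower() in seen:
                continue  # cycle guard: A -> B -> A must not recurse forever
            inner = resolve_group(member, user_match_attr, user_unique_attr,
                                  group_member_attr, nested, seen)
            users.update(inner["users"])
            unmatched.update(inner["unmatched"])
            continue
        unmatched.add(member)

    return {"users": sorted(users), "unmatched": sorted(unmatched)}


if __name__ == "__main__":
    gl = "CN=GitLab Admins,OU=Groups,DC=example,DC=com"
    # Misconfiguration from the thread: DNs compared against sAMAccountName.
    print(resolve_group(gl, "sAMAccountName", "sAMAccountName", nested=False))
    # Corrected matching plus nested expansion: areece and jdoe.
    print(resolve_group(gl, "distinguishedName", "sAMAccountName"))
```

Two things worth noticing when running it: with the wrong match attribute every member lands in "unmatched", which is exactly the symptom reported above, and with nested expansion on, a user who is only in SDMI Admins ends up in the GitLab Admins result. That second point is the access-control consequence of flattening nested groups: anyone who can add members to the inner group can grant the outer group's privileges, so the set of groups that are allowed to nest under an admin group should be reviewed as carefully as the admin group itself.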


heya, have you been able to find out how to work the nesting out?

Macleykun avatar Jan 13 '23 22:01 Macleykun