
Filter by attributes

Open kleyoneo opened this issue 3 years ago • 11 comments

Hi,

Is it possible to use a filter with attributes instead of objects? For example userFilter: (&(attrib1=x)(attrib2=y))

In my case it doesn't work.

Thanks

kleyoneo, Mar 21 '22 13:03

Yes, that should be very possible. userFilter is just passed across, so if you're not getting any results use the very verbose option -vv to potentially see why, or try the same query in another LDAP utility.

If you switch to the master branch instead of a release I've just committed two debug messages to help you with this. Use very very verbose option -vvv to see these and you'll see "Retrieving users" and "Retrieving groups" debug messages showing you the base DN, filter, and attributes used for each query.

Adambean, Mar 21 '22 20:03
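The filter syntax asked about above, checked with a minimal RFC 4515 search-filter parser plus a value escaper. This is an added example for this thread, not code from gitlab-ce-ldap-sync; the function names and the subset of the grammar it handles are my own choices. It lets you confirm that a userFilter such as (&(attrib1=x)(attrib2=y)) is well-formed before blaming the tool, and shows how to escape user-supplied values so they cannot alter the filter structure.

```python
# Added example: minimal RFC 4515 LDAP search-filter parser and value escaper.
# Not part of gitlab-ce-ldap-sync; names and grammar subset are assumptions.
import re

ATTR = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")  # attribute description, simplified


def parse_filter(text):
    """Parse a filter string into nested tuples, or raise ValueError."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":          # AND / OR / NOT with nested filters
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, children), i + 1
    m = ATTR.match(s, i)                       # simple item: attr <op> value
    if not m:
        raise ValueError(f"expected attribute name at offset {i}")
    attr, i = m.group(), m.end()
    for op in ("~=", ">=", "<=", "="):
        if s.startswith(op, i):
            i += len(op)
            break
    else:
        raise ValueError(f"expected comparison operator at offset {i}")
    end = s.find(")", i)                       # ')' inside a value must be escaped as \29
    if end < 0:
        raise ValueError("unterminated filter item")
    value = s[i:end]
    if "(" in value:                           # an unescaped '(' is never valid in a value
        raise ValueError(f"unescaped '(' in value at offset {i}")
    return (op, attr, value), end + 1


def escape_value(value):
    """Escape an assertion value (RFC 4515 section 3) so data cannot inject filter syntax."""
    out = []
    for b in value.encode("utf-8"):
        out.append("\\%02x" % b if b in b"*()\\\x00" or b < 32 or b > 126 else chr(b))
    return "".join(out)
```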

OK, thank you. I'm using the master branch now. And I found out that the mistake is my fault: in the baseDn parameter I added the userDn...

Now retrieving LDAP users is OK, but I get a cURL error: Gitlab failure: cURL error 60: SSL certificate problem: unable to get local issuer certificate

I think it's because I'm behind a proxy. But even when I configure the environment variable it doesn't work. Any idea?

kleyoneo, Mar 22 '22 14:03

That sounds like a certificate chain trust issue, which is external to this tool. (This uses trust from your system's cryptographic framework.)

Common causes are self-signed certificates untrusted by the system (including self/corporate CAs), or the end-entity certificate hasn't been stapled with its parent issuer correctly, meaning the trusted root can't be determined.

Adambean, Mar 22 '22 17:03

You were right, it's a certificate issue. I don't use a self-signed certificate, but the Certificate Chain File was missing in my configuration.

Now I'm making progress, but with another error :-( : [error] Gitlab failure: "public_email" must be an email you have verified

I don't know if I will succeed! :-(

kleyoneo, Mar 23 '22 09:03

That came from a change to the Gitlab API only allowing us to set the public email address of an account that is already verified, which is quite silly. Related: #21

What message appears before that problem? It'll either be "Creating Gitlab user" or "Updating Gitlab user #".

Adambean, Mar 23 '22 20:03

Ouch. Silly indeed...

The error appears after "Creating Gitlab user" message.

kleyoneo, Mar 24 '22 09:03

That's an incredibly strange quirk of the Gitlab platform... I'm not in a position to test this right now but you may want to edit src/LdapSyncCommand.php and change "public_email" to "email". As of right now this is line 1213 and looks like this:

```php
!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->create($ldapUserDetails["email"], $gitlabUserPassword, [
    "username"          => $gitlabUserName,
    "reset_password"    => false,
    "name"              => $ldapUserDetails["fullName"],
    "extern_uid"        => $ldapUserDetails["dn"],
    "provider"          => $gitlabConfig["ldapServerName"],
    "public_email"      => $ldapUserDetails["email"],
    "admin"             => $ldapUserDetails["isAdmin"],
    "can_create_group"  => $ldapUserDetails["isAdmin"],
    "skip_confirmation" => true,
    "external"          => $ldapUserDetails["isExternal"],
])) : $this->logger->warning("Operation skipped due to dry run.");
```

Change "public_email" => $ldapUserDetails["email"], to "email" => $ldapUserDetails["email"],, save, and run again. Gitlab may well throw an error that the account has no public email address though!

```php
!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->create($ldapUserDetails["email"], $gitlabUserPassword, [
    "username"          => $gitlabUserName,
    "reset_password"    => false,
    "name"              => $ldapUserDetails["fullName"],
    "extern_uid"        => $ldapUserDetails["dn"],
    "provider"          => $gitlabConfig["ldapServerName"],
    "email"             => $ldapUserDetails["email"],
    "admin"             => $ldapUserDetails["isAdmin"],
    "can_create_group"  => $ldapUserDetails["isAdmin"],
    "skip_confirmation" => true,
    "external"          => $ldapUserDetails["isExternal"],
])) : $this->logger->warning("Operation skipped due to dry run.");
```

Adambean, Mar 24 '22 09:03

OK, it works by changing public_email to email :-)

Once all users have been created, there is this error: Gitlab failure: 403 Forbidden - LDAP blocked users cannot be modified by the API

My token is "full privileges". Is it another Gitlab blocker?

kleyoneo, Mar 24 '22 14:03

That is also external to this tool. Searching for "LDAP blocked users cannot be modified by the API" brings up this which may be of use: https://stackoverflow.com/questions/40990190/how-do-i-unblock-ldap-users-in-gitlab-ce

Adambean, Mar 24 '22 15:03

Some users were blocked indeed. Unblocking these users removed this error.

Now, all new users are created correctly. Existing users are updated... until "Gitlab failure: 403 Forbidden"

Forbidden, but why? :-(

kleyoneo, Mar 28 '22 09:03

There's limited knowledge this tool can provide on that as the 403 error is returned by the Gitlab API. You may get more information by increasing verbosity (-vv), otherwise you'd need to check your Gitlab's access log for a more specific reason. The API token you've generated may not have permission to edit users for example.

Adambean, Mar 28 '22 10:03