Web log-in broken #2932
When you say
was it a mix of both regardless of user types, or differences between local privileged roles and LDAP-bound unprivileged users, or a mix of both account types for all users? Since LDAP sync doesn't happen all the time, but should be once a day if default configuration is kept (and checked only if authenticating a LDAP user through any authentication provider). As mentioned here: https://docs.gitlab.com/ee/administration/auth/ldap/#security, it may be linked with the It may be a little far-fetched, but couldn't the following have happened:
If not done already, a quick check for this particular attribute through the rails console may yield something. This still wouldn't explain the HTTP auth working, but I'm not knowledgeable enough about their differences in the internals to be sure. Also, since I never tested the case where you disabled LDAP, no idea if I'm just overspeculating, hope this helps in any way.
Thank you for your feedback, @frenchbeard. To answer your question.
There are two users that were able to log in with their local accounts and their LDAP accounts when the system worked. These users are admins of the Gitlab instance. Then there is a bunch of normal users that only had LDAP accounts, not local ones. The instance is set in a way that the admin of Gitlab had to confirm their (LDAP) account before they could actually use the Gitlab instance. (The process was such that after the first log-in using LDAP credentials, an account was created, but it was immediately blocked. An admin could unblock the account and give the user then access.) Also, I’ve checked the status of the two local (admin) users and it is set to
{
"id"=>2,
"email"=>"...",
"encrypted_password"=>"$2a$10$...",
"reset_password_token"=>nil,
"reset_password_sent_at"=>nil,
"remember_created_at"=>Fri, 26 Jan 2024 09:54:46.894155000 CET +01:00,
"sign_in_count"=>604,
"current_sign_in_at"=>Wed, 27 Mar 2024 15:02:01.946820000 CET +01:00,
"last_sign_in_at"=>Wed, 27 Mar 2024 15:01:53.495105000 CET +01:00,
"current_sign_in_ip"=>"....",
"last_sign_in_ip"=>"....",
"created_at"=>Tue, 11 Mar 2014 16:59:03.598136000 CET +01:00,
"updated_at"=>Fri, 26 Apr 2024 10:08:20.440457000 CEST +02:00,
"name"=>"David ...",
"admin"=>true,
"projects_limit"=>99,
"failed_attempts"=>0,
"locked_at"=>nil,
"username"=>"david",
"can_create_group"=>true,
"can_create_team"=>true,
"state"=>"active",
"color_scheme_id"=>3,
"password_expires_at"=>nil,
"created_by_id"=>1,
"avatar"=>"avatar.png",
"confirmation_token"=>".....",
"confirmed_at"=>Tue, 11 Mar 2014 16:59:03.486587000 CET +01:00,
"confirmation_sent_at"=>Wed, 06 Feb 2019 13:41:12.348830000 CET +01:00,
"unconfirmed_email"=>nil,
"hide_no_ssh_key"=>false,
"last_credential_check_at"=>Sun, 04 Feb 2024 22:54:02.095932000 CET +01:00,
"notification_email"=>"....",
"hide_no_password"=>false,
"password_automatically_set"=>false,
"encrypted_otp_secret"=>nil,
"encrypted_otp_secret_iv"=>nil,
"encrypted_otp_secret_salt"=>nil,
"otp_required_for_login"=>false,
"otp_backup_codes"=>nil,
"public_email"=>"",
"dashboard"=>"projects",
"project_view"=>"files",
"consumed_timestep"=>nil,
"layout"=>"fixed",
"hide_project_limit"=>false,
"unlock_token"=>nil,
"otp_grace_period_started_at"=>nil,
"external"=>false,
"incoming_email_token"=>"......",
"require_two_factor_authentication_from_group"=>false,
"two_factor_grace_period"=>48,
"last_activity_on"=>Fri, 26 Apr 2024,
"notified_of_own_activity"=>false,
"preferred_language"=>"en",
"theme_id"=>nil,
"include_private_contributions"=>false,
"feed_token"=>".......",
"accepted_term_id"=>nil,
"private_profile"=>false,
"commit_email"=>nil,
"auditor"=>false,
"admin_email_unsubscribed_at"=>nil,
"group_view"=>nil,
"managing_group_id"=>nil,
"note"=>nil,
"roadmap_layout"=>nil,
"static_object_token"=>nil,
"first_name"=>nil,
"last_name"=>nil,
"role"=>"software_developer",
"user_type"=>"human",
"static_object_token_encrypted"=>nil,
"otp_secret_expires_at"=>nil,
"onboarding_in_progress"=>false,
"color_mode_id"=>1,
"otp_secret"=>nil
}
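An added example, not part of the thread or of the project's code: a plain-Ruby pass over a user attribute hash like the one pasted above, reporting the fields that commonly affect password sign-in. Which fields are checked and how they are read is an assumption of this example; `login_findings`, `FROM_THREAD` and `CONSTRUCTED` are hypothetical names.

```ruby
require "time"

# Accepts Time objects (as in a rails console) or strings (pasted dumps).
def to_time(value)
  return value if value.nil? || value.is_a?(Time)
  Time.parse(value.to_s)
end

# Returns findings for one attribute hash. An empty list means none of the
# checked fields accounts for a rejected password login.
# The choice of fields is this example's assumption, not the thread's.
def login_findings(attrs, now: Time.now)
  findings = []
  findings << "state=#{attrs['state']}" unless attrs["state"] == "active"
  locked = to_time(attrs["locked_at"])
  findings << "locked_at=#{locked.iso8601}" if locked
  attempts = attrs["failed_attempts"].to_i
  findings << "failed_attempts=#{attempts}" if attempts.positive?
  expires = to_time(attrs["password_expires_at"])
  findings << "password expired #{expires.iso8601}" if expires && expires <= now
  findings << "confirmed_at is nil" if attrs["confirmed_at"].nil?
  findings << "password_automatically_set" if attrs["password_automatically_set"]
  findings << "otp_required_for_login" if attrs["otp_required_for_login"]
  findings
end

# Subset of the values shown in the dump above.
FROM_THREAD = {
  "state" => "active", "locked_at" => nil, "failed_attempts" => 0,
  "password_expires_at" => nil,
  "confirmed_at" => "2014-03-11 16:59:03 +0100",
  "password_automatically_set" => false, "otp_required_for_login" => false
}.freeze

# Constructed record (not from the thread) showing what a flagged account looks like.
CONSTRUCTED = {
  "state" => "ldap_blocked", "locked_at" => "2024-04-01 10:00:00 +0200",
  "failed_attempts" => 10, "password_expires_at" => "2024-01-01 00:00:00 +0100",
  "confirmed_at" => "2023-06-01 09:00:00 +0200",
  "password_automatically_set" => true, "otp_required_for_login" => false
}.freeze

if __FILE__ == $PROGRAM_NAME
  { "from thread" => FROM_THREAD, "constructed" => CONSTRUCTED }.each do |label, rec|
    result = login_findings(rec)
    puts "#{label}: #{result.empty? ? 'no findings' : result.join('; ')}"
  end
end
```
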
I have an issue with web-login. We are using gitlab 16.10.1 and at some point, it has become impossible for users to log in via web. (If you believe this is a gitlab issue, please let me know and I'll try my luck upstream.)
Unfortunately, I cannot tell whether the issue began with this version of Gitlab or with some other prior to that.
I am sure, however, that the issue did not manifest at an upgrade, but at a later point. What I mean is that after the upgrade, I immediately checked the instance, and it worked. The issue came about only after existing login credentials expired and the web application required users to perform a fresh log in. Users cannot log in since.
When logging in, Gitlab web app always responds by saying credentials are invalid. However, we are certain the credentials are in fact valid:
The issue seems to be related to the web application itself. I’m looking at the logs, but I cannot see anything useful. (I’ve checked basically every log in `/var/log/gitlab/gitlab/*.log`, but I see no errors.)
Some more background:
Any idea will be greatly appreciated. Below I enclose my docker-compose config.