我们的Linux服务器上有 GitLab Community Edition 9.1.3 (2e4e522)。我们使用AD登录因为我们的公司。政策。
配置文件 gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS' # remember to close this block with 'EOS' below
main: # 'main' is the GitLab 'provider ID' of this LDAP server
label: 'LDAP'
host: '{HOST}'
port: 389
uid: 'sAMAccountName'
method: 'plain'
bind_dn: 'CN=SVCJAVACZ,OU=FUNCTIONAL,OU=Users,OU=CZ,OU=MCC,DC=r3,DC=madm,DC=net'
password: '{PASSWORD}'
active_directory: true
allow_username_or_email_login: false
block_auto_created_users: false
base: 'DC=r3,DC=madm,DC=net'
user_filter: ''
attributes:
username: ['uid', 'userid', 'sAMAccountName']
email: ['mail', 'email', 'userPrincipalName']
name: 'cn'
first_name: 'givenName'
last_name: 'sn'
EOS
application.log我的LDAP登录工作正常。我工作的同事也可以登录,没有任何问题。但是几天前,其中一个用户尝试使用LDAP登录GitLab应用程序并且没有成功(3次 - 总是302次)。从那时起,他似乎在我们的网络中被定期阻止(甚至在VPN上)。
正如GitLab LDAP troubleshooting所述,我打开了production.log,但它是空的,Started POST "/users/auth/ldapmain/callback" for {IP} at 2017-05-28 15:51:55 +0200
Processing by OmniauthCallbacksController#failure as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"{TOKEN}", "username"=>"{USERNAME}", "password"=>"[FILTERED]", "remember_me"=>"1"}
Redirected to {ADDRESS}/users/sign_in
Completed 302 Found in 25ms (ActiveRecord: 2.7ms)
到此状态的信息是:
unicorn_stdout.log来自档案I, [2017-05-28T15:51:55.388593 #14907] INFO -- omniauth: (ldapmain) Callback phase initiated.
E, [2017-05-28T15:51:55.569159 #14907] ERROR -- omniauth: (ldapmain) Authentication failure! invalid_credentials encountered.
:
sudo gitlab-rake gitlab:env:info来自GitLab Maintenance of Tasks System information
System: Ubuntu 16.04
Current User: git
Using RVM: no
Ruby Version: 2.3.3p222
Gem Version: 2.6.6
Bundler Version:1.13.7
Rake Version: 10.5.0
Redis Version: 3.2.5
Git Version: 2.11.1
Sidekiq Version:4.2.7
GitLab information
Version: 9.1.3
Revision: 2e4e522
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: postgresql
URL: http://{URL}
HTTP Clone URL: http://{URL}/some-group/some-project.git
SSH Clone URL: git@{URL}:some-group/some-project.git
Using LDAP: yes
Using Omniauth: no
GitLab Shell
Version: 5.0.2
Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories
Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks
Git: /opt/gitlab/embedded/bin/git
中提到的命令:
import java.io.IOException;
import org.javers.common.collections.Optional;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.ser.std.StdSerializer;
@SuppressWarnings("rawtypes")
public class JaversOptionalSerializer extends StdSerializer<Optional> {
private static final long serialVersionUID = 8330773428393250826L;
public JaversOptionalSerializer() {
super(Optional.class);
}
@Override
public void serialize(final Optional value, final JsonGenerator gen, final SerializerProvider provider) throws IOException {
if(value.isPresent()){
JsonSerializer<Object> serializer = provider.findValueSerializer(value.get().getClass());
serializer.serialize(value.get(), gen, provider);
} else {
gen.writeNull();
}
}
}
在GitLab中有任何缓存会定期为尝试登录但失败的用户发送阻止命令(因此从那时起就被阻止)?
或者现在要研究什么的建议?有什么想法吗?