From 6a5891185c6edde0a300adee30e936d44b6180e0 Mon Sep 17 00:00:00 2001 From: Drew Blessing Date: Tue, 15 Nov 2016 15:03:44 -0600 Subject: [PATCH] Clarify LDAP troubleshooting ldap_search example [ci skip] A customer noted an error/lack of clarity in the LDAP documentation with the `ldap_search` example. Previously, if taken literally, the customer may have expected the `$` variables to be automatically replaced or if they paste the exact `user_filter` contents the parentheses would have been incorrect. Let's just simply the filter and use exactly what's in the configuration. --- doc/administration/auth/ldap.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md index fd23047f027..d3f216fb3bf 100644 --- a/doc/administration/auth/ldap.md +++ b/doc/administration/auth/ldap.md @@ -257,6 +257,24 @@ the LDAP server's SSL certificate is performed. ## Troubleshooting +### Debug LDAP user filter with ldapsearch + +This example uses ldapsearch and assumes you are using ActiveDirectory. The +following query returns the login names of the users that will be allowed to +log in to GitLab if you configure your own user_filter. + +``` +ldapsearch -H ldaps://$host:$port -D "$bind_dn" -y bind_dn_password.txt -b "$base" "$user_filter" sAMAccountName +``` + +- Variables beginning with a `$` refer to a variable from the LDAP section of + your configuration file. +- Replace ldaps:// with ldap:// if you are using the plain authentication method. + Port `389` is the default `ldap://` port and `636` is the default `ldaps://` + port. +- We are assuming the password for the bind_dn user is in bind_dn_password.txt. + + ### Invalid credentials when logging in - Make sure the user you are binding with has enough permissions to read the user's
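Review bot: In the added `ldapsearch` line and its first bullet, the text never says that `$host`, `$port`, `$bind_dn`, `$base` and `$user_filter` must be replaced by hand, which is the confusion the commit message sets out to fix. The bullet only says that variables beginning with a `$` "refer to a variable from the LDAP section of your configuration file". If the command is pasted as written, the shell expands the unset variables to empty strings. I suggest wording along the lines of "Replace each `$name` with the value of `name` from the LDAP section of your configuration file", and stating that `$user_filter` is pasted exactly as configured, parentheses included. The last bullet puts the bind password in `bind_dn_password.txt` without saying anything about the file itself. For a troubleshooting step that writes a directory credential to disk, please add that the file should be readable only by the administrator running the command and should be deleted afterwards. Style: "ActiveDirectory" should be "Active Directory". `ldapsearch`, `user_filter`, `bind_dn`, `ldaps://`, `ldap://` and `bind_dn_password.txt` are set in backticks in some places and not in others. The code fence has no language tag. The hunk also adds two blank lines before "### Invalid credentials when logging in" where one would match the rest of the file.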