go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

"Username or password is incorrect." with LDAPS (via BindDN) authentication #17729

Open maksym-dilanian opened 3 years ago

maksym-dilanian commented 3 years ago

Gitea Version

1.15.6

Git Version

2.20.1

Operating System

Debian 10 Buster

How are you running Gitea?

Gitea was installed from Debian package (https://gitlab.com/packaging/gitea) on Debian 10 Buster VM as Microsoft Hyper-V Guest. The service is run from systemd.

Database

psql (PostgreSQL) 13.4

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Description

Added the authentication source LDAP (via BindDN); the user account is created, but the user cannot log in with his AD credentials: "Username or password is incorrect." Users created as "Local" can log in.

Steps to reproduce

In Active Directory:

  1. Create user account svc.gitea with given name Gitea Service at Service Accounts OU
  2. Create user account visitor
  3. Create universal group Gitea Users at Domain-Users OU
  4. Add user visitor to Gitea Users group

In Gitea:

  1. Add Authentication source LDAP (via BindDN) with security protocol LDAPS on port 636 as described in docs

    Authentication Source: LDAP (via BindDN)
    Security Protocol: LDAPS
    Host: akz.local
    Port: 636
    Bind DN: CN=Gitea Service,OU=Service Accounts,DC=AKZ,DC=LOCAL
    Bind Password:
    User Search Base: OU=Domain-Users,DC=AKZ,DC=LOCAL
    User Filter: (&(objectCategory=Person)(memberOf=CN=Gitea Users,OU=Domain-Users,DC=AKZ,DC=LOCAL)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
    Admin Filter: (memberOf=CN=Gitea Administrators,OU=Domain-Users,DC=AKZ,DC=LOCAL)
    Restricted filter: empty
    Username Attribute: sAMAccountName
    First Name Attribute: givenName
    Surname Attribute: sn
    Email Attribute: mail
    Public SSH Key Attribute: empty

    • [ ] Verify group membership in LDAP
    • [ ] Use Paged Search
    • [ ] Fetch Attributes in Bind DN Context
    • [ ] Allow an empty search result to deactivate all users
    • [x] Skip TLS Verify
    • [x] Enable User Synchronization
    • [x] This Authentication Source is Activated
  2. Navigate to Monitoring, click Synchronize external user data button
  3. Navigate to User Accounts, confirm that user is created
  4. Navigate to the Gitea URL
  5. Provide the visitor credentials on the login page:

Username or Email Address: visitor
Password: the visitor user's AD password

  6. Click "Sign In"

Actual result

Error displayed: "Username or password is incorrect."

Expected result

User logs in.

Environment

Microsoft Windows AD is running Windows Server 2019 (version 1809, 17763.2300). Domain controller functionality: Windows Server 2012 R2

What I've done

🆗 LDAPS on port 636 is working
🆗 User accounts can connect to AD

Checked with ldp.exe that LDAPS on port 636 is working and both users visitor and svc.gitea can navigate AD.

ldp.exe log:

ld = ldap_sslinit("akz.local", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to akz.local.
Retrieving base DSA information...
Getting 1 entries:
**Dn: (RootDSE)**
[...]
defaultNamingContext: DC=AKZ,DC=LOCAL; 
[...]
isGlobalCatalogReady: TRUE; 
isSynchronized: TRUE; 

Successful authentication for both users:

0 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='svc.gitea'; Pwd=<unavailable>; domain = 'AKZ.LOCAL'}
Authenticated as: 'AKZ\svc.gitea'.

🆗 Authentication source is working

When I navigate to Monitoring -> Synchronize external user data, a new user account visitor is created and activated. When I remove the user from the AD group and synchronize user data, the account is deactivated.

❓ Gitea Access log:

<my local ip>:6971 - - [19/Nov/2021:14:44:19 +0200] "POST /user/login HTTP/2.0" 200 8818 "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.

Some data from SQL DB:

id: 22
lower_name: visitor
name: visitor
full_name: Посетитель
passwd: 
passwd_hash_algo: 
must_change_password: false
login_type: 2
login_source: 1
login_name: visitor
type: 0
is_active: true
is_admin: false
is_restricted: false

Screenshots

No response
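The BindDN login sequence configured above, reproduced offline as an added example (this is not Gitea's code and not the reporter's): bind as the service account, render the User Filter with the login name escaped per RFC 4515 (as Gitea's own LDAP module also does), require exactly one hit under the User Search Base, then bind as that entry's DN with the user's password. The filter, DNs and attribute names are the ones from the issue; FakeDirectory, the entry set ("visitor", "auditor", a disabled "parked" account) and every password, including the assumed service-account password "svc-secret", are constructed for the example. The tiny filter parser handles only what the issue's filters need (&, |, !, equality, presence and the AD bitwise-AND rule 1.2.840.113556.1.4.803), not substring or approximate matches.

```python
import re

AD_BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, used by the UAC clause

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a filter: backslash, * ( ) and NUL."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_user_filter(template: str, username: str) -> str:
    """The User Filter as it goes on the wire after %s substitution."""
    return template.replace("%s", escape_filter_value(username))

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for the subset this page uses: &, |, !, attr=value,
    attr=* (presence) and the AD bitwise-AND rule. Returns (node, index past ')')."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        assert s[i] == ")"
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        assert s[i] == ")"
        return ("!", node), i + 1
    end = s.index(")", i)  # an escaped value never contains a literal ')'
    attr, _, raw = s[i:end].partition("=")
    if attr.endswith(":" + AD_BIT_AND + ":"):
        return ("bitand", attr.split(":")[0], int(raw)), end + 1
    return ("=", attr, raw), end + 1

def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against {attr_lowercase: [values]} (case-insensitive, as in AD)."""
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    values = [str(v) for v in entry.get(node[1].lower(), [])]
    if kind == "bitand":
        return any(int(v) & node[2] == node[2] for v in values)
    if node[2] == "*":  # presence test; an escaped "\2a" is a literal asterisk instead
        return bool(values)
    return any(v.lower() == _unescape(node[2]).lower() for v in values)

class FakeDirectory:
    """Constructed stand-in for the DC: enough search and simple bind to run offline
    (clear-text passwords only because it is a test double)."""
    def __init__(self):
        self.entries, self.passwords = {}, {}
    def add(self, dn: str, password: str, **attrs):
        self.entries[dn] = {k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}
        self.passwords[dn] = password
    def bind(self, dn: str, password: str) -> bool:
        return bool(password) and self.passwords.get(dn) == password
    def search(self, base: str, ldap_filter: str) -> list:
        node, end = parse_filter(ldap_filter)
        assert end == len(ldap_filter), "trailing characters after filter"
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base.lower()) and matches(node, e)]

def authenticate(directory, src: dict, username: str, password: str):
    """Gitea's BindDN sequence; returns (ok, detail). Detail strings are this example's own."""
    if not password:  # an empty password would be an anonymous bind, which "succeeds"
        return False, "empty password refused"
    if not directory.bind(src["bind_dn"], src["bind_password"]):
        return False, "service account bind failed"
    ldap_filter = render_user_filter(src["user_filter"], username)
    hits = directory.search(src["user_search_base"], ldap_filter)
    if len(hits) != 1:
        return False, f"user filter matched {len(hits)} entries: {ldap_filter}"
    if not directory.bind(hits[0], password):
        return False, f"bind as {hits[0]} failed"
    return True, hits[0]

# The issue's authentication source (bind password assumed) and constructed entries.
GROUP = "CN=Gitea Users,OU=Domain-Users,DC=AKZ,DC=LOCAL"
DEMO_SOURCE = dict(
    bind_dn="CN=Gitea Service,OU=Service Accounts,DC=AKZ,DC=LOCAL", bind_password="svc-secret",
    user_search_base="OU=Domain-Users,DC=AKZ,DC=LOCAL",
    user_filter="(&(objectCategory=Person)(memberOf=" + GROUP + ")(sAMAccountName=%s)"
                "(!(UserAccountControl:" + AD_BIT_AND + ":=2)))")

def build_demo_directory() -> FakeDirectory:
    d = FakeDirectory()
    d.add(DEMO_SOURCE["bind_dn"], "svc-secret", objectCategory="Person",
          sAMAccountName="svc.gitea", userAccountControl=512)
    for name, uac in (("visitor", 512), ("auditor", 512), ("parked", 514)):  # 514 = 512|2, disabled
        d.add(f"CN={name},OU=Domain-Users,DC=AKZ,DC=LOCAL", f"{name}-pw", objectCategory="Person",
              sAMAccountName=name, memberOf=[GROUP], userAccountControl=uac)
    return d
```

`authenticate(build_demo_directory(), DEMO_SOURCE, "visitor", "visitor-pw")` succeeds, "parked" is rejected by the UserAccountControl clause before any bind, an empty password is refused rather than turned into an anonymous bind, and a login name of `*` renders as `\2a` and matches nothing, whereas splicing it in unescaped would turn the clause into a presence test that matches every enabled group member. To run the same sequence against the real domain controller, swap FakeDirectory for a thin wrapper around an LDAP client (with ldap3: `Connection.search` and `Connection.rebind`) and validate the server certificate instead of ticking Skip TLS Verify as in the configuration above; the rendered filter, the hit count and the bind-as-user result are the three places a login can fail before Gitea reports "Username or password is incorrect".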

devent commented 2 years ago

I have the same issue with Gitea version 1.16.5. The weird thing is that LDAP definitely worked before. I had an admin user and a developer in LDAP and could log in. I have created an extra user 'jenkins' in LDAP, but I can't log in to Gitea with the new user.

Now LDAP is not even connected to. The log is just:

2022/03/27 07:11:38 Started POST /user/login for 10.0.1.202:58826
2022/03/27 07:11:38 ...odels/auth/oauth2.go:549:GetActiveOAuth2ProviderSources() [I] [SQL] SELECT "id", "type", "name", "is_active", "is_sync_enabled", "cfg", "created_unix", "updated_unix" FROM "login_source" WHERE (is_active = $1 and type = $2) [true OAuth2] - 1.974142ms
2022/03/27 07:11:38 ...odels/auth/source.go:269:ActiveSources() [I] [SQL] SELECT "id", "type", "name", "is_active", "is_sync_enabled", "cfg", "created_unix", "updated_unix" FROM "login_source" WHERE (is_active = $1 and type = $2) [true SPNEGO with SSPI] - 1.27096ms
2022/03/27 07:11:38 ...orm@v1.2.5/engine.go:1139:Get() [I] [SQL] SELECT "id", "lower_name", "name", "full_name", "email", "keep_email_private", "email_notifications_preference", "passwd", "passwd_hash_algo", "must_change_password", "login_type", "login_source", "login_name", "type", "location", "website", "rands", "salt", "language", "description", "created_unix", "updated_unix", "last_login_unix", "last_repo_visibility", "max_repo_creation", "is_active", "is_admin", "is_restricted", "allow_git_hook", "allow_import_local", "allow_create_organization", "prohibit_login", "avatar", "avatar_email", "use_custom_avatar", "num_followers", "num_following", "num_stars", "num_repos", "num_teams", "num_members", "visibility", "repo_admin_change_team_access", "diff_view_style", "theme", "keep_activity_private" FROM "user" WHERE "lower_name"=$1 LIMIT 1 [jenkins] - 1.582113ms
2022/03/27 07:11:38 ...s/context/context.go:204:HTML() [D] Template: user/auth/signin
2022/03/27 07:11:38 ...ers/web/auth/auth.go:200:SignInPost() [I] Failed authentication attempt for jenkins from 10.0.1.202:58826: user does not exist [uid: 12, name: jenkins, keyid: 0]
2022/03/27 07:11:38 Completed POST /user/login 200 OK in 8.200321ms

There is no LDAP connect. My LDAP settings are:

(three screenshots of the LDAP authentication source settings, not reproduced)

I just did "Synchronize External Users"; now my admin account has this error: Sign In Prohibited. Your account is prohibited to sign in, please contact your site administrator. All users became deactivated.

Edit:

If I try to create a jenkins user it says: The username is already taken. But there is no 'jenkins' user in the list of users. I guess because 'jenkins' is already in LDAP? No, I just deleted 'jenkins' from LDAP, same error.

(two screenshots, not reproduced)

devent commented 2 years ago

If I lookup the users in the database then only 'gitea' is there.

gitea=> select * from user;
 user
-------
 gitea
(1 row)

Which should be correct because the users are in LDAP. Why can't it then lookup the user 'jenkins'?

devent commented 2 years ago

Update: interesting. I had an organization in Gitea named jenkins. After deleting the org the jenkins user can login. Aren't organizations and users different in Gitea?

johnnybubonic commented 1 year ago

A year later, but just answering so you can close this out, @devent -

Orgs and users ARE different, but it'd cause a namespace clash, just like with e.g. GitHub.

For example, if you have a user foo and a repo bar, the URLs are likely something like this:

https://domain.tld/foo/bar
git+ssh://gitea@domain.tld:foo/bar.git

Now, if you have a repo bar owned by org foo, note that the URLs are the exact same:

https://domain.tld/foo/bar
git+ssh://gitea@domain.tld:foo/bar.git

So it's not so much that orgs are treated the same as users, but more so that an org and a user with the same name would collide in various namespaces.

Make sense?

KalvinVilla commented 3 months ago

~~Hello, sorry to bump this old issue, but I've got the same problem. LDAP users appear correctly in User Accounts, but when I log in with the user's username and password (Active Directory) I get "Username or password is incorrect".~~

was due to a misconfiguration