
Can't login/enter admin mode with LDAP


Question

How do I bypass the LDAP login and remove the additional authentication for administrative tasks?

Problem

I can't enter admin mode. When I log in using regular credentials and try to change some administrative settings, it asks for LDAP credentials to enter admin mode. The problem is that LDAP is too slow and is not working for me (I will fix this later).

Context

I'm configuring gitlab-ce 13.11.3-ce.0 locally as a demonstration. I have some things set up which I don't want to lose with a total reset. The admin user had regular authentication. Since I logged in through LDAP (I used the same username as the LDAP to log in) I cannot enter admin mode anymore, although I can log in with the admin user using normal credentials.

I mixed the regular and LDAP credentials for the admin account.

What I tried:
  • I tried to turn off LDAP login using the setting gitlab_rails['ldap_enabled'] = false at /etc/gitlab/gitlab.rb but the form doesn't show up (the LDAP title appears, though).

  • I tried to reset the user password using the gitlab-rails console.

    user = User.find_by(email: 'user@example.com')
    user.password = 'secret_pass'
    user.password_confirmation = 'secret_pass'
    user.save!
    user.skip_reconfirmation!

  • I'm trying to fix the LDAP authentication also but for now it is more important that I have access to the administrator settings.

Solution

  • As stated by the documentation, this authentication can be disabled easily using the following command:

    gitlab-rails runner '::Gitlab::CurrentSettings.update!(admin_mode: false)'
    

    When I found the above code I had already solved the problem using the method below:

    Having access to the server, I created another admin user with regular authentication in GitLab using gitlab-rails runner.

    at /path/to/bypassldap.rb:

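    # Creates a local (non-LDAP) administrator account; run with gitlab-rails runner.
    username = "bypassldap"
    user = User.new(
        username: username,
        name: username,
        email: "#{username}@gitlab.allowed.domain",
        notification_email: "#{username}@gitlab.allowed.domain",
        password: username,               # the password is the same string as the username
        password_confirmation: username,
        admin: true
    )
    user.skip_confirmation!               # mark the account confirmed without the e-mail step
    user.save!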
    

    Then I ran:

    gitlab-rails runner /path/to/bypassldap.rb
    

    I logged in successfully with the created user, then unset the option "Require additional authentication for administrative tasks" under Admin area > Settings > General, in the expanded Sign-in restrictions section.

    See the documentation for more details.