author Drew Blessing <drew@gitlab.com> 2016-11-15 15:03:44 -0600
committer Drew Blessing <drew@gitlab.com> 2016-11-15 15:06:04 -0600
commit 6a5891185c6edde0a300adee30e936d44b6180e0 (patch)
tree 05a7b0249389ec68d63ab1a048418b876a324e1f
parent fb952df93e4944bc681baa119249ad31c3943a70 (diff)
Clarify LDAP troubleshooting ldap_search example [ci skip]
A customer noted an error/lack of clarity in the LDAP documentation with the `ldap_search` example. Previously, if taken literally, the customer may have expected the `$` variables to be automatically replaced, or, if they paste the exact `user_filter` contents, the parentheses would have been incorrect. Let's just simplify the filter and use exactly what's in the configuration.
-rw-r--r-- doc/administration/auth/ldap.md 18
1 files changed, 18 insertions, 0 deletions
diff --git a/doc/administration/auth/ldap.md b/doc/administration/auth/ldap.md
index fd23047f027..d3f216fb3bf 100644
--- a/doc/administration/auth/ldap.md
+++ b/doc/administration/auth/ldap.md
@@ -257,6 +257,24 @@ the LDAP server's SSL certificate is performed.
## Troubleshooting
+### Debug LDAP user filter with ldapsearch
+
+This example uses ldapsearch and assumes you are using ActiveDirectory. The
+following query returns the login names of the users that will be allowed to
+log in to GitLab if you configure your own user_filter.
+
+```
+ldapsearch -H ldaps://$host:$port -D "$bind_dn" -y bind_dn_password.txt -b "$base" "$user_filter" sAMAccountName
+```
+
+- Variables beginning with a `$` refer to a variable from the LDAP section of
+ your configuration file.
+- Replace ldaps:// with ldap:// if you are using the plain authentication method.
+ Port `389` is the default `ldap://` port and `636` is the default `ldaps://`
+ port.
+- We are assuming the password for the bind_dn user is in bind_dn_password.txt.
+
+
### Invalid credentials when logging in
- Make sure the user you are binding with has enough permissions to read the user's
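Review bot: The first bullet under the `ldapsearch` command says the `$` names "refer to a variable from the LDAP section of your configuration file" but never tells the reader to substitute them by hand. Pasted as-is into a shell where they are unset, `$host`, `$port`, `$bind_dn`, `$base` and `$user_filter` expand to empty strings, which is the confusion the commit message describes. Suggest wording along the lines of "Replace each `$` variable with the corresponding value from the LDAP section of your configuration file." On the last bullet, it is worth stating that `-y` uses the complete contents of `bind_dn_password.txt` as the password, so a trailing newline in the file produces a failed bind, and that the file should be readable only by the administrator running the check and deleted afterwards. The `ldap://` bullet could also note that with the plain method the bind password crosses the network unencrypted. Minor: the hunk adds two blank lines before `### Invalid credentials when logging in`; one is enough.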