Troubleshooting: a newly added LDAP user cannot log in to GitLab

2019-09-19 12:53:48
Background: GitLab authenticates users via LDAP. Today I wanted to add a new user, cibot, for Jenkins to pull code with. I copied an existing user with a tool and changed its uid, but on login the user could not sign in.
The error message was:
Undefined method `provider' for nil:NilClass
Searching shows that many people have hit this error; for some the cause was a missing email address, for some a GitLab version that was too old, and some say it is a GitLab bug.

First, log in to the server hosting GitLab and run the LDAP check; the output is normal:

sudo gitlab-rake gitlab:ldap:check
Checking LDAP ...

LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)

Since GitLab stores users and related data in a PostgreSQL database, look at the configuration file GitLab uses for PostgreSQL to find the connection details. Generally the GitLab service creates a dedicated system user to manage the database service.

[root@bogon ~]# cat /var/opt/gitlab/gitlab-rails/etc/database.yml
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

production:
  adapter: postgresql
  encoding: unicode
  collation:
  database: gitlabhq_production
  pool: 10
  username: "gitlab"
  password:
  host: "/var/opt/gitlab/postgresql"
  port: 5432
  socket:
  sslmode:
  sslcompression: 0
  sslrootcert:
  sslca:
  load_balancing: {"hosts":[]}
  prepared_statements: false
  statements_limit: 1000
  fdw:

The file shows username: "gitlab", so check which gitlab-related users exist on the system:

[root@bogon ~]# cat /etc/passwd | grep 'gitlab-'
gitlab-www:x:996:993::/var/opt/gitlab/nginx:/bin/false
gitlab-redis:x:994:991::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:993:990::/var/opt/gitlab/postgresql:/bin/sh
gitlab-prometheus:x:992:989::/var/opt/gitlab/prometheus:/bin/sh

The gitlab-psql account is the one we need. Switch to that user and connect to the gitlabhq_production database:

[root@bogon ~]#  su - gitlab-psql
Last login: Thu Sep 19 10:53:57 CST 2019 on pts/0
-sh-4.2$ psql -h /var/opt/gitlab/postgresql -d gitlabhq_production
psql (9.6.11)
Type "help" for help.

gitlabhq_production=# \h
Available help:
ABORT COMMENT DECLARE EXECUTE
ALTER AGGREGATE COMMIT DELETE EXPLAIN
ALTER COLLATION COMMIT PREPARED DISCARD FETCH
ALTER CONVERSION COPY DO GRANT
ALTER DATABASE CREATE ACCESS METHOD DROP ACCESS METHOD IMPORT FOREIGN SCHEMA
ALTER DEFAULT PRIVILEGES CREATE AGGREGATE DROP AGGREGATE INSERT
ALTER DOMAIN CREATE CAST DROP CAST LISTEN

# \l lists all databases, the equivalent of MySQL's show databases
# Because -d gitlabhq_production was given at connect time, we are already in the gitlabhq_production database and do not need to switch.
gitlabhq_production=# \l
List of databases
Name | Owner | Encoding | Collate | Ctype | Access privileges
---------------------+-------------+----------+-------------+-------------+---------------------------------
gitlabhq_production | gitlab | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
postgres | gitlab-psql | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
template0 | gitlab-psql | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/"gitlab-psql" +
| | | | | "gitlab-psql"=CTc/"gitlab-psql"
template1 | gitlab-psql | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =c/"gitlab-psql" +
| | | | | "gitlab-psql"=CTc/"gitlab-psql"
(4 rows)
# List all tables in the current database, the equivalent of MySQL's show tables
gitlabhq_production=# \dt
List of relations
Schema | Name | Type | Owner
--------+------------------------------------------+-------+--------
public | abuse_reports | table | gitlab
public | appearances | table | gitlab
public | application_setting_terms | table | gitlab
public | application_settings | table | gitlab
public | ar_internal_metadata | table | gitlab
public | audit_events | table | gitlab
public | award_emoji | table | gitlab
public | badges | table | gitlab
public | board_group_recent_visits | table | gitlab
public | board_project_recent_visits | table | gitlab
public | boards | table | gitlab
public | broadcast_messages | table | gitlab
......

# Show the structure of one table, the equivalent of desc tblname / show columns from tblname
gitlabhq_production=# \d users
Table "public.users"
Column | Type | Modifiers
----------------------------------------------+-----------------------------+----------------------------------------------------
id | integer | not null default nextval('users_id_seq'::regclass)
email | character varying | not null default ''::character varying
encrypted_password | character varying | not null default ''::character varying
reset_password_token | character varying |
reset_password_sent_at | timestamp without time zone |
remember_created_at | timestamp without time zone |
sign_in_count | integer | default 0
current_sign_in_at | timestamp without time zone |
last_sign_in_at | timestamp without time zone |
current_sign_in_ip | character varying |
last_sign_in_ip | character varying |
created_at | timestamp without time zone |
updated_at | timestamp without time zone |
.....

The users table holds all user records, so next we can verify whether the new user was stored:
# Look up the user in the users table
gitlabhq_production=# SELECT id,email,name,username FROM users WHERE username='cibot';
id | email | name | username
----+-------+------+----------
(0 rows)

The cibot user record is empty, which means the user has not been stored in the database yet. The log /var/log/gitlab/gitlab-rails/application.log shows the error:
September 19, 2019 11:02: (LDAP) Error saving user uid=cibot,ou=user,dc=company,dc=com,dc=cn (cibot@company.com.cn): ["Email has already been taken"]

Looking closely at the new user's details, it was using the same email address as the user it was copied from. GitLab considers that address already taken, so the user record is never created and the login fails.
After changing the email address with the tool, the login succeeded.
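The diagnosis above can be automated: parse the "(LDAP) Error saving user" line from application.log and turn each validation message into the psql query that finds the blocking account. This is an added example written for this page, not code from GitLab or from the author. It assumes the standard GitLab schema, where a user's primary address lives in users.email and secondary addresses in the emails table; the sample log line is constructed after the one quoted above.

```python
import re
from typing import Optional

# Constructed sample, modelled on the application.log line quoted in the post
SAMPLE_LOG = (
    "September 19, 2019 11:02: (LDAP) Error saving user "
    "uid=cibot,ou=user,dc=company,dc=com,dc=cn (cibot@company.com.cn): "
    '["Email has already been taken"]'
)

# Shape: "<timestamp>: (LDAP) Error saving user <dn> (<email>): [<ruby array of messages>]"
LDAP_SAVE_ERROR = re.compile(
    r"^(?P<ts>.+?): \(LDAP\) Error saving user (?P<dn>\S+) "
    r"\((?P<email>[^)]+)\): \[(?P<errors>.*)\]$"
)


def parse_ldap_save_error(line: str) -> Optional[dict]:
    """Return timestamp, DN, uid, email and validation messages from one log line, or None."""
    m = LDAP_SAVE_ERROR.match(line.strip())
    if not m:
        return None
    errors = re.findall(r'"([^"]*)"', m.group("errors"))   # Ruby array inspect -> list of strings
    first_rdn = m.group("dn").split(",", 1)[0]            # e.g. uid=cibot
    uid = first_rdn.split("=", 1)[1] if "=" in first_rdn else first_rdn
    return {"timestamp": m.group("ts"), "dn": m.group("dn"), "uid": uid,
            "email": m.group("email"), "errors": errors}


def sql_literal(value: str) -> str:
    # Double any single quote so the value is safe to paste into psql as a string literal
    return "'" + value.replace("'", "''") + "'"


def collision_queries(parsed: dict) -> list:
    """psql queries that reveal which existing account blocks creation of the LDAP user."""
    queries = []
    if "Email has already been taken" in parsed["errors"]:
        e = sql_literal(parsed["email"])
        # Primary address (users.email) and secondary addresses (emails table, assumed schema)
        queries.append(f"SELECT id, username, email FROM users WHERE lower(email) = lower({e});")
        queries.append(f"SELECT user_id, email FROM emails WHERE lower(email) = lower({e});")
    if "Username has already been taken" in parsed["errors"]:
        u = sql_literal(parsed["uid"])
        queries.append(f"SELECT id, username, email FROM users WHERE username = {u};")
    return queries


if __name__ == "__main__":
    for q in collision_queries(parse_ldap_save_error(SAMPLE_LOG)):
        print(q)
```

Run the printed queries in the gitlabhq_production session shown above; the row they return is the account whose address must differ before the LDAP user can be created.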