OK, anybody using Windows AD with Gitblit: I figured out my issue. I know I've seen this posted elsewhere in the forum with no resolution, so let me recap:
You have Gitblit syncing your users.conf from AD, but your users still cannot authenticate; you see invalid credentials errors.
The root of my issue was that my bindpattern was set to:
realm.ldap.bindpattern = CN=${username},OU=Users,DC=domain,DC=com
However, in our Active Directory domain's DNs, CN is not equal to the username; CN is equal to the displayName.
This was causing my auth issues.
I changed my bindpattern to simply:
realm.ldap.bindpattern = domain\\${username}
My users can not log in. Below for your reference is a complete [sanitized] Gitblit LDAP configuration that is currently working in a Windows AD environment:
realm.ldap.backingUserService = ${baseFolder}/users.conf
realm.authenticationProviders = ldap
realm.passwordStorage = md5
# URL of the LDAP server.
realm.ldap.server = ldap://I.P.Address.Redacted:389
# Login username for LDAP searches.
realm.ldap.username = domain\\adminuser
realm.ldap.password = adminpass
# Bind pattern for Authentication.
realm.ldap.bindpattern = domain\\${username}
# Delegate team membership control to LDAP.
realm.ldap.maintainTeams = true
# Root node for all LDAP users
realm.ldap.accountBase = DC=domain,DC=com
# Filter criteria for LDAP users
# The filter I made will show all accounts that are in the 'employee_users' security group, in the Groups OU, OR
# in the 'admin_users' group in the Admin OU, OR are in the 'contractor_users' or 'intern_users' groups in the Groups OU
# it will additionally only show accounts whose objectClass=user, and will filter out any object with objectClass of computer.
# The last part [(userAccountControl:1.2.840.113556.1.4.803:=2)] will filter out any disabled account.
realm.ldap.accountPattern = (&(|(memberOf=CN=employee_users,OU=Groups,DC=domain,DC=com)(memberOf=CN=admin_users,OU=Admin,DC=domain,DC=com)(memberOf=CN=contractor_users,OU=Groups,DC=domain,DC=com)(memberOf=CN=intern_users,OU=Groups,DC=domain,DC=com))(objectClass=user)(sAMAccountName=${username})(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# Root node for all LDAP groups to be used as Gitblit Teams
# This is a separate OU I created just for security groups to be used as GitBlit teams
realm.ldap.groupBase = OU=gitblit,DC=domain,DC=com
# Group member patterns: groups that contain the user's DN, and groups with no members
realm.ldap.groupMemberPattern = (&(objectClass=group)(member=${dn}))
realm.ldap.groupEmptyMemberPattern = (&(objectClass=group)(!(member=*)))
# LDAP users or groups that should be given administrator privileges.
# This is also in my gitblit teams OU
realm.ldap.admins = @gitblit_admins
realm.ldap.displayName = displayName
realm.ldap.email = mail
# Attribute on the USER record that indicates the username to be used in Gitblit
# when synchronizing users from LDAP
realm.ldap.uid = sAMAccountName
# Defines whether to synchronize all LDAP users and teams into the user service
realm.ldap.synchronize = true
realm.ldap.syncPeriod = 5 MINUTES
realm.ldap.removeDeletedUsers = true
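To make the two points above concrete, here is an added Python model (not code from the original post or from Gitblit) of the ${username} expansion in the two bindpatterns and of each AND-ed clause of the accountPattern filter. The directory entries are constructed sample records with hypothetical values; sAMAccountName is compared case-insensitively, as AD does, and the Python literal "domain\\${username}" holds a single backslash, which is what the properties-file escape `\\` in the config is assumed to yield.

```python
# Added example: models Gitblit's bindpattern expansion and the accountPattern filter
# from the post above. Entries are constructed sample records, not real directory data.

ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the 1.2.840.113556.1.4.803 (bit-AND) rule

ALLOWED_GROUPS = {  # the four memberOf alternatives OR-ed together in the filter
    "CN=employee_users,OU=Groups,DC=domain,DC=com",
    "CN=admin_users,OU=Admin,DC=domain,DC=com",
    "CN=contractor_users,OU=Groups,DC=domain,DC=com",
    "CN=intern_users,OU=Groups,DC=domain,DC=com",
}

def bind_dn(pattern, username):
    """Expand Gitblit's ${username} placeholder in realm.ldap.bindpattern."""
    return pattern.replace("${username}", username)

def matches_account_pattern(entry, username):
    """Evaluate each AND-ed clause of realm.ldap.accountPattern against one entry."""
    in_allowed_group = bool(set(entry.get("memberOf", [])) & ALLOWED_GROUPS)
    classes = set(entry.get("objectClass", []))
    is_user = "user" in classes and "computer" not in classes
    name_ok = entry.get("sAMAccountName", "").lower() == username.lower()
    disabled = entry.get("userAccountControl", 0) & ACCOUNTDISABLE != 0
    return in_allowed_group and is_user and name_ok and not disabled

def allowed_accounts(entries):
    """sAMAccountNames that pass the filter when searched by their own name."""
    return sorted(e["sAMAccountName"] for e in entries
                  if matches_account_pattern(e, e["sAMAccountName"]))

# Constructed snapshot. The computer object also carries objectClass=user, which is
# why the filter needs the explicit (!(objectClass=computer)) clause.
SAMPLE_ENTRIES = [
    {"dn": "CN=John Smith,OU=Users,DC=domain,DC=com", "sAMAccountName": "jsmith",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "memberOf": ["CN=employee_users,OU=Groups,DC=domain,DC=com"], "userAccountControl": 0x200},
    {"dn": "CN=Dana Lee,OU=Users,DC=domain,DC=com", "sAMAccountName": "dlee",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "memberOf": ["CN=admin_users,OU=Admin,DC=domain,DC=com"], "userAccountControl": 0x202},  # disabled
    {"dn": "CN=Pat Roe,OU=Users,DC=domain,DC=com", "sAMAccountName": "proe",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "memberOf": ["CN=marketing,OU=Groups,DC=domain,DC=com"], "userAccountControl": 0x200},  # wrong group
    {"dn": "CN=BUILD01,OU=Computers,DC=domain,DC=com", "sAMAccountName": "BUILD01$",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "memberOf": ["CN=employee_users,OU=Groups,DC=domain,DC=com"], "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    print(bind_dn("CN=${username},OU=Users,DC=domain,DC=com", "jsmith"))  # does not match John Smith's DN
    print(bind_dn("domain\\${username}", "jsmith"), allowed_accounts(SAMPLE_ENTRIES))  # domain\jsmith ['jsmith']
```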