LDAP CE searches for LDAP group

Summary

I enabled LDAP authent on my Gitlab CE ominbus install

In the gitlab.rb file it shows two settings for group search: group_base and admin-group

According to the documentation groups settings are only meant to function on the EE edition, but if I fill in the details I can see Gitlab making queries (which fail) to the LDAP server.

I assume there are other setting in the EE version that you can use to modify this query.

This should be properly disabled if it cannot be used rather than making pointless calls to the LDAP server.

Steps to reproduce

Add LDAP settings to gitlab.rb Check LDAP server logs and you will see:

SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=0 filter="(&(cn=owner)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"

SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp

What is the current bug behavior?

As above

What is the expected correct behavior?

No LDAP group queries

Expand for output related to GitLab environment info 
System information
System:		Devuan 2.0
Current User:	git
Using RVM:	no
Ruby Version:	2.3.7p456
Gem Version:	2.6.14
Bundler Version:1.13.7
Rake Version:	12.3.1
Redis Version:	3.2.11
Git Version:	2.16.4
Sidekiq Version:5.0.5
Go Version:	unknown

GitLab information
Version:	10.8.4
Revision:	2268d0c
Directory:	/opt/gitlab/embedded/service/gitlab-rails
DB Adapter:	postgresql
URL:		https://gitlab-backup.impamark.com:4443
HTTP Clone URL:	https://gitlab-backup.impamark.com:4443/some-group/some-project.git
SSH Clone URL:	git@gitlab-backup.impamark.com:some-group/some-project.git
Using LDAP:	yes
Using Omniauth:	no


GitLab Shell
Version:	7.1.2
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
heck GitLab API access: OK
Redis available via internal API: OK


Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Sidekiq ...


Running? ... yes
Number of Sidekiq processes ... 1


Checking Sidekiq ... Finished


Reply by email is disabled in config/gitlab.yml
Checking LDAP ...


Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)



Checking LDAP ... Finished


Checking GitLab ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
2/1 ... yes
2/2 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.3.7)
Git version >= 2.9.5 ? ... yes (2.16.4)
Git user has default SSH configuration? ... yes
Active users: ... 3


Checking GitLab ... Finished

Possible fixes

No idea I'm afraid !