Allow Kerberos to auto link LDAP users
Zendesk: https://gitlab.zendesk.com/agent/tickets/50239 and https://gitlab.zendesk.com/agent/tickets/56351
It currently seems that it's impossible for us to auto link an LDAP user when a user signs in via Kerberos. In https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/o_auth/user.rb#L98 we currently try two methods to link LDAP users - find by UID and find by DN, both utilizing `auth_hash.uid`. In the case of Kerberos, `auth_hash.uid` will be something like `john@ORG.DOMAIN.COM`. It's important to note that often the Kerberos realm is NOT the same as the email domain, so we cannot look up by email either. Additionally, LDAP often does not have an attribute that directly corresponds to the full Kerberos principal. In https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/ee/gitlab/ldap/person.rb#L15 we derive an LDAP user's Kerberos principal using the username + DN.
Example Auth Hash:
```
#<Gitlab::OAuth::AuthHash:0x007f4d2cdec0a8 @auth_hash=#<OmniAuth::AuthHash credentials=#<OmniAuth::AuthHash> extra=#<OmniAuth::AuthHash> info=#<OmniAuth::AuthHash::InfoHash email="john@kerberos.gitlap.com" username="john"> provider="kerberos" uid="john@KERBEROS.GITLAP.COM">, @provider="kerberos", @uid="john@KERBEROS.GITLAP.COM">
```
I suggest we put another try before https://gitlab.com/gitlab-org/gitlab-ee/blob/master/lib/gitlab/o_auth/user.rb#L107 that says something like:
```ruby
if auth_hash.provider == 'kerberos'
  # Look up the LDAP entry by the principal's short username only (may return nil).
  person = Gitlab::LDAP::Person.find_by_uid(auth_hash.info['username'], adapter)
  # Only link when the principal derived from the LDAP entry matches the
  # authenticated uid; realms are compared case-insensitively.
  @ldap_person ||= person if person && person.kerberos_principal.downcase == auth_hash.uid.downcase
end
```
The `@ldap_person` line's conditional may not be necessary, but I wondered if we needed some additional comparison to 'prove' this is the right user to link, rather than just going on username. Is username enough?
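As an added, stand-alone Ruby sketch of the linking check proposed above (not GitLab's code): it assumes the principal's realm is derived from the DN's `dc=` components, uses a constructed in-memory directory in place of `Gitlab::LDAP::Person.find_by_uid`, and shows the no-entry and realm-mismatch cases that a bare username lookup would not catch.

```ruby
# Constructed LDAP entries (uid => DN). The realm comes from the DN, not from
# the email attribute, mirroring the "realm != email domain" point above.
LDAP_DIRECTORY = {
  'john' => 'uid=john,ou=people,dc=kerberos,dc=gitlap,dc=com',
  'jane' => 'uid=jane,ou=people,dc=corp,dc=example,dc=org'
}.freeze

# Assumed derivation (username + DN): the dc= components of the DN, joined
# with dots and upper-cased, form the Kerberos realm.
def kerberos_principal_for(username, dn)
  realm = dn.split(',').map(&:strip)
            .select { |rdn| rdn.downcase.start_with?('dc=') }
            .map { |rdn| rdn.split('=', 2).last }
            .join('.')
  return nil if realm.empty?
  "#{username}@#{realm.upcase}"
end

# Stand-in for Gitlab::LDAP::Person.find_by_uid: a hash or nil.
def find_ldap_person(username)
  dn = LDAP_DIRECTORY[username]
  return nil unless dn
  { uid: username, dn: dn, kerberos_principal: kerberos_principal_for(username, dn) }
end

# The proposed extra lookup: only for the kerberos provider, find the LDAP entry
# by the short username, then accept it only if the principal derived from LDAP
# equals the authenticated uid (case-insensitive), guarding against a nil entry.
def ldap_person_for_kerberos(auth_hash)
  return nil unless auth_hash[:provider] == 'kerberos'
  person = find_ldap_person(auth_hash[:info][:username])
  return nil unless person && person[:kerberos_principal]
  person[:kerberos_principal].casecmp?(auth_hash[:uid]) ? person : nil
end

# Constructed auth hashes modelled on the example above.
JOHN = { provider: 'kerberos', uid: 'john@KERBEROS.GITLAP.COM',
         info: { username: 'john', email: 'john@kerberos.gitlap.com' } }.freeze
# Same username exists in LDAP, but the authenticated realm does not match.
JANE_WRONG_REALM = { provider: 'kerberos', uid: 'jane@OTHER.REALM.NET',
                     info: { username: 'jane' } }.freeze

if __FILE__ == $PROGRAM_NAME
  p ldap_person_for_kerberos(JOHN)             # linked: principal matches
  p ldap_person_for_kerberos(JANE_WRONG_REALM) # nil: realm mismatch
end
```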