Check LDAP external users at sign in
External users in GitLab have restricted permissions and must be explicitly added to a project/group for access - https://docs.gitlab.com/ee/user/permissions.html#external-users
The LDAP group sync option `external_users` offers the ability to specify a group that contains "external users". By default an `ldap_group_sync_worker` is run every hour. This will mark any already created users as external.
- Alice adds Bob to the GitLab LDAP
- Alice also immediately adds Bob to the GitLab LDAP
- Bob signs into GitLab and is not an external user.
- Bob is able to access all internal projects
- After 1 hour (or less) the `ldap_group_sync_worker` marks Bob as an external user
The problem is that the user (Bob) will have access to internal projects until he is marked as an external user via the sync.
Check the user's `DN` on login and compare it against the
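The window in the steps above, with and without a sign-in check, as a small model added here (not GitLab's code). Class and method names are hypothetical, the DNs are constructed, and it assumes the sign-in comparison is against the members of the configured external-users group.

```ruby
# Toy model of the sign-in window (hypothetical names, not GitLab's code).
# DNs are compared in a canonical form: spaces around RDN parts trimmed and
# case folded. Assumes no escaped commas (the constructed sample DNs have none).
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.split('=', 2).map(&:strip).join('=') }.join(',').downcase
end

User = Struct.new(:dn, :external)

class Instance
  def initialize(external_group_dns, check_at_sign_in:)
    @external = external_group_dns.map { |dn| normalize_dn(dn) }
    @check_at_sign_in = check_at_sign_in
    @users = {}
  end

  def in_external_group?(dn)
    @external.include?(normalize_dn(dn))
  end

  # First sign-in creates the account as a regular (non-external) user.
  def sign_in(dn)
    user = (@users[normalize_dn(dn)] ||= User.new(dn, false))
    user.external = in_external_group?(dn) if @check_at_sign_in
    user
  end

  # Stands in for the hourly group sync worker.
  def run_group_sync
    @users.each_value { |u| u.external = in_external_group?(u.dn) }
  end

  def can_read_internal?(user)
    !user.external
  end
end

# Bob is in the external group before he first signs in.
def bob_timeline(check_at_sign_in:)
  gitlab = Instance.new(['CN=Bob, OU=People, DC=example, DC=com'], check_at_sign_in: check_at_sign_in)
  bob = gitlab.sign_in('cn=bob,ou=people,dc=example,dc=com')
  before = gitlab.can_read_internal?(bob)
  gitlab.run_group_sync
  { before_sync: before, after_sync: gitlab.can_read_internal?(bob) }
end

p bob_timeline(check_at_sign_in: false)
p bob_timeline(check_at_sign_in: true)
```

The DN from the login and the DN stored in the group can differ in case and spacing, so a plain string comparison at sign-in would miss Bob and leave the window open.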