
Check LDAP external users at sign in

Overview

External users in GitLab have restricted permissions and must be explicitly added to a project or group to get access - https://docs.gitlab.com/ee/user/permissions.html#external-users

The LDAP group sync option external_groups offers the ability to specify a group that contains "external users". By default an ldap_group_sync_worker is run every hour. This will mark any already created users in that group as external.

Problem

  1. Alice adds Bob to the GitLab LDAP base - dc=example,dc=org
  2. Alice also immediately adds Bob to the GitLab LDAP external_groups - cn=external,dc=example,dc=org
  3. Bob signs into GitLab and is not an external user.
    1. Bob is able to access all internal projects
  4. After 1 hour (or less) the ldap_group_sync_worker marks Bob as an external user

The problem is that the user (Bob) has access to internal projects from sign-in until the sync marks him as an external user.

Possible Solution

Check the user's DN on login and compare it against the group DNs formed from the external_groups and group_base values
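As an added illustration of that check (example code, not GitLab's own implementation), the function below takes the signing-in user's DN, the configured external_groups CNs and group_base, and decides immediately whether the user should be external. The directory is a constructed Hash of group DN to member DNs standing in for the group entries' member attribute, and DNs are normalized so case or whitespace differences do not let a group member slip through.

```ruby
# Added example, not GitLab's code: flag an LDAP user as external at sign-in
# instead of waiting for the hourly ldap_group_sync_worker.
# Assumption: the directory is a constructed Hash { group DN => [member DNs] }
# mirroring the `member` attribute of each LDAP group entry.

# Normalize a DN so that case and whitespace differences between what the
# directory returns and what is configured do not cause a false negative.
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.strip.downcase }.join(',')
end

# Build the full DN of each configured external group from its CN and the
# group_base, matching the issue's cn=external,dc=example,dc=org form.
def external_group_dns(external_groups, group_base)
  external_groups.map { |cn| normalize_dn("cn=#{cn},#{group_base}") }
end

# Look up a group's members by normalized DN, tolerating unnormalized keys.
def members_of(directory, group_dn)
  entry = directory.find { |dn, _members| normalize_dn(dn) == group_dn }
  entry ? entry.last : []
end

# True when the user's DN appears in any configured external group.
def external_user?(user_dn, external_groups, group_base, directory)
  wanted = normalize_dn(user_dn)
  external_group_dns(external_groups, group_base).any? do |group_dn|
    members_of(directory, group_dn).any? { |m| normalize_dn(m) == wanted }
  end
end

# Constructed sample directory reflecting the scenario in the issue.
SAMPLE_DIRECTORY = {
  'CN=External, DC=example, DC=org' => ['uid=bob,ou=people,dc=example,dc=org'],
  'cn=developers,dc=example,dc=org' => ['uid=alice,ou=people,dc=example,dc=org']
}.freeze

# The check that would run at sign-in for the issue's configuration.
def sign_in_check(user_dn)
  external_user?(user_dn, ['external'], 'dc=example,dc=org', SAMPLE_DIRECTORY)
end

if __FILE__ == $PROGRAM_NAME
  puts "bob external?   #{sign_in_check('uid=bob,ou=people,dc=example,dc=org')}"   # true
  puts "alice external? #{sign_in_check('uid=alice,ou=people,dc=example,dc=org')}" # false
end
```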

Links