LDAP API security change caused regression in LDAP group sync
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/41827
In 10.4.3 (and backports to 10.3 and 10.2) we released a change restricting the LDAP API to admins only. However, some LDAP API endpoints are used by JS to facilitate autocomplete/choosing an LDAP group for LDAP group synchronization. After this security change, group owners are no longer able to configure LDAP group sync due to a 403 Forbidden JS error.
Steps to reproduce
- Set up LDAP with group base.
- Create a new group as a non-admin.
- Go to Settings -> LDAP synchronizations
- Attempt to search for an LDAP group.
- Observe no results found. JS console shows 403 errors.
The specific endpoint this form uses is `/api/v4/ldap/ldapmain/groups.json`.
cc/ @stanhu Looks like you were involved with the security release so probably have some background here. Thoughts?
Edited by Drew Blessing
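The authorization decision at the heart of this regression, as an added example that is not GitLab's own code and not the fix that shipped. It models two rules side by side: the admin-only gate introduced by the security release, and one candidate corrected rule that also admits users who own at least one group, so that a non-admin group owner configuring LDAP group sync is no longer answered with 403. The user/group/membership structures, the access-level numbers, and the function names are assumptions for illustration.

```ruby
# Added example (not GitLab's code): a minimal model of the authorization
# decision behind the LDAP group sync regression. The "admin_only" rule is
# the 10.4.3 security change (LDAP API for admins only); the "owner_or_admin"
# rule is one plausible correction (admins OR users who own at least one
# group). All names and structures here are assumptions for illustration.

User = Struct.new(:username, :admin, keyword_init: true)
Group = Struct.new(:path, keyword_init: true)

# Membership access levels; the numeric scheme is assumed for this example.
OWNER = 50
DEVELOPER = 30

class Memberships
  def initialize
    @rows = [] # each row is [user, group, access_level]
  end

  def add(user, group, level)
    @rows << [user, group, level]
    self
  end

  # True when the user holds Owner on at least one group.
  def owns_any_group?(user)
    @rows.any? { |u, _g, level| u == user && level >= OWNER }
  end
end

class Forbidden < StandardError; end

# Rule as shipped in the security release: a hard admin-only gate, which is
# what turns a group owner's autocomplete request into a 403.
def authorize_ldap_groups_admin_only!(user)
  raise Forbidden, "403 Forbidden" unless user.admin
  true
end

# Candidate corrected rule: admins, plus users who own at least one group,
# so a group owner setting up LDAP group sync can search LDAP groups.
def authorize_ldap_groups_for_sync!(user, memberships)
  return true if user.admin
  return true if memberships.owns_any_group?(user)
  raise Forbidden, "403 Forbidden"
end

# Returns the HTTP status the endpoint would answer with under a given rule,
# instead of raising, so the two rules can be compared directly.
def ldap_groups_status(user, memberships, rule:)
  case rule
  when :admin_only then authorize_ldap_groups_admin_only!(user)
  when :owner_or_admin then authorize_ldap_groups_for_sync!(user, memberships)
  else raise ArgumentError, "unknown rule #{rule}"
  end
  200
rescue Forbidden
  403
end

# Constructed sample data: an admin, a non-admin group owner, and a developer
# who is a member of the same group but not an owner.
def sample_world
  admin = User.new(username: "root", admin: true)
  owner = User.new(username: "alice", admin: false)
  dev = User.new(username: "bob", admin: false)
  group = Group.new(path: "team")
  memberships = Memberships.new
                  .add(owner, group, OWNER)
                  .add(dev, group, DEVELOPER)
  { admin: admin, owner: owner, dev: dev, memberships: memberships }
end

if __FILE__ == $PROGRAM_NAME
  w = sample_world
  %i[admin owner dev].each do |who|
    before = ldap_groups_status(w[who], w[:memberships], rule: :admin_only)
    after = ldap_groups_status(w[who], w[:memberships], rule: :owner_or_admin)
    puts "#{w[who].username}: admin_only=#{before} owner_or_admin=#{after}"
  end
end
```

Running the script prints one line per sample user; the group owner is the only one whose status changes between the two rules, which is exactly the population the steps to reproduce above exercise. A developer without Owner stays at 403 under both rules, which is the check a reviewer would want before loosening an admin-only endpoint.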