`Gitlab::LDAP::Person` should use LDAP attribute list
Summary
In `gitlab.yml` we allow users to set an LDAP `attributes` hash to specify which attributes will be tried when pulling in LDAP users. There are several issues, though.

- `Gitlab::LDAP::Person` does not use this attribute list. For example, `#email` only looks for the `mail` attribute even though LDAP may return only `userPrincipalName`. This led to the problem we saw with a customer in https://gitlab.zendesk.com/agent/tickets/54667
- `omniauth-ldap` doesn't support custom attributes. The custom attributes support was introduced in https://gitlab.com/gitlab-org/gitlab-ce/commit/c915e2c8237ddcae57ec48e700badd9d5bfd8c8c (easiest way to see all the moving parts). However, `omniauth-ldap` hard-coded the attributes hash at https://github.com/intridea/omniauth-ldap/blob/master/lib/omniauth/strategies/ldap.rb#L7. As I understand this, the custom attribute support we have in GitLab will only work if it matches one of the values in the hash in omniauth.
Two things need to happen. The first is in context for this issue and the second is out of context because it involves changes in `omniauth-ldap`.
`Gitlab::LDAP::Person` should use this attribute list. For example, `#email` should try each attribute in turn and return the first one it finds.
cc/ @MrChrisW
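The lookup behaviour the issue asks for, as an added example that is not GitLab's or omniauth-ldap's own code: a small class that walks a configured attribute list in order and returns the first value the LDAP entry actually carries, so an Active Directory entry exposing only `userPrincipalName` still yields an email. The class name `LdapPersonExample`, the `DEFAULT_ATTRIBUTES` hash and the two entries are assumptions made up for illustration; entries are modelled as a plain hash of lowercased attribute name to array of values (the shape net-ldap hands back) so the example runs offline without the gem.

```ruby
# Added example, not GitLab code: resolve a person's attribute by trying
# each configured LDAP attribute in turn, as the issue proposes for
# Gitlab::LDAP::Person#email.
class LdapPersonExample
  # Stand-in for the `attributes:` hash a gitlab.yml LDAP server block
  # would carry. The order matters: it is the order of lookup. Values
  # may be a single attribute name or a list of candidates.
  DEFAULT_ATTRIBUTES = {
    'username' => %w[uid userid sAMAccountName],
    'email'    => %w[mail email userPrincipalName],
    'name'     => 'cn'
  }.freeze

  # entry: Hash of lowercased attribute name => Array of values,
  #        mimicking a Net::LDAP::Entry (which downcases attribute names).
  # attributes: the configured attribute list, keyed by logical field.
  def initialize(entry, attributes: DEFAULT_ATTRIBUTES)
    @entry = entry
    @attributes = attributes
  end

  # Try each configured LDAP attribute for +field+ in order and return the
  # first non-empty value found; nil if the entry carries none of them.
  # Attribute names are compared case-insensitively, as LDAP does.
  def attribute_value(field)
    Array(@attributes.fetch(field.to_s, [])).each do |attr|
      values = @entry[attr.to_s.downcase]
      next if values.nil? || values.empty?
      return values.first
    end
    nil
  end

  def email
    attribute_value('email')
  end

  def username
    attribute_value('username')
  end

  def name
    attribute_value('name')
  end
end

# Constructed sample entries (not real directory data).
# An AD-style entry with no `mail` attribute at all: only a lookup that
# falls through to userPrincipalName finds an address here.
AD_ENTRY = {
  'dn' => ['CN=Jane Doe,OU=Users,DC=example,DC=com'],
  'cn' => ['Jane Doe'],
  'samaccountname' => ['jdoe'],
  'userprincipalname' => ['jdoe@example.com']
}.freeze

# An OpenLDAP-style entry where the first candidate (`mail`) is present.
OPENLDAP_ENTRY = {
  'dn' => ['uid=jdoe,ou=people,dc=example,dc=org'],
  'cn' => ['Jane Doe'],
  'uid' => ['jdoe'],
  'mail' => ['jdoe@example.org']
}.freeze

if $PROGRAM_NAME == __FILE__
  [AD_ENTRY, OPENLDAP_ENTRY].each do |entry|
    person = LdapPersonExample.new(entry)
    puts "#{entry['dn'].first}: username=#{person.username.inspect} email=#{person.email.inspect}"
  end
end
```

Passing a custom `attributes:` hash (for example adding a site-specific mail attribute to the `email` list) changes the lookup order without touching the class, which is the point of reading the list from configuration rather than hard-coding `mail`.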