
`Gitlab::LDAP::Person` should use LDAP attribute list

Summary

In gitlab.yml we allow users to set an LDAP attributes hash to specify which attributes will be tried when pulling in LDAP users. There are several issues, though.

  1. `Gitlab::LDAP::Person` does not use this attribute list. For example, `#email` only looks for the `mail` attribute even though LDAP may return only `userPrincipalName`. This led to the problem we saw with a customer in https://gitlab.zendesk.com/agent/tickets/54667
  2. omniauth-ldap doesn't support custom attributes. The custom attributes support was introduced in https://gitlab.com/gitlab-org/gitlab-ce/commit/c915e2c8237ddcae57ec48e700badd9d5bfd8c8c (easiest way to see all the moving parts). However, omniauth-ldap hard-coded the attributes hash at https://github.com/intridea/omniauth-ldap/blob/master/lib/omniauth/strategies/ldap.rb#L7. As I understand this, the custom attribute support we have in GitLab will only work if it matches one of the values in the hash in omniauth.

Two things need to happen. The first is in scope for this issue; the second is out of scope because it involves changes in omniauth-ldap.

`Gitlab::LDAP::Person` should use this attribute list. For example, `#email` should try each configured attribute in turn and return the first value it finds.
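The lookup behaviour proposed above, written as an added example that is not GitLab's own code: a person object resolves each logical field (`email`, `username`, `name`) by trying the attribute names from a gitlab.yml-style `attributes` hash in order and returning the first non-blank value. `LdapPersonExample`, `DEFAULT_ATTRIBUTES` and the `AD_ENTRY` sample are constructed for this example; the entry is a plain Hash standing in for a `Net::LDAP::Entry`.

```ruby
# Added example, not code from GitLab or omniauth-ldap. The attribute lists
# below are assumed defaults that a gitlab.yml `attributes:` block would
# override; each value may be a single attribute name or an array of names.
DEFAULT_ATTRIBUTES = {
  'username' => %w[uid sAMAccountName userid],
  'email'    => %w[mail email userPrincipalName],
  'name'     => 'cn'
}.freeze

class LdapPersonExample
  # entry: Hash of attribute name => value(s), a stand-in for Net::LDAP::Entry
  # attributes: per-installation overrides, same shape as DEFAULT_ATTRIBUTES
  def initialize(entry, attributes = {})
    # LDAP attribute names are case-insensitive, so normalise the entry once.
    @entry = entry.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = Array(v) }
    @attributes = DEFAULT_ATTRIBUTES.merge(attributes)
  end

  def email;    attribute_value('email');    end
  def username; attribute_value('username'); end
  def name;     attribute_value('name');     end

  private

  # Try each configured attribute in turn and return the first non-blank
  # value; nil when none of the configured attributes is set on the entry.
  def attribute_value(field)
    Array(@attributes[field]).each do |attr|
      values = @entry[attr.downcase] || []
      value = values.map { |v| v.to_s.strip }.find { |v| !v.empty? }
      return value if value
    end
    nil
  end
end

# Constructed sample entry: an Active Directory style user whose address is
# only in userPrincipalName, with an empty `mail` attribute that must be skipped.
AD_ENTRY = {
  'dn' => ['CN=Jane Doe,OU=Users,DC=example,DC=com'],
  'cn' => ['Jane Doe'],
  'sAMAccountName' => ['jdoe'],
  'userPrincipalName' => ['jdoe@example.com'],
  'mail' => ['']
}.freeze

if __FILE__ == $PROGRAM_NAME
  person = LdapPersonExample.new(AD_ENTRY)
  puts person.email     # jdoe@example.com
  puts person.username  # jdoe
end
```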

cc/ @MrChrisW