Account management bug for admin and user self management when account made with LDAP but then LDAP disabled.
📖 GLOSSARY OF TERMS
-
Group
🅰 - This is the group that had the identity for the account deleted while the LDAP was still enabled and working fine.
- The admin can go to these user's identity tab.
- There is nothing there but it does not cause an error like Group
🅱 does for the same action - These users are able to see the password menu item on profile settings.
- There is nothing there but it does not cause an error like Group
-
Group
🅱 - This is the group that was created the same as group
🅰 but the identities were not deleted before the LDAP integration was disabled. - This group still lists LDAP identity string values, even though LDAP is disabled
- this group had their password manually changed by the admin
- the admin asked the users to change their own password to what they want
- the password menu item does not show for these users because the LDAP string is likely triggering the UI to hide the password menu for LDAP users.
- if the admin tries to go to these user's identity tab, they get a 500 error.
- if the user tries to manually go to http:///profile/password/edit, they get a page not found error.
- If the admin reenables the LDAP to then try to delete the identities to make these users act the same as Group
🅰 users, the same 500 error occurs on the identities tab for a user profile.
- This is the group that was created the same as group
▶ HOW TO REPRODUCE
-
1️⃣ integrate GitLab with LDAP -
2️⃣ Create user accounts by logging in with valid LDAP credentials -
3️⃣ Manage accounts- On some accounts, delete the identity. We'll call this Group
🅰 - On other accounts, do not delete identities.
- On some accounts, delete the identity. We'll call this Group
-
4️⃣ Disable LDAP integration -
5️⃣ Manually reset all users in both groups' passwords. -
6️⃣ Experience errors- Log in as users for each Group and try to change your password
- Group
🅰 users will have no error - Group
🅱 users can work fine but they cannot change their password
- Group
- Log in as admin and try to delete identities for Group
🅱 . You will get error.
- Log in as users for each Group and try to change your password
▶ BACKSTORY
I enabled LDAP integration. Our current LDAP isn't setup correctly. I was able to get people to log in but our LDAP has no email information. We are going to deploy a new LDAP. So, I already had people create accounts. So I just converted them to local authentication. I removed some of the identities first but not all. Then did the pw reset and disabled the LDAP. I think I disabled the LDAP before resetting PWs. But now all of the Group
💡 OP's RECOMMENDATION
- Don't auto delete LDAP string on users if LDAP is disabled. Keep that functionality the same.
- Alter logic that hides PW menu to check if the LDAP flag is set to true as well. If the LDAP flag is set to false, ignore any identites and LDAP string information.
- Or come up with some other way to be able to convert accounts easier.
ℹ SCREENSHOT LEGEND
- Private information redaction color codes:
- Redacted personal info with grey boxes
- Redacted privately hosted domain with red box (gitlab.example.com)
📷 Admin Identity Management Error for a Group 🅱 user:
📷 Missing Password Navigation Menu and Email Read Only for LDAP For a Group 🅱 user
📷 Manual Attempt
