
Improvement to LDAP error handling (LDAP search error: Invalid DN Syntax) when user_filter doesn't match


Summary

When SAML authentication succeeds but the user is blocked by the LDAP user_filter, the app throws a DN error:

LDAP search error: Invalid DN Syntax

However the error should return something like:

LDAP search error: User blocked by user filter $USER_FILTER

As noted by customer:

Users (and myself) found the 422 page and error confusing. Is that the expected behavior?

I’m guessing it is because they are allowed through SAML, but then blocked in the AD lookup, but it looks in the logs like there is a DN error, when in fact they are blocked by the user_filter.

Note that this error resulted in a lengthy support investigation that the customer could easily have resolved themselves if the correct error had been displayed.

Steps to reproduce

In an LDAP-enabled environment, log on to the application as a user that is blocked by the user_filter in LDAP. Note the 422 error that is returned.

Possible fixes

If the filter blocks the user, the lookup fails with the generic DN error instead of failing with the correct error message.

https://gitlab.com/gitlab-org/gitlab-ee/blob/v9.2.0-ee/lib/gitlab/ldap/adapter.rb#L63
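As an added example (not GitLab's adapter code), this Ruby sketch shows the distinction the fix needs: look the user up by uid first, then apply user_filter, and raise a filter-specific error only when the second step excludes the user. The in-memory directory, the user_filter value and the single-clause filter matcher are constructed assumptions standing in for a real LDAP server and Net::LDAP.

```ruby
# Added example, not GitLab's adapter code: distinguish "no such user" from
# "user excluded by user_filter" so the right error reaches logs and the UI.
# Assumptions (constructed): an in-memory directory stands in for the LDAP
# server, and filters are single "(attr=value)" equality clauses.
DIRECTORY = [
  { dn: 'uid=alice,ou=people,dc=example,dc=com', uid: 'alice',
    memberof: 'cn=gitlab,ou=groups,dc=example,dc=com' },
  { dn: 'uid=bob,ou=people,dc=example,dc=com', uid: 'bob',
    memberof: 'cn=other,ou=groups,dc=example,dc=com' }
].freeze

# Hypothetical user_filter as it would appear in gitlab.yml (constructed).
USER_FILTER = '(memberof=cn=gitlab,ou=groups,dc=example,dc=com)'.freeze

class LdapUserNotFound < StandardError; end
class LdapUserBlockedByFilter < StandardError; end

# Evaluate one equality clause against an entry. A real adapter would hand
# the string to Net::LDAP::Filter.construct instead of parsing it by hand.
def matches?(entry, filter)
  attr, value = filter.delete_prefix('(').delete_suffix(')').split('=', 2)
  entry[attr.to_sym] == value
end

# Look the user up twice: first by uid alone, then with user_filter applied.
# An entry that exists but drops out in the second step is a filter block,
# not a DN problem, and is reported as such.
def find_user(uid, user_filter: USER_FILTER, directory: DIRECTORY)
  # Constructed example only: real code must LDAP-escape uid before use.
  by_uid = directory.select { |e| matches?(e, "(uid=#{uid})") }
  raise LdapUserNotFound, "LDAP search error: no entry for uid=#{uid}" if by_uid.empty?

  allowed = if user_filter.nil? || user_filter.empty?
              by_uid
            else
              by_uid.select { |e| matches?(e, user_filter) }
            end
  if allowed.empty?
    raise LdapUserBlockedByFilter,
          "LDAP search error: User blocked by user filter #{user_filter}"
  end
  allowed.first
end
```

In the example, `alice` is returned, `carol` raises the not-found error, and `bob` raises the user-filter error with the configured filter in the message, which is the distinction the 422 page currently hides.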

ZD: https://gitlab.zendesk.com/agent/tickets/78273
