Follow-up from "Attempt to link saml users to ldap by email"
The following discussion from gitlab-ce!14216 should be addressed:
- @DouweM started a discussion: (+3 comments) Can we wrap these into a single LDAP search, as suggested in https://gitlab.com/gitlab-org/gitlab-ce/issues/33493:

  At a minimum we could add a third lookup so we had first lookup by UID, then DN, then email. Unfortunately, this means up to 3 queries each and every time a user signs in. This logic is in Gitlab::OAuth::User#ldap_person. There are a couple of ways I think we can reduce this:

  - Turn the individual queries into a compound filter query. Instead of (uid=foo) and then (dn=foo), we could build an OR query like (|(uid=foo)(dn=foo)(email=foo)) and take the result. We may need to check if there are multiple values returned and have some order of precedence, but it is probably more performant.
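The compound-filter idea quoted above, sketched as an added Ruby example (not GitLab's code and not from the linked issue): it builds the single OR filter with RFC 4515 escaping of the identifier received at sign-in, then applies the UID, DN, email precedence to whatever the one search returns. The helper names, the case-insensitive comparison and the sample entries are assumptions made for illustration; the attribute names are the ones used in the quoted filter.

```ruby
# Added example, not GitLab code. Attribute names come from the quoted filter.
LOOKUP_PRECEDENCE = %w[uid dn email].freeze

class AmbiguousMatch < StandardError; end

# Escape a value for an LDAP search filter (RFC 4515): \ * ( ) and NUL
# become backslash + two hex digits, so the value cannot alter the filter.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# One OR filter covering every lookup attribute.
def compound_filter(identifier)
  value = escape_filter_value(identifier)
  "(|#{LOOKUP_PRECEDENCE.map { |attr| "(#{attr}=#{value})" }.join})"
end

# Choose among the entries one search returned: the first attribute in
# LOOKUP_PRECEDENCE with a match wins; two entries matching on the same
# attribute are refused rather than guessed at.
# Assumption: values compare case-insensitively.
def pick_entry(entries, identifier)
  wanted = identifier.to_s.downcase
  LOOKUP_PRECEDENCE.each do |attr|
    hits = entries.select { |e| Array(e[attr]).any? { |v| v.to_s.downcase == wanted } }
    raise AmbiguousMatch, "#{hits.size} entries match on #{attr}" if hits.size > 1
    return hits.first if hits.size == 1
  end
  nil
end

# Constructed sample results (hashes standing in for LDAP entries).
SAMPLE_ENTRIES = [
  { 'dn' => ['uid=jdoe,ou=people,dc=example,dc=com'], 'uid' => ['jdoe'],
    'email' => ['shared@example.com'] },
  { 'dn' => ['uid=shared@example.com,ou=people,dc=example,dc=com'],
    'uid' => ['shared@example.com'], 'email' => ['svc@example.com'] }
].freeze

puts compound_filter('foo')
puts compound_filter('*)(uid=*')
puts pick_entry(SAMPLE_ENTRIES, 'shared@example.com')['dn'].first
```

In the sample data both entries match the same identifier, one by UID and one by email; the precedence order decides which account the sign-in is linked to, and an ambiguous match on a single attribute raises instead of picking one.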