LDAP User / Local User Assignment does not work when the LDAP User has multiple E-Mail addresses
I am trying to set up LDAP authentication on my existing GitLab installation. However, despite the documentation, the local users are not assigned properly to the LDAP users even though the e-mail addresses match up.
The reason is that the LDAP user has multiple E-Mail addresses configured like so:
```
dn: uid=zem,cn=users,cn=accounts,dc=conesphere,dc=nospam
givenName: Hans
sn: Freitag
uid: zem
cn: Hans Freitag
displayName: Hans Freitag
initials: HF
gecos: Hans Freitag
krbPrincipalName: zem@CONESPHERE.NOSPAM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/bash
homeDirectory: /home/zem
mail: zem@conesphere.nospam
mail: hans.freitag@conesphere.nospam
mail: hans@conesphere.nospam
mail: freitag@conesphere.nospam
krbCanonicalName: zem@CONESPHERE.NOSPAM
```
The corresponding user in GitLab has the e-mail hans.freitag@conesphere.nospam.
The annoying thing is that the assignment does work if I delete zem@conesphere.nospam from the list of e-mail addresses and re-add it. The LDIF delivered back by ldapsearch will then have a slightly different order:
```
mail: hans.freitag@conesphere.nospam
mail: hans@conesphere.nospam
mail: freitag@conesphere.nospam
mail: zem@conesphere.nospam
```
GitLab should honour that users probably have multiple e-mail addresses configured, and I am not sure if there is any standard in the LDAP protocol to always keep the order of those e-mail address entries in a query.
My GitLab version is recent: 12.8.2 (785e16f105a)
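
The ordering question from the post, as an added example (not part of the original report and not GitLab's code): RFC 4511 defines the values of an attribute as an unordered set and says implementations must not rely on the order being repeatable, so a match on only the first `mail` value depends on whatever order the server happens to return. The sketch compares that first-value behaviour, which is assumed here from the symptoms described above, with an order-independent match; all method names are hypothetical and the LDIF is trimmed from the entry in the post.

```ruby
# Constructed sample: the two orderings of the mail attribute quoted in the post.
ORDER_BEFORE = <<~LDIF
  dn: uid=zem,cn=users,cn=accounts,dc=conesphere,dc=nospam
  mail: zem@conesphere.nospam
  mail: hans.freitag@conesphere.nospam
  mail: hans@conesphere.nospam
  mail: freitag@conesphere.nospam
LDIF

ORDER_AFTER = <<~LDIF
  dn: uid=zem,cn=users,cn=accounts,dc=conesphere,dc=nospam
  mail: hans.freitag@conesphere.nospam
  mail: hans@conesphere.nospam
  mail: freitag@conesphere.nospam
  mail: zem@conesphere.nospam
LDIF

LOCAL_EMAIL = 'hans.freitag@conesphere.nospam'

# Collect every value of one attribute from a single plain-text LDIF entry.
# Attribute names compare case-insensitively. Base64 values ("attr:: ...")
# are skipped and folded continuation lines are not handled in this sketch.
def ldif_values(ldif, attribute)
  ldif.each_line.map do |line|
    m = line.chomp.match(/\A([^:]+):(?!:)\s*(.+)\z/)
    m[2] if m && m[1].casecmp?(attribute)
  end.compact
end

# Assumption: addresses are compared after trimming and lowercasing.
def normalize(email)
  email.strip.downcase
end

# Order-dependent: only the first returned value is compared.
def first_value_match?(ldif, local_email)
  first = ldif_values(ldif, 'mail').first
  !first.nil? && normalize(first) == normalize(local_email)
end

# Order-independent: the local address is tested against the whole value set.
def any_value_match?(ldif, local_email)
  ldif_values(ldif, 'mail').map { |v| normalize(v) }.include?(normalize(local_email))
end
```

Matching on any value widens what can link a directory entry to an existing local account, so it fits only where users cannot write their own `mail` attribute.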