  • #210492
Closed
Created Mar 12, 2020 by Blair Lunceford (@blunceford), Contributor

Cannot change user name via user sync when LDAP is enabled

Summary

In 12.8, a read-only state was added for LDAP attributes. Looking at the MR for this feature, the feature is enabled by default, and when LDAP is enabled, the email and name are set as read-only in the User model.

This feature is also enabled by default in the user update service, which causes the read-only attributes, email and name, to be removed from the update parameters. This prevents updating user names, even via LDAP user sync.

This feature's purpose wasn't to block changes via LDAP user sync. From the feature proposal description, it should allow the sync to update information, but just prevent updates via the GitLab UI. It is currently blocking

Steps to reproduce

  1. Enable LDAP on a test instance running 12.8 and sync users
  2. Try to change a user's name in LDAP and run a user sync; it doesn't change in GitLab

What is the current bug behavior?

User information can't be updated in GitLab when LDAP is enabled, even through LDAP user sync.

What is the expected correct behavior?

The ldap_readonly_attributes feature should only affect edits in the GitLab UI. It should still allow changes via the LDAP User Sync (keeping LDAP the single source of truth).

Output of checks - I ran in GDK

Results of GitLab environment info


System information
System:
Proxy: rvm_proxy:
Current User: blairlunceford
Using RVM: yes
RVM Version: 1.29.9
Ruby Version: 2.6.5p114
Gem Version: 3.0.6
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.25.0
Sidekiq Version: 5.2.7
Go Version: go1.13.6 darwin/amd64

GitLab information
Version: 12.9.0-pre
Revision: 206bdcc7a2d
Directory: /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab
DB Adapter: PostgreSQL
DB Version: 10.11
URL: http://127.0.0.1:3000
HTTP Clone URL: http://127.0.0.1:3000/some-group/some-project.git
SSH Clone URL: ssh://blairlunceford@127.0.0.1:2222/some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: google_oauth2

GitLab Shell
Version: 12.0.0
Repository storage paths:
  • default: /
GitLab Shell path: /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab-shell
Git: /usr/local/bin/git

Results of GitLab application Check


Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ...
GitLab Shell version >= 12.0.0 ? ... OK (12.0.0)
Running /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ...
Running? ... yes
Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ... Reply by email is disabled in config/gitlab.yml

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ...
Server: ldapmain
LDAP authentication... Anonymous. No `bind_dn` or `password` configured
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... no
Trying to fix error automatically. ...Success
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... no
  Try fixing it:
  sudo chmod 700 /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab/public/uploads
  For more information see:
  doc/install/installation.md in section "GitLab"
  Please fix the error above and rerun the checks.
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... no
  Try fixing it:
  Install the init script
  For more information see:
  doc/install/installation.md in section "Install Init Script"
  Please fix the error above and rerun the checks.
Init script up-to-date? ... can't check because of previous errors
Projects have namespace: ...
22/1 ... yes
22/2 ... yes
23/3 ... yes
24/4 ... yes
25/5 ... yes
26/6 ... yes
27/7 ... yes
28/8 ... yes
51/9 ... yes
29/10 ... yes
13/11 ... yes
49/12 ... yes
21/13 ... yes
15/14 ... yes
10/15 ... yes
19/16 ... yes
9/17 ... yes
4/18 ... yes
52/19 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.5)
Git version >= 2.22.0 ? ... yes (2.25.0)
Git user has default SSH configuration? ... no
  Try fixing it:
  mkdir ~/gitlab-check-backup-1584053683
  sudo mv /Users/blairlunceford/.ssh/id_ed25519 ~/gitlab-check-backup-1584053683
  sudo mv /Users/blairlunceford/.ssh/id_ed25519.pub ~/gitlab-check-backup-1584053683
  For more information see:
  doc/ssh/README.md in section "SSH on the GitLab server"
  Please fix the error above and rerun the checks.
Active users: ... 45
Is authorized keys file accessible? ... yes
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Possible fixes

I think the main issue is that the LDAP User Sync updates via the User Update Service, which won't update read-only attributes. The new feature makes the name and email read only by default, which prevents them from being updated via user sync.

https://gitlab.com/gitlab-org/gitlab/-/blob/v12.8.6-ee/app/services/users/update_service.rb#L55

Edited Mar 20, 2020 by Blair Lunceford
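
The behaviour reported above, as an added Ruby model that is not part of the original report and is not GitLab's code: an update service that strips read-only attributes for every caller also silently drops directory-sync updates, while a variant that exempts only the sync path keeps UI edits blocked. All class, method and parameter names (`DirectoryUser`, `UserUpdater`, `source:`, `sync_exempt:`) are hypothetical.

```ruby
# Simplified model of the behaviour described in this issue; NOT GitLab's code.
# Every class, method and parameter name here is hypothetical.
class DirectoryUser
  attr_accessor :name, :email
  attr_reader :read_only_attributes

  def initialize(name:, email:, ldap_managed:)
    @name = name
    @email = email
    # With LDAP enabled, name and email are marked read-only (as the issue describes).
    @read_only_attributes = ldap_managed ? %i[name email] : []
  end
end

class UserUpdater
  ALLOWED = %i[name email].freeze # never write attributes outside this list

  # source: :ui for profile edits, :ldap_sync for the directory sync job.
  # sync_exempt: false models the reported behaviour, true the expected one.
  def initialize(user, params, source: :ui, sync_exempt: false)
    @user = user
    @params = params.slice(*ALLOWED)
    @source = source
    @sync_exempt = sync_exempt
  end

  # Returns the list of attributes that were actually written.
  def execute
    discard_read_only_attributes unless @sync_exempt && @source == :ldap_sync
    @params.each { |attr, value| @user.public_send("#{attr}=", value) }
    @params.keys
  end

  private

  def discard_read_only_attributes
    @params.reject! { |attr, _| @user.read_only_attributes.include?(attr) }
  end
end

# Constructed sample: the directory entry was renamed to "Alex Smith-Jones".
def run_scenario(source:, sync_exempt:)
  user = DirectoryUser.new(name: "Alex Smith", email: "alex@example.com", ldap_managed: true)
  written = UserUpdater.new(user, { name: "Alex Smith-Jones" },
                            source: source, sync_exempt: sync_exempt).execute
  [user.name, written]
end

p run_scenario(source: :ldap_sync, sync_exempt: false) # reported: sync update dropped
p run_scenario(source: :ldap_sync, sync_exempt: true)  # expected: sync update applied
p run_scenario(source: :ui, sync_exempt: true)         # UI edit stays blocked
```

Because the dropped update raises no error, the stale name only shows up by comparing the directory entry with the stored user record after a sync.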