Cannot change user name via user sync when LDAP is enabled
Summary
In 12.8, a read-only state was added for LDAP attributes. Looking at the MR for this feature, the feature is enabled by default, and when LDAP is enabled, the email and name are set as read-only in the User model.
This feature is also enabled by default in the user update service, which removes the read-only attributes, email and name, from the update parameters. Because the LDAP user sync updates users through that same service, this prevents user names from being updated even via LDAP user sync.
This feature's purpose wasn't to block changes via LDAP user sync. From the feature proposal description, it should allow the sync to update information, but just prevent updates via the GitLab UI. It is currently blocking
Steps to reproduce
- Enable LDAP on a test instance running 12.8 and sync users
- Change a user's name in LDAP and run a user sync; the name does not change in GitLab
What is the current bug behavior?
User information can't be updated in GitLab when LDAP is enabled, even through LDAP user sync.
What is the expected correct behavior?
The ldap_readonly_attributes feature should only affect edits in the GitLab UI. It should still allow changes via the LDAP User Sync (keeping LDAP the single source of truth).
Output of checks - I ran in GDK
Results of GitLab environment info
System information
System:
Proxy:
rvm_proxy:
Current User: blairlunceford
Using RVM: yes
RVM Version: 1.29.9
Ruby Version: 2.6.5p114
Gem Version: 3.0.6
Bundler Version: 1.17.3
Rake Version: 12.3.3
Redis Version: 5.0.7
Git Version: 2.25.0
Sidekiq Version: 5.2.7
Go Version: go1.13.6 darwin/amd64

GitLab information
Version: 12.9.0-pre
Revision: 206bdcc7a2d
Directory: /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab
DB Adapter: PostgreSQL
DB Version: 10.11
URL: http://127.0.0.1:3000
HTTP Clone URL: http://127.0.0.1:3000/some-group/some-project.git
SSH Clone URL: ssh://blairlunceford@127.0.0.1:2222/some-group/some-project.git
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: google_oauth2

GitLab Shell
Version: 12.0.0
Repository storage paths:
- default: /
GitLab Shell path: /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab-shell
Git: /usr/local/bin/git
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 12.0.0 ? ... OK (12.0.0)
Running /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Anonymous. No bind_dn or password configured
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Git configured correctly? ... no
Trying to fix error automatically. ...Success
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... no
  Try fixing it:
  sudo chmod 700 /Users/blairlunceford/gitlab-development/gitlab-development-kit/gitlab/public/uploads
  For more information see:
  doc/install/installation.md in section "GitLab"
  Please fix the error above and rerun the checks.
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... no
  Try fixing it:
  Install the init script
  For more information see:
  doc/install/installation.md in section "Install Init Script"
  Please fix the error above and rerun the checks.
Init script up-to-date? ... can't check because of previous errors
Projects have namespace: ...
22/1 ... yes 22/2 ... yes 23/3 ... yes 24/4 ... yes 25/5 ... yes 26/6 ... yes 27/7 ... yes 28/8 ... yes 51/9 ... yes 29/10 ... yes 13/11 ... yes 49/12 ... yes 21/13 ... yes 15/14 ... yes 10/15 ... yes 19/16 ... yes 9/17 ... yes 4/18 ... yes 52/19 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.5)
Git version >= 2.22.0 ? ... yes (2.25.0)
Git user has default SSH configuration? ... no
  Try fixing it:
  mkdir ~/gitlab-check-backup-1584053683
  sudo mv /Users/blairlunceford/.ssh/id_ed25519 ~/gitlab-check-backup-1584053683
  sudo mv /Users/blairlunceford/.ssh/id_ed25519.pub ~/gitlab-check-backup-1584053683
  For more information see:
  doc/ssh/README.md in section "SSH on the GitLab server"
  Please fix the error above and rerun the checks.
Active users: ... 45
Is authorized keys file accessible? ... yes
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
I think the main issue is that the LDAP User Sync updates via the User Update Service, which won't update read-only attributes. The new feature makes the name and email read only by default, which prevents them from being updated via user sync.
https://gitlab.com/gitlab-org/gitlab/-/blob/v12.8.6-ee/app/services/users/update_service.rb#L55
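The following is an added illustration of the interaction described in the summary and in the possible fix above. It is not GitLab's code: the classes `DemoUser` and `DemoUpdateService`, the `source:` option and the `fixed:` switch are all hypothetical stand-ins for the User model and Users::UpdateService, chosen only to show why stripping read-only attributes in one shared service blocks the LDAP sync, and how exempting sync-originated updates restores LDAP as the source of truth while the UI stays read-only.

```ruby
# Added illustration, not GitLab's code. All class, method and option names
# here are hypothetical; they model the behaviour described in the issue.

# Stand-in for the User model: when the user comes from LDAP, name and
# email are treated as read-only (the ldap_readonly_attributes behaviour).
class DemoUser
  attr_accessor :name, :email, :ldap_user

  LDAP_READONLY_ATTRIBUTES = %i[name email].freeze

  def initialize(name:, email:, ldap_user: true)
    @name = name
    @email = email
    @ldap_user = ldap_user
  end

  def read_only_attribute?(attr)
    ldap_user && LDAP_READONLY_ATTRIBUTES.include?(attr.to_sym)
  end

  def assign(params)
    params.each { |attr, value| public_send("#{attr}=", value) }
    self
  end
end

# Stand-in for Users::UpdateService. The buggy behaviour: every caller,
# the LDAP sync included, has read-only attributes stripped from params.
class DemoUpdateService
  def initialize(user, params, source: :ui)
    @user = user
    @params = params.dup
    @source = source # :ui or :ldap_sync (hypothetical caller flag)
  end

  # fixed: false reproduces the bug; fixed: true applies the proposed fix of
  # skipping the read-only filter when the update originates from LDAP sync.
  def execute(fixed: false)
    @user.assign(filtered_params(fixed: fixed))
    @user
  end

  private

  def filtered_params(fixed:)
    return @params if fixed && @source == :ldap_sync

    @params.reject { |attr, _value| @user.read_only_attribute?(attr) }
  end
end

# Runs the scenario from "Steps to reproduce": LDAP now reports a new name,
# and we check whether the update path applies it. Returns the resulting name.
def sync_name_from_ldap(fixed:, source: :ldap_sync)
  user = DemoUser.new(name: 'Old Name', email: 'user@example.com')
  ldap_entry = { name: 'New Name' } # constructed sample LDAP attribute
  DemoUpdateService.new(user, ldap_entry, source: source).execute(fixed: fixed).name
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy sync:    #{sync_name_from_ldap(fixed: false)}"
  puts "fixed sync:    #{sync_name_from_ldap(fixed: true)}"
  puts "UI after fix:  #{sync_name_from_ldap(fixed: true, source: :ui)}"
end
```

Running it shows the sync leaving the name at "Old Name" in the buggy path, applying "New Name" once sync-originated updates bypass the filter, and a UI-originated update still being rejected after the fix, which is the behaviour the expected-behaviour section asks for.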