Allow admins to resynchronize state for blocked LDAP users via UI
Problem to solve
There is currently no way for a GitLab administrator to resynchronize the state of an LDAP-blocked user account via the admin UI.
Intended users
Further details
The only way to make LDAP-blocked user accounts active again is to wait for the daily user sync or get the user to sign in via the web UI.
There are some edge cases where this is undesirable. For example, a 1,500-seat premium customer reported (Zendesk, internal use only) that they were not able to quickly restore productivity to their end-users as critical service accounts were blocked and the admins did not have the passwords to these accounts.
Proposal
- We can add a button that checks an individual account with LDAP and unblocks it if appropriate
- We can add a button that checks all LDAP-blocked accounts and unblocks them if appropriate
- We can add a button that initiates an instance-wide user LDAP sync immediately
Permissions and Security
In theory, no special permissions are required for this since the source of truth for the user account state lies with the LDAP server rather than with GitLab.
In practice, maybe GitLab admins?
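
A sketch of the per-account and bulk checks from the proposal, added here as an illustration; it is not GitLab code. Every name in it (`User`, `FakeDirectory`, `resync_user`, `resync_all`) is hypothetical and the directory data is constructed. It assumes three things the issue leaves open: only admins may trigger the check, accounts blocked manually by an admin are never touched, and an unreachable LDAP server leaves the account blocked.

```ruby
# Added illustration; not GitLab code. All names here are hypothetical.
# "ldap_blocked" = blocked by LDAP sync, "blocked" = blocked manually by an admin.
User = Struct.new(:username, :state, :ldap_dn)

class DirectoryUnavailable < StandardError; end

# Constructed directory snapshot standing in for a live LDAP lookup.
# :enabled  -> entry exists and is not disabled
# :disabled -> entry exists but is disabled in the directory
# :missing  -> entry no longer exists
class FakeDirectory
  def initialize(entries, up: true)
    @entries = entries
    @up = up
  end

  def status(dn)
    raise DirectoryUnavailable, 'LDAP server unreachable' unless @up
    @entries.fetch(dn, :missing)
  end
end

# Re-check one account. Assumption: only an admin may trigger it, and only
# the ldap_blocked -> active transition is ever performed.
def resync_user(user, directory, actor_is_admin:)
  return [:denied, 'actor is not an admin'] unless actor_is_admin
  return [:skipped, "state is #{user.state}"] unless user.state == 'ldap_blocked'

  case directory.status(user.ldap_dn)
  when :enabled
    user.state = 'active'
    [:unblocked, 'directory entry is enabled']
  else
    [:kept_blocked, 'directory entry is disabled or missing']
  end
rescue DirectoryUnavailable => e
  [:kept_blocked, e.message] # fail closed: no answer means no unblock
end

# Bulk variant: same check for every account, returned as an audit trail
# of [username, outcome, reason] rows.
def resync_all(users, directory, actor_is_admin:)
  users.map { |u| [u.username, *resync_user(u, directory, actor_is_admin: actor_is_admin)] }
end
```

The rows returned by `resync_all` are what an admin-facing action would write to an audit log, so each unblock can be traced back to the directory answer that justified it.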