Use OmniAuth/LDAP gem when querying user information
Summary
The current LDAP connection code has some quirks that make it harder to maintain and harder to debug.
First, if OmniAuth is used for user authentication and the LDAP provider is selected, a subset of options from gitlab_rails['ldap_servers'] in gitlab.rb is passed to the OmniAuth/LDAP gem, which applies its own option transform before initializing a connection.
Second, if gitlab_rails['ldap_enabled'] is set to true in config.rb, then a different subset of options from gitlab_rails['ldap_servers'] is used to directly initialize a connection, which is then used to query user profile information.
Since there are two different ways to initialize a connection, you can run into a situation where authenticating a user succeeds and querying the user profile information fails, or vice versa.
The code should be refactored to use the OmniAuth/LDAP gem when querying user profile information.
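The following Ruby snippet is an added illustration, not code from GitLab or from the omniauth-ldap gem. It contrasts two independently written option builders (the situation described above, where each path picks its own subset of gitlab_rails['ldap_servers']) with a single shared builder used by both the authentication path and the profile-lookup path, and includes a check that reports whether the two paths would open the connection with the same settings. The sample server entry is constructed, and the mapping of the 'encryption' value to a Net::LDAP method symbol is an assumption made for this example.

```ruby
# Added example; not GitLab's or the omniauth-ldap gem's code.

# Constructed sample of one entry from gitlab_rails['ldap_servers'].
SAMPLE_SERVER = {
  'host'       => 'ldap.example.com',
  'port'       => 636,
  'encryption' => 'simple_tls',
  'bind_dn'    => 'cn=gitlab,dc=example,dc=com',
  'password'   => 'example-password',
  'base'       => 'dc=example,dc=com',
  'uid'        => 'sAMAccountName'
}.freeze

# Assumed mapping from the config's 'encryption' string to the symbol a
# Net::LDAP-style client expects. 'plain' means no TLS at all.
ENCRYPTION_METHODS = {
  'plain'      => nil,
  'simple_tls' => :simple_tls,
  'start_tls'  => :start_tls
}.freeze

# Keys that must agree for authentication and profile lookup to talk to the
# same server in the same way.
CONNECTION_KEYS = %i[host port base encryption auth].freeze

def bind_credentials(server)
  { method: :simple, username: server.fetch('bind_dn'), password: server.fetch('password') }
end

# --- Before: two hand-written subsets that drift apart ----------------------

# Authentication path as written on its own: handles encryption, omits base.
def legacy_auth_options(server)
  enc = server['encryption']
  {
    host: server['host'],
    port: server['port'],
    encryption: (enc.nil? || enc == 'plain') ? nil : { method: enc.to_sym },
    auth: bind_credentials(server)
  }
end

# Profile-lookup path written separately: carries base but never looks at
# 'encryption', so it would attempt a plaintext bind on the TLS port while
# authentication through the gem succeeds over TLS.
def legacy_lookup_options(server)
  {
    host: server['host'],
    port: server['port'],
    base: server['base'],
    auth: bind_credentials(server)
  }
end

# --- After: one builder feeds both paths ------------------------------------

def connection_options(server)
  enc = server.fetch('encryption', 'plain')
  raise ArgumentError, "unknown encryption #{enc.inspect}" unless ENCRYPTION_METHODS.key?(enc)

  opts = {
    host: server.fetch('host'),
    port: Integer(server.fetch('port')),
    base: server.fetch('base'),
    auth: bind_credentials(server)
  }
  method = ENCRYPTION_METHODS.fetch(enc)
  opts[:encryption] = { method: method } if method
  opts
end

# The authentication path only adds what it needs on top of the shared options.
def auth_options(server)
  connection_options(server).merge(uid: server.fetch('uid'))
end

def lookup_options(server)
  connection_options(server)
end

# Returns true when both option sets would open an identical connection.
def same_connection_settings?(a, b)
  CONNECTION_KEYS.all? { |key| a[key] == b[key] }
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy paths agree: #{same_connection_settings?(legacy_auth_options(SAMPLE_SERVER), legacy_lookup_options(SAMPLE_SERVER))}"
  puts "shared builder agrees: #{same_connection_settings?(auth_options(SAMPLE_SERVER), lookup_options(SAMPLE_SERVER))}"
end
```

With the shared builder, a configuration mistake or an unsupported value fails once, at option-building time, instead of surfacing as a login that works while the profile lookup silently does not (or the reverse).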
Improvements
Standardizing on one connection initialization method would make the LDAP code easier to maintain by reducing the amount of code. In addition, it would make the code easier to debug by reducing the number of code paths that have to be examined when there is a failure.
Risks
- Could change how some configuration options are interpreted
- Possibly affects EE behavior
Involved components
- gitlab/lib/gitlab/auth/ldap/adapter.rb
- gitlab/lib/gitlab/auth/ldap/config.rb