remove user from ldap group still has access to project link to the ldap group

Summary

On the LDAP side if you remove a user from a LDAP group link to gitlab group, the user still has access to the project group.

Steps to reproduce

Edit a group to create a Linked LDAP groups. Go to manage access for this group. Sync now to verify the ldap user has now access to the group. Log in with this user, everything is OK, we has access to the correct group and see the project in the group. On the ldap server remove the user from the ldap group used in the previous link. Sync now to verify the ldap user is removed from the group. Log in with this user, he has still access to the project.

What is the current bug behavior?

Removing an ldap user from an ldap group doesn't remove the access to the linked group

What is the expected correct behavior?

The user should not see anymore the project

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 
gitlab-rake gitlab:env:info
WARNING: The GitLab Enterprise Edition license will expire on 2017-07-01.


System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.3.3p222
Gem Version:    2.6.6
Bundler Version:1.13.7
Rake Version:   10.5.0
Redis Version:  3.2.5
Git Version:    2.11.1
Sidekiq Version:5.0.0


GitLab information
Version:        9.2.2-ee
Revision:       b004167
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
DB Version:     9.6.1
URL:            https://dtcrhint05.dtc.rccad.net
HTTP Clone URL: https://dtcrhint05.dtc.rccad.net/some-group/some-project.git
SSH Clone URL:  git@dtcrhint05.dtc.rccad.net:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: no


GitLab Shell
Version:        5.0.4
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
WARNING: The GitLab Enterprise Edition license will expire on 2017-07-01.
Checking GitLab Shell ...


GitLab Shell version >= 5.0.4 ? ... OK (5.0.4)
Repo base directory exists?
default... yes
Repo storage directories are symlinks?
default... no
Repo paths owned by git:root, or git:git?
default... yes
Repo paths access is drwxrws---?
default... yes
hooks directories in repos are links: ...
9/3 ... ok
9/4 ... ok
9/5 ... ok
9/6 ... ok
9/10 ... ok
9/12 ... ok
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Access to /var/opt/gitlab/.ssh/authorized_keys: OK
Send ping to redis server: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Sidekiq ...


Running? ... yes
Number of Sidekiq processes ... 1


Checking Sidekiq ... Finished


Checking Reply by email ...


Reply by email is disabled in config/gitlab.yml


Checking Reply by email ... Finished


Checking LDAP ...


Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
DN: uid=admin,cn=users,cn=accounts,dc=XXX,dc=XXX,dc=XX        uid: admin


I removed the list of the user, and just let the first line


Checking LDAP ... Finished


Checking GitLab ...


Git configured with autocrlf=input? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config outdated? ... no
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory setup correctly? ... skipped (no tmp uploads folder yet)
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
projects have namespace: ...
9/3 ... yes
9/4 ... yes
9/5 ... yes
9/6 ... yes
9/10 ... yes
9/12 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.1.0 ? ... yes (2.3.3)
Your git bin path is "/opt/gitlab/embedded/bin/git"
Git version >= 2.7.3 ? ... yes (2.11.1)
Active users: 2


Checking GitLab ... Finished

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)

Edited by Mickael