Follow-up from "Find a user by email from LDAP"


We should perform the `allowed?` check in `Gitlab::LDAP::Access` based on a specific LDAP identity, not the first one found by `User.ldap_identity`.

The following discussion from !2003 (merged) should be addressed:

  • @dblessing started a discussion: (+3 comments)

    This seems dangerous. A user can have multiple LDAP identities. In this case, `user.ldap_identity` returns the first identity. This could lead to us updating the wrong identity's DN. I see we use `user.ldap_identity` in other places in this class, which is probably not great, but it never caused a huge problem because we weren't changing any values. We might have to rethink it now that we're adding this. Any ideas, @reprazent?
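
The risk raised in this discussion, as an added Ruby sketch that is not GitLab's code: a user with two LDAP identities, an access check and a DN refresh that use the first identity found, and the provider-scoped variants next to them. `Identity`, `User`, `DIRECTORY`, `ldap_identity_for`, `allowed_unscoped?`, `allowed_scoped?` and `sync_dn` are simplified stand-ins assumed for illustration, and the directory data is constructed.

```ruby
# Simplified stand-ins for illustration; not GitLab's models or its LDAP adapter.
Identity = Struct.new(:provider, :extern_uid)

class User
  attr_reader :identities

  def initialize(identities)
    @identities = identities
  end

  # Behaviour described in the discussion: the first LDAP identity wins.
  def ldap_identity
    identities.find { |i| i.provider.start_with?('ldap') }
  end

  # Hypothetical provider-scoped lookup.
  def ldap_identity_for(provider)
    identities.find { |i| i.provider == provider }
  end
end

# Constructed directory state: provider => { DN => account enabled? }
DIRECTORY = {
  'ldapmain'      => { 'uid=jdoe,ou=people,dc=main,dc=example' => true },
  'ldapsecondary' => { 'uid=jdoe,ou=staff,dc=second,dc=example' => false }
}.freeze

# Unscoped check: ignores which provider the caller is asking about.
def allowed_unscoped?(user, _provider)
  identity = user.ldap_identity
  !identity.nil? && DIRECTORY.fetch(identity.provider, {}).fetch(identity.extern_uid, false)
end

# Scoped check: evaluates only the identity that belongs to the given provider.
def allowed_scoped?(user, provider)
  identity = user.ldap_identity_for(provider)
  !identity.nil? && DIRECTORY.fetch(provider, {}).fetch(identity.extern_uid, false)
end

# DN refresh after a lookup against `provider`; scoped: false reproduces the risk.
def sync_dn(user, provider, fresh_dn, scoped:)
  identity = scoped ? user.ldap_identity_for(provider) : user.ldap_identity
  identity.extern_uid = fresh_dn if identity
  identity
end

def sample_user
  User.new([Identity.new('ldapmain', 'uid=jdoe,ou=people,dc=main,dc=example'),
            Identity.new('ldapsecondary', 'uid=jdoe,ou=staff,dc=second,dc=example')])
end
```

With the constructed data, the unscoped check for `ldapsecondary` is answered from the `ldapmain` account, and the unscoped refresh writes the `ldapsecondary` DN onto the `ldapmain` identity.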

Edited Sep 25, 2025 by 🤖 GitLab Bot 🤖