Impersonate button in the admin area blocks the user (with ldap login configured)

Summary

After updating my self-hosted instance to version 13.12.8 and trying to impersonate a user to validate their permissions, the system presented Error 500, and when returning to the user page in the admin area it was blocked!

The "unlock" button did not work after the event, displaying the message:

  [image]

I managed to unlock the user using the rails console as described at: https://docs.gitlab.com/ee/security/unlock_user.html#how-to-unlock-a-locked-user-from-the-command-line. The user had status => "ldap_blocked".

Note: We use LDAP (Windows Active Directory) as an external authentication source.

Steps to reproduce

On instances with LDAP login (Windows Active Directory):

  1. Access a user in the administrative area
  2. Click on the "Impersonate" button.
  3. Error 500 is displayed.
  4. When returning to the previous page, the user will be locked without the possibility of unlocking, showing the error: "This user cannot be unlocked manually from Gitlab" when you click on the unlock button.

Example Project

Not related to a specific project. Resource from the administration area.

What is the expected correct behavior?

After clicking the impersonate button, you should reload the page viewing the system according to the impersonated user's permissions.

Relevant logs and/or screenshots

none.

Output of checks

Self-hosted CE instance.

Results of GitLab environment info

Result of gitlab-rake gitlab:env:info


System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.7.2p137
Gem Version:    3.1.4
Bundler Version:2.1.4
Rake Version:   13.0.3
Redis Version:  6.0.14
Git Version:    2.31.1
Sidekiq Version:5.2.9
Go Version:     unknown

GitLab information
Version:        13.12.8
Revision:       29fc8ef8bbd
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     12.6
URL:            
HTTP Clone URL: 
SSH Clone URL:  
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.18.0
Repository storage paths:
- default:      /var/opt/gitlab/git-data/repositories
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell
Git:            /opt/gitlab/embedded/bin/git

Results of GitLab application Check

Result of sudo gitlab-rake gitlab:check SANITIZE=true


Checking GitLab subtasks ...

Checking GitLab Shell ...

GitLab Shell: ...
GitLab Shell version >= 13.18.0 ? ... OK (13.18.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Gitaly ...

Gitaly: ... default ... OK

Checking Gitaly ... Finished

Checking Sidekiq ...

Sidekiq: ...
Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1

Checking Sidekiq ... Finished

Checking Incoming Email ...

Incoming Email: ...
Checking Reply by email ...

IMAP server credentials are correct? ... Exception: Tried to load unspecified class: Symbol
Init.d configured correctly? ... skipped
MailRoom running? ... skipped

Checking Reply by email ... Finished

Checking Incoming Email ... Finished

Checking LDAP ...

LDAP: ...
Server: ldapmain
not verifying SSL hostname of LDAPS server '10.10.255.17:636'
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.

Checking LDAP ... Finished

Checking GitLab App ...

Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
Redis version >= 5.0.0? ... yes
Ruby version >= 2.7.2 ? ... yes (2.7.2)
Git version >= 2.31.0 ? ... yes (2.31.1)
Git user has default SSH configuration? ... yes
Active users: ... 181
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... no
Try fixing it: Please migrate all projects to hashed storage as legacy storage is deprecated in 13.0 and support will be removed in 14.0.
For more information see: doc/administration/repository_storage_types.md

Checking GitLab App ... Finished

Checking GitLab subtasks ... Finished

Possible fixes

A workaround was to update the user status via rails console (.status='active' and .status.save), as specified in the documentation: https://docs.gitlab.com/ee/security/unlock_user.html#how-to-unlock-a-locked-user-from-the-command-line. Maybe including this action linked to the unlock button might be interesting. Keep in mind that the blocking status was related to LDAP (=> "ldap_blocked").

Edited by Thiago Alves Cavalcante