Email address of some LDAP users cannot be changed
Summary
When a user is created via LDAP, their GitLab account will have "email" set in user_synced_attributes_metadata.read_only_attributes.
This means that any attempt to update the email silently fails, because the email is discarded as a non-editable entry.
However, because the email is removed silently, the update command itself succeeds, which leads to an "update successful" message when the update action actually failed.
Steps to reproduce
- Have a user that was created via LDAP sign-in (or set user_synced_attributes_metadata.read_only_attributes to ["email"] for a user).
- Log in as administrator, update that user's email address and click save. The message says "Updated successfully"...
- Check the email address for that account: the email address is unchanged.
What is the current bug behavior?
Email addresses are not being updated for LDAP-created users in specific conditions.
What is the expected correct behavior?
Either an error is shown, for example "Cannot update LDAP attribute for this user", OR the email field is made un-editable for these users.
Workaround
An administrator can delete the user's identity in https://gitlab.example.com/admin/users/<username>/identities.
This will remove the read_only_attribute and allow the email address to be changed.
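
The failure mode in this report, modelled as an added example that is not GitLab's code: an update path that drops read-only attributes without notice still reports success, while a strict variant names the rejected attribute. The `User` struct, both update functions and `ReadOnlyAttributeError` are hypothetical names, and the sample users are constructed.

```ruby
# Hypothetical model of the behaviour in this report; not GitLab's code.
User = Struct.new(:email, :name, :read_only_attributes)

class ReadOnlyAttributeError < StandardError; end

# Behaviour described in the report: read-only keys are discarded silently,
# so the caller gets a success result even though nothing was written.
def update_silently(user, params)
  allowed = params.reject { |key, _| user.read_only_attributes.include?(key.to_s) }
  allowed.each { |key, value| user[key] = value }
  { status: :success, message: "Updated successfully" }
end

# Expected behaviour: refuse the whole update and name the blocked attributes,
# so the administrator is not told that a discarded change was saved.
def update_strictly(user, params)
  blocked = params.keys.map(&:to_s) & user.read_only_attributes
  unless blocked.empty?
    raise ReadOnlyAttributeError,
          "Cannot update LDAP attribute for this user: #{blocked.join(', ')}"
  end
  params.each { |key, value| user[key] = value }
  { status: :success, message: "Updated successfully" }
end

# Constructed sample data: one LDAP-synced user, one local user.
def sample_ldap_user
  User.new("old@example.com", "LDAP User", ["email"])
end

def sample_local_user
  User.new("old@example.com", "Local User", [])
end

if __FILE__ == $PROGRAM_NAME
  user = sample_ldap_user
  result = update_silently(user, { email: "new@example.com" })
  puts "silent: #{result[:message]} / stored email: #{user.email}"

  begin
    update_strictly(user, { email: "new@example.com" })
  rescue ReadOnlyAttributeError => e
    puts "strict: #{e.message}"
  end
end
```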