LDAP Group Sync failures from member validation errors aren't obvious
A customer configured LDAP group sync in a subgroup and found two strange behaviors in the UI without any errors:
- Some member access levels weren't getting updated
- The "Sync now" button stayed grayed out after clicking it
There was no message in the UI, and nothing was written to the logs. After some debugging, Support used the Rails console and found that a `Members and requesters is invalid` error was being raised because `The member's email address is not allowed for this group. Go to the group’s 'Settings > General' page, and check 'Restrict membership by email domain'.`
The problem ended up being that the domain configured under Group Settings -> Permissions, LFS, 2FA -> "Restrict membership by email domain" was the wrong value, so the LDAP group members' email addresses didn't match this domain. Correcting this value fixed the problem. However, this error should be sent to the logs so customers can find their mistake on their own.
This is a feature request to send any underlying failures of the group sync, such as those from the `Member` or `Requester` objects, to the logs.
Here are the specific Rails console commands used to find the errors. This is how we found that the members and requesters were invalid:

```ruby
# This only worked while the group's sync button was stuck
irb(main):012:0> subgroup.fail_ldap_sync!
=> ...snip...
Traceback (most recent call last):
        2: from (irb):11
        1: from (irb):12:in `rescue in irb_binding'
StateMachines::InvalidTransition (Cannot transition ldap_sync_status via :fail from :started (Reason(s): Members and requesters is invalid))
```
Later, while the group was still stuck, we found the specific error:

```ruby
irb(main):018:0> group.members.map(&:errors).map(&:full_messages)
=> [["The member's email address is not allowed for this group. Go to the group’s 'Settings > General' page, and check 'Restrict membership by email domain'."]]
...
irb(main):023:0> subgroup.members.map(&:errors).map(&:full_messages)
=> [[], ["The member's email address is not allowed for this group. Check with your administrator."], ["The member's email address is not allowed for this group. Check with your administrator."], ["The member's email address is not allowed for this group. Check with your administrator."], ["The member's email address is not allowed for this group. Check with your administrator."], ["The member's email address is not allowed for this group. Check with your administrator."], ["The member's email address is not allowed for this group. Check with your administrator."], [], [], [], [], [], [], [], ["The member's email address is not allowed for this group. Check with your administrator."], [], [], [], [], [], [], []]
```
It would have been helpful to send these errors to the logs and/or the UI so that the customer could have found the problem themselves in the first place.
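To illustrate what the requested behaviour would look like, here is an added toy example (not GitLab's code): a `Group` with a stand-in for the "Restrict membership by email domain" validation, and a sync routine that logs and returns each rejected member's validation messages instead of surfacing only a bare "Members and requesters is invalid". The `Group`, `Member` and `ldap_group_sync` names, the access levels and the sample email addresses are all constructed for this example.

```ruby
# Added illustration, not GitLab's code: a toy model of the failure mode in
# this issue. Members carry an email, the group restricts membership by email
# domain, and the sync step logs and returns each rejected member's validation
# messages instead of only raising "Members and requesters is invalid".
require 'logger'
Member = Struct.new(:username, :email, :access_level)
class Group
  attr_reader :name, :allowed_email_domains, :members

  def initialize(name, allowed_email_domains:)
    @name = name
    @allowed_email_domains = allowed_email_domains.map(&:downcase)
    @members = []
  end

  # Stand-in for the "Restrict membership by email domain" validation.
  # Returns the validation messages for one member; an empty array means valid.
  def member_errors(member)
    domain = member.email.to_s.split('@').last.to_s.downcase
    return [] if allowed_email_domains.empty? || allowed_email_domains.include?(domain)
    ["The member's email address is not allowed for this group. " \
     "Check with your administrator."]
  end
end

# Sync that records *why* it failed. Returns [status, rejected], where rejected
# maps username => validation messages, so the log shows which members and rule blocked it.
def ldap_group_sync(group, ldap_members, logger: Logger.new(IO::NULL))
  rejected = {}
  ldap_members.each do |m|
    errors = group.member_errors(m)
    if errors.empty?
      group.members << m
    else
      rejected[m.username] = errors
      logger.warn("ldap_sync group=#{group.name} user=#{m.username} email=#{m.email} error=#{errors.join('; ')}")
    end
  end
  status = rejected.empty? ? :ready : :failed
  logger.error("ldap_sync group=#{group.name} status=failed rejected=#{rejected.keys.join(',')}") if status == :failed
  [status, rejected]
end
if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the subgroup allows example.com, but LDAP returns a member at example.org.
  group = Group.new('subgroup', allowed_email_domains: ['example.com'])
  ldap = [Member.new('alice', 'alice@example.com', 30), Member.new('bob', 'bob@example.org', 30)]
  status, rejected = ldap_group_sync(group, ldap, logger: Logger.new($stdout))
  puts "status=#{status} rejected=#{rejected.keys.inspect}"
end
```

Run directly, the sample logs one `WARN` line naming `bob` and the domain rule and one `ERROR` line with the failed status, which is exactly the information that was missing from the logs in the case above.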