SAML login fails for accounts with an LDAP identity when LDAP provider is removed
Summary
A customer has disabled LDAP (gitlab_rails['ldap_enabled'] = false) and relies on SAML for login. This worked fine before upgrading to 14.9.2, after which users could no longer log in, getting an HTTP 500 error from GitLab after being redirected back from the ADFS provider.
After removing the unused LDAP identity from the user account, this user was able to log in successfully again.
Steps to reproduce
- Use LDAP, have GitLab user accounts associated with LDAP identities
- Disable LDAP integration
- Use SAML for login, experience no issues
- Upgrade to GitLab 14.9.2
- Attempt to login using SAML
What is the current bug behavior?
User gets HTTP 500 from GitLab after the redirect back to GitLab.
What is the expected correct behavior?
User is successfully logged in.
Relevant logs and/or screenshots
Here is the entire stack trace:
Completed 500 Internal Server Error in 176ms (ActiveRecord: 80.3ms | Elasticsearch: 0.0ms | Allocations: 36426)
Gitlab::Auth::Ldap::Config::InvalidProvider (Unknown provider (ldapmain). Available providers: []):
lib/gitlab/auth/ldap/config.rb:62:in `invalid_provider'
lib/gitlab/auth/ldap/config.rb:73:in `initialize'
ee/app/models/ee/user.rb:447:in `new'
ee/app/models/ee/user.rb:447:in `block_auto_created_users?'
ee/app/models/ee/user.rb:418:in `blocked_auto_created_oauth_ldap_user?'
ee/app/models/ee/user.rb:412:in `activate_based_on_user_cap?'
ee/lib/ee/gitlab/auth/o_auth/user.rb:26:in `activate_user_based_on_user_cap?'
ee/lib/ee/gitlab/auth/o_auth/user.rb:11:in `activate_user_if_user_cap_not_reached'
lib/gitlab/auth/o_auth/user.rb:58:in `save'
lib/gitlab/auth/o_auth/user.rb:86:in `find_and_update!'
app/controllers/omniauth_callbacks_controller.rb:162:in `sign_in_user_flow'
app/controllers/omniauth_callbacks_controller.rb:130:in `omniauth_flow'
app/controllers/omniauth_callbacks_controller.rb:49:in `saml'
ee/lib/gitlab/ip_address_state.rb:10:in `with'
ee/app/controllers/ee/application_controller.rb:45:in `set_current_ip_address'
app/controllers/application_controller.rb:499:in `set_current_admin'
lib/gitlab/session.rb:11:in `with_session'
app/controllers/application_controller.rb:490:in `set_session_storage'
lib/gitlab/i18n.rb:105:in `with_locale'
lib/gitlab/i18n.rb:111:in `with_user_locale'
app/controllers/application_controller.rb:484:in `set_locale'
app/controllers/application_controller.rb:478:in `set_current_context'
lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'
lib/gitlab/middleware/memory_report.rb:13:in `call'
lib/gitlab/middleware/speedscope.rb:13:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/database/load_balancing/rack_middleware.rb:23:in `call'
lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'
lib/gitlab/metrics/web_transaction.rb:46:in `run'
lib/gitlab/metrics/rack_middleware.rb:16:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/query_analyzer.rb:11:in `block in call'
lib/gitlab/database/query_analyzer.rb:46:in `within'
lib/gitlab/middleware/query_analyzer.rb:11:in `call'
lib/gitlab/middleware/multipart.rb:173:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
lib/gitlab/middleware/webhook_recursion_detection.rb:15:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/middleware/compressed_json.rb:26:in `call'
lib/gitlab/middleware/rack_multipart_tempfile_factory.rb:19:in `call'
lib/gitlab/middleware/sidekiq_web_static.rb:20:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:77:in `call'
lib/gitlab/middleware/release_env.rb:13:in `call'
Output of checks
Results of GitLab environment info
GitLab 14.9.2 Omnibus install
Results of GitLab application Check
Not performed
Possible fixes
The problem appears to have been introduced in "Fix user cap evaluation for OAuth and LDAP login" (!81272 - merged). The method blocked_auto_created_oauth_ldap_user? from the stack trace above was introduced in that MR, which was merged for 14.9; see also the Slack discussion in #g_utilization:
it looks like you're correct and it wouldn't have errored before that MR, because it would have gone through ::Gitlab.config.omniauth.block_auto_created_users (boolean); now it needs a matching provider (ldapmain) otherwise it'll error🤔
I guess the desired behaviour is that if there are no Gitlab::Auth::Ldap::Config.servers defined then it should return false in block_auto_created_users? ?🤔
As mentioned above, a workaround is to remove the no longer needed but still associated identities from the user data:
# Rails console snippet
# find_by! raises a clear RecordNotFound instead of a NoMethodError on nil if the username does not exist
userid = User.find_by!(username: "mytestuser").id
# All identities of this user for the LDAP provider that is no longer configured
ldap_identities = Identity.where(provider: "ldapmain", user_id: userid)
ldap_identities.destroy_all
This snippet should work to bulk delete all these identities for all users:
# Rails console snippet
ldap_identities = Identity.where(provider: "ldapmain")
ldap_identities.each do |identity|
  puts "Destroying identity: #{identity.attributes}"
  identity.destroy!
rescue => e
  # rescue inside a do/end block needs Ruby 2.6+ (GitLab 14.9 ships a newer Ruby); report and move on to the next identity
  # Double quotes are required so that \n is an actual line break rather than a literal backslash-n
  puts "This error was generated when destroying identity:\n #{identity.attributes}:\n#{e}"
end
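Added here as an illustration, not GitLab's code: a stand-alone Ruby model of the failing path (an LDAP identity whose provider has no configured server makes Config.new raise InvalidProvider), of the guard the Slack thread suggests, and of a dry-run listing of the identities the cleanup snippets above would destroy. The class and method names are assumptions that only loosely mirror GitLab's, and all data is constructed.

```ruby
# Added example, not GitLab's code: models the InvalidProvider failure from the
# stack trace and the "return false when no servers" guard. All data constructed.

class InvalidProvider < StandardError; end

# Stand-in for Gitlab::Auth::Ldap::Config. `servers` models what is left of the
# LDAP configuration once gitlab_rails['ldap_enabled'] = false: nothing.
class LdapConfig
  class << self
    attr_writer :servers
    def servers; @servers || []; end
    def providers; servers.map { |s| s[:provider_name] }; end
  end

  def initialize(provider)
    unless self.class.providers.include?(provider)
      raise InvalidProvider, "Unknown provider (#{provider}). Available providers: #{self.class.providers}"
    end
    @server = self.class.servers.find { |s| s[:provider_name] == provider }
  end

  def block_auto_created_users; @server.fetch(:block_auto_created_users, false); end
end

Identity = Struct.new(:user_id, :provider)

# 14.9.2 path from the trace: builds a Config for the user's LDAP identity
# unconditionally, so a stale "ldapmain" identity raises InvalidProvider.
def block_auto_created_users_unguarded?(identity)
  LdapConfig.new(identity.provider).block_auto_created_users
end

# Guarded version: no configured server for this provider (which includes an
# empty `servers` list) means nothing to enforce, so answer false, don't raise.
def block_auto_created_users_guarded?(identity)
  return false unless LdapConfig.providers.include?(identity.provider)
  LdapConfig.new(identity.provider).block_auto_created_users
end

# Dry run for the cleanup: identities whose LDAP provider is no longer
# configured, listed before anything is deleted.
def stale_ldap_identities(identities)
  identities.select { |i| i.provider.start_with?('ldap') && !LdapConfig.providers.include?(i.provider) }
end

if $PROGRAM_NAME == __FILE__
  LdapConfig.servers = [] # LDAP disabled, as in the report
  p stale_ldap_identities([Identity.new(1, 'ldapmain'), Identity.new(2, 'saml')])
end
```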