External user flag is unset after an LDAP login
Here is what we think is happening:
1. In GitLab 9.5, a new user was created in GitLab and the “external” flag was set to “true” to match the “New users set to external” application setting.
2. This flag remained set to “true” because the LDAP group sync did not attempt to change this value if no external groups were configured in GitLab.
3. However, in GitLab 10.0, we introduced a change in behavior where the external flag would be set to “false” upon login if no LDAP external user groups were configured.
In summary, we are running into confusion over what determines an external user because LDAP external groups aren’t configured in GitLab. We were previously relying on the absence of that group definition, but this obviously isn’t working now.
In the short term, we can disable the modification of the user’s external flag if no external groups are defined. That will at least solve the immediate problem that happens in step 3.
Going forward, we think the right way to solve this problem is to provide an LDAP user filter to set the external user flag as described in https://gitlab.com/gitlab-org/gitlab-ee/issues/4270.
MR: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/558
Edited by Stan Hu
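
A simplified Ruby model of the behaviour described in this issue, added here as an illustration and not taken from GitLab's code base. It contrasts the unconditional login-time sync with the short-term guard and reports which accounts lose the external flag; `User`, `new_user`, both `sync_external_*` methods and the sample users are hypothetical.

```ruby
# Simplified model of the login-time sync; not GitLab's code.
# User, new_user and both sync methods are hypothetical names.
User = Struct.new(:username, :external, :ldap_groups)

# Account creation honours the "New users set to external" setting.
def new_user(username, ldap_groups, new_users_external:)
  User.new(username, new_users_external, ldap_groups)
end

# Behaviour described for 10.0: the flag is recomputed on every login,
# so an empty external-group list always produces external = false.
def sync_external_unconditional(user, external_groups)
  user.external = !(user.ldap_groups & external_groups).empty?
  user
end

# Short-term fix described in the issue: leave the flag untouched
# when no LDAP external groups are configured.
def sync_external_guarded(user, external_groups)
  return user if external_groups.empty?
  sync_external_unconditional(user, external_groups)
end

# Returns the usernames whose external flag a login would clear.
# Works on copies so the input users are not modified.
def flags_cleared_by_login(users, external_groups, sync)
  users.select do |u|
    was_external = u.external
    after = send(sync, u.dup, external_groups)
    was_external && !after.external
  end.map(&:username)
end

# Constructed sample data: two accounts created as external by default.
USERS = [
  new_user("alice", ["cn=staff"], new_users_external: true),
  new_user("bob", ["cn=contractors"], new_users_external: true)
].freeze

if __FILE__ == $PROGRAM_NAME
  puts flags_cleared_by_login(USERS, [], :sync_external_unconditional).inspect
  puts flags_cleared_by_login(USERS, [], :sync_external_guarded).inspect
end
```

With an external group configured, the guarded sync still clears the flag for members outside that group, which is the intended group-driven behaviour rather than the regression.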