Gitlab allows submitting a new LDAP Group link with the default access role value (null) which causes a 500 Internal server error on submission
Summary
One of the instances we have, Gitlab v17.2.1, allows submitting a new LDAP group link with the default options where LDAP Access is not selected, which causes a 500 Internal server error on submission.
We have another instance on v16.11.5 where the default value for LDAP Access field is set as Guest where this issue cannot be observed. Whereas in v17.2.1, the default value for LDAP Access field is not populated but shows the Select a Role placeholder message. Due to this the INSERT query seems to receive a NULL value and is erroring out due to the NOT NULL constraint.
Steps to reproduce
I've validated this on v17.2.1
- Have LDAP integration enabled.
- Navigate to a Gitlab group
- Navigate to Settings > LDAP Synchronization
- Without making any changes on this page, click on Add synchronization
What is the current bug behavior?
The webpage returns a 500 page with the following message.
We're sorry. Something went wrong on our end.
What is the expected correct behavior?
The Gitlab page should not crash when the user submits, as the page is submittable with default values.
Relevant logs and/or screenshots
Relevant snippets from gitlab-rails/production_json.log
exception.message:
PG::NotNullViolation: ERROR: null value in column "group_access" of relation "ldap_group_links" violates not-null constraint
DETAIL: Failing row contains (7, null, null, 259, 2024-08-23 13:09:32.176742, 2024-08-23 13:09:32.176742, ldapmain, null, null).
exception.sql:
INSERT INTO "ldap_group_links" ("group_id", "created_at", "updated_at", "provider") VALUES ($1, $2, $3, $4) RETURNING "id"
Results of GitLab environment info
Expand for output related to GitLab environment info
System information
System:
Proxy: no_proxy: https_proxy: http_proxy:
Current User: git
Using RVM: no
Ruby Version: 3.1.5p253
Gem Version: 3.5.11
Bundler Version: 2.5.11
Rake Version: 13.0.6
Redis Version: 7.0.15
Sidekiq Version: 7.1.6
Go Version: unknown

GitLab information
Version: 17.2.1-ee
Revision: 88793996279
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.11
URL:
HTTP Clone URL:
SSH Clone URL:
Elasticsearch: no
Geo: yes
Geo node: Primary
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: github

GitLab Shell
Version: 14.37.0
Repository storages:
- default: unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path: /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 17.2.1
- default Git Version: 2.45.2
Results of GitLab application Check
Expand for output related to the GitLab application check
Possible fixes
Gitlab frontend should either perform validation so that NULL values for group_access are not allowed to be submitted or set a default value like Guest as in earlier versions.
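A UI default or client-side check can be bypassed by any direct request, so the server has to reject a missing role before the INSERT is built. The following is an added example in plain Ruby, not GitLab's code: the role values follow GitLab's documented access levels, while `build_ldap_group_link`, `LinkResult` and the params shape are hypothetical names chosen for illustration.

```ruby
# Added example, not GitLab's implementation. Method, struct and params
# names are hypothetical; role values follow GitLab's documented levels.
ACCESS_LEVELS = {
  10 => 'Guest', 20 => 'Reporter', 30 => 'Developer',
  40 => 'Maintainer', 50 => 'Owner'
}.freeze

LinkResult = Struct.new(:status, :errors, :row)

# Validates a "new LDAP group link" request before any INSERT is attempted.
# Bad input yields a 422 with a message instead of reaching the database
# and tripping the NOT NULL constraint on group_access (the 500 above).
def build_ldap_group_link(group_id, params)
  errors = []
  raw = params['group_access']
  # Strict base-10 parse: "30" -> 30, while "", "30abc", "1e3" -> nil.
  level = Integer(raw.to_s, 10, exception: false)

  if raw.nil? || raw.to_s.strip.empty?
    # This is the case in the report: the form was submitted with the
    # "Select a Role" placeholder, so no group_access was sent at all.
    errors << 'group_access must be selected'
  elsif level.nil? || !ACCESS_LEVELS.key?(level)
    # Never fall back to a default here: silently granting some role on
    # malformed input would be an authorization decision made by accident.
    errors << "group_access #{raw.inspect} is not a known role"
  end

  provider = params['provider'].to_s.strip
  errors << 'provider is required' if provider.empty?

  return LinkResult.new(422, errors, nil) unless errors.empty?

  # Only a fully validated row is handed on to persistence.
  row = { group_id: group_id, provider: provider, group_access: level }
  LinkResult.new(201, [], row)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the first mirrors the failing submission.
  [{ 'provider' => 'ldapmain' },
   { 'provider' => 'ldapmain', 'group_access' => '10' },
   { 'provider' => 'ldapmain', 'group_access' => '99' }].each do |p|
    r = build_ldap_group_link(259, p)
    puts "#{p.inspect} -> #{r.status} #{r.errors.inspect}"
  end
end
```

Keeping the database NOT NULL constraint in place remains useful as the last line of defence; the validation only changes how the failure is reported to the user.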