Blueprint: Duo Add-on seat assignment via LDAP
status: proposed
creation-date: "2024-12-03"
authors: [ "@bhrai", "@qzhaogitlab" ]
coach: "TBD"
approvers: [ "@courtmeddaugh", "@rhardarson" ]
owning-stage: "~section::fulfillment" "~group::provision"
participating-stages: []
Duo Seat Management via LDAP
Summary
As part of Iteration 1: Duo Seat management via LDAP (&15899 - closed), we want Duo Add-on seat assignment to be managed through LDAP sync.
Related issues:
- MVC: Define the product requirements for 1st it... (#503746 - closed)
- https://gitlab.com/gitlab-org/gitlab/-/issues/503745+
Motivation
Bulk Duo seat assignment has been requested by multiple customers; managing seat assignment via LDAP is one of the options, and the one those large customers have explicitly asked for.
Goals
The goal of this blueprint is to produce:
- one or more architectural designs for how Duo Pro seat assignment will work with LDAP
- an iteration plan to achieve the chosen design
Proposal 1
LDAP is only available for self-hosted instances (Self-Managed). Customers have to configure a number of settings in order to integrate LDAP.
We will add a new attribute to the LDAP config, say duo_add_on_groups = ['group-1'], to implement this feature. Customers set this attribute to the names of the LDAP groups whose members should hold a Duo Add-on seat.
Once the config is set and a user signs in via LDAP:
- If the LDAP user is a member of one of those groups, a seat is assigned to them at sign-in (if they do not already have one).
- If the LDAP user is not a member of any of those groups, any seat currently assigned to them is removed at sign-in.
Because the check runs only at LDAP sign-in, a user who is removed from the group keeps their seat until they next sign in; if duo_add_on_groups is not set, sign-in neither assigns nor removes seats.
```mermaid
graph TD
subgraph "Main Login Process"
Login[User logs in with LDAP] --> LDAPCheck{Is valid login?}
LDAPCheck -->|No| EndProcess1[End process: Not a valid LDAP login]
LDAPCheck -->|Yes| EnqueueWorker[Enqueue LdapAddOnSeatSyncWorker with user_id]
EnqueueWorker --> EndProcess[Continue: valid sign-in user flow actions]
end
subgraph "Background Job: LdapAddOnSeatSyncWorker"
WorkerStart[LdapAddOnSeatSyncWorker starts] --> ConfigCheck{LDAP config: duo_add_on_groups set?}
ConfigCheck -->|No| EndWorker[End worker process]
ConfigCheck -->|Yes| FetchGroups[Fetch the user's memberships in 'duo_add_on_groups' from the LDAP server]
FetchGroups --> MembershipCheck{User is member of any duo_add_on_groups?}
MembershipCheck -->|No| RemoveSeat[Remove Duo Add-on seat, if present]
MembershipCheck -->|Yes| AssignSeat[Assign Duo Add-on seat, if not present]
RemoveSeat --> EndWorker
AssignSeat --> EndWorker
end
EnqueueWorker -->|perform_async| WorkerStart
```
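The decision logic of the proposed worker, written out as an added example (this is illustration code, not GitLab's implementation of LdapAddOnSeatSyncWorker). The LDAP server and the seat store are replaced by in-memory stand-ins (FakeLdapServer, SeatStore, FAKE_LDAP_GROUPS, FAKE_USERS are all constructed for this example) so it runs offline; the config key duo_add_on_groups is the attribute proposed above, and the return symbols are this example's own. Two edge cases from the proposal are made explicit: an unset or empty duo_add_on_groups is a no-op rather than a mass revocation, and a user with no LDAP identity is skipped.

```ruby
require 'set'

# Constructed LDAP directory: group name => member DNs (not real data).
FAKE_LDAP_GROUPS = {
  'group-1'   => ['uid=alice,ou=people,dc=example,dc=com',
                  'uid=bob,ou=people,dc=example,dc=com'],
  'engineers' => ['uid=carol,ou=people,dc=example,dc=com',
                  'uid=alice,ou=people,dc=example,dc=com']
}.freeze

# Constructed GitLab users: user_id => LDAP DN (nil = no LDAP identity).
FAKE_USERS = {
  1 => 'uid=alice,ou=people,dc=example,dc=com',
  2 => 'uid=bob,ou=people,dc=example,dc=com',
  3 => 'uid=carol,ou=people,dc=example,dc=com',
  4 => nil
}.freeze

# Stand-in for the LDAP server query the worker performs at sign-in.
class FakeLdapServer
  def initialize(groups)
    @groups = groups
  end

  # Returns the subset of group_names that the given DN is a member of.
  # Membership is always re-read from the directory, never cached.
  def memberships(dn, group_names)
    group_names.select { |g| (@groups[g] || []).include?(dn) }
  end
end

# Stand-in for Duo Add-on seat assignments (a set of user ids).
class SeatStore
  def initialize
    @assigned = Set.new
  end

  def assigned?(user_id) = @assigned.include?(user_id)
  def assign(user_id) = @assigned.add(user_id)
  def remove(user_id) = @assigned.delete(user_id)
  def assigned_user_ids = @assigned.to_a.sort
end

# Mirrors the "Background Job" branch of the diagram for one user_id.
class LdapAddOnSeatSync
  def initialize(ldap_config:, ldap:, seats:, users:)
    @config = ldap_config
    @ldap = ldap
    @seats = seats
    @users = users
  end

  # Returns a symbol describing the outcome so callers/tests can check it.
  def perform(user_id)
    groups = Array(@config[:duo_add_on_groups])
    # Unset/empty config: end the worker without touching any seat.
    return :skipped_no_config if groups.empty?

    dn = @users[user_id]
    # No LDAP identity for this user: nothing to look up, nothing to change.
    return :skipped_no_ldap_identity if dn.nil?

    is_member = @ldap.memberships(dn, groups).any?

    if is_member
      return :already_assigned if @seats.assigned?(user_id)

      @seats.assign(user_id)
      :assigned
    else
      return :not_assigned unless @seats.assigned?(user_id)

      @seats.remove(user_id)
      :removed
    end
  end
end

# Example run: carol starts with a seat but is not in group-1, so her
# sign-in revokes it; alice is in group-1 and gets one.
if __FILE__ == $PROGRAM_NAME
  seats = SeatStore.new
  seats.assign(3)
  sync = LdapAddOnSeatSync.new(ldap_config: { duo_add_on_groups: ['group-1'] },
                               ldap: FakeLdapServer.new(FAKE_LDAP_GROUPS),
                               seats: seats, users: FAKE_USERS)
  [1, 2, 3, 4].each { |id| puts "user #{id}: #{sync.perform(id)}" }
  puts "seats now held by: #{seats.assigned_user_ids.inspect}"
end
```

The worker takes only the user_id and re-queries LDAP membership at run time, matching the diagram; the comparison is an exact match on the configured group name, which is an assumption of this example rather than something the proposal specifies.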
Notes
- Currently only a single LDAP identity per user is supported: !175101 (comment 2258241471)