
ldap group sync ran without errors with bad bind_dn


https://gitlab.zendesk.com/agent/tickets/94119

The customer reported that their groups were losing members on ldap sync. When we tried an ldapsearch using the bind_dn and password in the config file, we were getting authentication failure. After checking with their AD admin, they found they were using the wrong bind_dn. GitLab had been working, somehow, with the previous bind_dn, but nobody is really sure how, since it was clearly bad.

The reason I'm filing this issue is that sidekiq logs showed ldap group sync jobs running without error while the system had the wrong/failing bind_dn. It seems that if the bind failed we should have failed the sync rather than ending up emptying out the groups.

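The behaviour requested above (fail the sync when the bind fails instead of emptying groups), as an added example that is not part of the original issue and not GitLab's code. All class and method names are hypothetical, and the fail-open variant is an assumption about how a failed lookup can turn into removals, not a diagnosis of the actual cause.

```ruby
# Added illustration; every name here is hypothetical, not GitLab's implementation.
class DirectoryError < StandardError; end

# Stand-in for an LDAP client. Assumption: a failed operation returns
# false/nil instead of raising, which is what makes failing open easy.
class FakeDirectory
  def initialize(bind_ok:, groups:)
    @bind_ok = bind_ok
    @groups = groups
  end

  # true when the bind_dn/password were accepted
  def bind
    @bind_ok
  end

  # nil = the search could not be run; [] = the group really is empty
  def members_of(group_dn)
    return nil unless @bind_ok
    @groups.fetch(group_dn, [])
  end
end

# Fail-open: a failed search is coerced to "no members", so the job
# finishes without error and every current member is queued for removal.
def sync_fail_open(dir, group_dn, current)
  wanted = dir.members_of(group_dn) || []
  { keep: current & wanted, remove: current - wanted }
end

# Fail-closed: verify the bind and the search result before computing
# removals, and raise so the job is recorded as failed.
def sync_fail_closed(dir, group_dn, current)
  raise DirectoryError, "bind failed, membership left unchanged" unless dir.bind
  wanted = dir.members_of(group_dn)
  raise DirectoryError, "search failed for #{group_dn}" if wanted.nil?
  { keep: current & wanted, remove: current - wanted }
end

# Constructed sample data
GROUP   = "cn=devs,ou=groups,dc=example,dc=com"
CURRENT = %w[alice bob]
BAD  = FakeDirectory.new(bind_ok: false, groups: { GROUP => %w[alice bob] })
GOOD = FakeDirectory.new(bind_ok: true,  groups: { GROUP => %w[alice] })
```

With the failing bind, `sync_fail_open` returns both members under `remove`, while `sync_fail_closed` raises and changes nothing.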