
Regression: Users with no email in LDAP cannot connect to UI after upgrade from 9.1.4 to 10.6

Summary

Applicative users (that are not related to real persons but to logical processes) that do not have a mail value in LDAP cannot connect to UI after upgrade from 9.1.4 to 10.6.

Steps to reproduce

Connection to our Gitlab EE is done through LDAP. Here is the configuration:

gitlab_rails['ldap_enabled'] = true

###! **remember to close this block with 'EOS' below**
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'ldap.host.here'
    port: 1234
    uid: 'userPrincipalName'
    method: 'plain' # "tls" or "ssl" or "plain"
    bind_dn: 'bind_dn'
    password: 'password'
    active_directory: true
    allow_username_or_email_login: false
    block_auto_created_users: true
    base: 'DC=somedc'
    user_filter: ''
    attributes:
      username: 'sAMAccountName'
      email:    'mail'
      name:       'cn'
      first_name: 'givenName'
      last_name:  'sn'
    ## EE only
    group_base: ''
    admin_group: ''
    sync_ssh_keys: false
EOS

We created many applicative accounts, meaning by that: accounts that are dedicated to ci / cd actions, but that are not related to real people.

Our company forbids the attribution of emails in LDAP for such accounts.

We worked around this by setting "fake" emails in Gitlab while creating these applicative accounts. These mails correspond to the UPN of the account in LDAP.

What is the current bug behavior?

In version 9.1.4 we were able to connect to the UI using these accounts.

After upgrading to 10.6 we cannot connect to Gitlab UI with these accounts anymore.

We have performed a test where we attributed a fake email to an applicative account in LDAP and were able to connect to the GUI. However, the LDAP administrators of our company explicitly told us that it was not possible to generalize this test to a live production environment.

What is the expected correct behavior?

We need to be able to connect to Gitlab using applicative accounts in version 10.6.

Relevant logs and/or screenshots

Message while trying to connect using an applicative account:

[screenshot of the error message; image not reproduced in this copy]

Possible fixes

First things first: is there a quick fix for this issue?

Here is a suggested fix for upcoming releases: fall back the Gitlab email attribute to the user principal name (UPN) for users who do not have a mail value in LDAP, like our applicative accounts. This should not be a default behaviour, but rather a checkbox explicitly selected by an Admin user.

Edited by avi elkharrat
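The opt-in UPN fallback proposed in this issue, sketched as an added example. This is not GitLab's code and not the reporter's; it only shows how the email for an LDAP entry could be resolved given the attribute mapping from the configuration above (email: 'mail', uid: 'userPrincipalName'). The `fallback_email_to_upn` option and the `resolve_email` helper are hypothetical names, and the directory entries at the bottom are constructed sample data. The fallback stays off by default, and a UPN is only accepted if it actually looks like an address, so a directory value that is not an email never ends up stored as one.

```ruby
# Added example, not GitLab code: resolve the e-mail to store for an LDAP user.
# 'mail' wins when present; otherwise the UPN is used only if an admin enabled
# the (hypothetical) fallback_email_to_upn option and the UPN is a valid address.

# Sanity check for an address: one '@', non-empty local part, dotted domain.
EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

class MissingEmailError < StandardError; end

# Return the first non-empty value of an attribute, or nil.
# entry is a Hash of attribute name => Array of values (constructed shape).
def first_value(entry, attr)
  value = Array(entry[attr] || entry[attr.downcase]).first.to_s.strip
  value.empty? ? nil : value
end

# Attribute names default to the ones in the issue's ldap_servers config.
def resolve_email(entry, email_attr: 'mail', uid_attr: 'userPrincipalName',
                  fallback_email_to_upn: false)
  mail = first_value(entry, email_attr)
  return mail.downcase if mail && mail.match?(EMAIL_RE)

  # No usable mail attribute: the situation of the applicative accounts above.
  unless fallback_email_to_upn
    raise MissingEmailError, "no #{email_attr} attribute and UPN fallback is disabled"
  end

  upn = first_value(entry, uid_attr)
  unless upn && upn.match?(EMAIL_RE)
    raise MissingEmailError, "UPN #{upn.inspect} is not a usable e-mail address"
  end
  upn.downcase
end

# Constructed sample entries (not real directory data).
HUMAN = { 'mail' => ['Alice.Example@corp.example'],
          'userPrincipalName' => ['alice@corp.example'],
          'sAMAccountName' => ['alice'] }
CI_BOT = { 'userPrincipalName' => ['ci-deploy@corp.example'],
           'sAMAccountName' => ['ci-deploy'] }
BROKEN_BOT = { 'userPrincipalName' => ['ci-legacy'],
               'sAMAccountName' => ['ci-legacy'] }

if __FILE__ == $PROGRAM_NAME
  puts resolve_email(HUMAN)                                  # mail attribute used
  puts resolve_email(CI_BOT, fallback_email_to_upn: true)    # UPN fallback used
  begin
    resolve_email(CI_BOT)                                    # fallback off: rejected
  rescue MissingEmailError => e
    puts "rejected: #{e.message}"
  end
end
```

With the fallback disabled the CI account is rejected exactly as the 10.6 behaviour reported here; with it enabled the account gets `ci-deploy@corp.example`, while an entry whose UPN is not an address is still rejected rather than stored with a malformed email.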