Reduce overlap with LDAP from using "ldap_blocked" through SAML

Problem

Our SAML required_groups check marks users as ldap_blocked if they are missing from a group. This is ambiguous when used alongside LDAP, which can also block users: we then cannot tell whether the user was blocked by the SAML required_groups check or by LDAP, and a sync from one source can accidentally unblock a user blocked by the other.
Solutions

- Rename/alias ldap_blocked to something like sync_blocked or externally_blocked, as suggested in https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9489#note_139226398.
- Potentially create a new saml_blocked? state. This would need a migration to move existing ldap_blocked? users to saml_blocked? when SAML is enabled but LDAP is not. What would then happen on instances where both are enabled and we cannot tell?
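To make the ambiguity concrete, here is an added illustration (a hypothetical model written for this issue, not GitLab's own code): with one shared ldap_blocked state, an LDAP sync that finds the user in all its groups will unblock a user that SAML required_groups blocked; with source-specific states (ldap_blocked / saml_blocked), each sync only touches the state it owns. The class, method and state names are assumptions for the example.

```ruby
# Hypothetical user model for illustration; not GitLab's code.
# state is one of :active, :ldap_blocked, :saml_blocked.
class SyncUser
  attr_reader :state

  def initialize(state = :active)
    @state = state
  end

  # Current behaviour described in the issue: both SAML and LDAP write the
  # single shared :ldap_blocked state, so either sync can clear the other's block.
  def shared_sync(_source, in_required_group)
    if in_required_group
      @state = :active if @state == :ldap_blocked
    else
      @state = :ldap_blocked
    end
    @state
  end

  # Proposed behaviour: each source owns its own blocked state and only
  # unblocks users it blocked itself; a block from the other source is left alone.
  def scoped_sync(source, in_required_group)
    own = :"#{source}_blocked"
    if in_required_group
      @state = :active if @state == own
    elsif @state == :active || @state == own
      @state = own
    end
    @state
  end
end

# Constructed scenario: SAML required_groups blocks the user, then an LDAP
# group sync runs and finds nothing wrong with them.
def run_scenario(sync_method)
  user = SyncUser.new
  user.public_send(sync_method, :saml, false) # SAML: user missing from required group
  user.public_send(sync_method, :ldap, true)  # LDAP: user present in all its groups
  user.state
end

run_scenario(:shared_sync) # => :active        (SAML block silently lost)
run_scenario(:scoped_sync) # => :saml_blocked  (SAML block preserved)
```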
Related
Noticed while fixing https://gitlab.com/gitlab-org/gitlab-ce/issues/45525
Edited by James Edwards-Jones