Skip to content

Fix LdapAllAddOnSeatSyncWorker removing seats when no groups configured

Paulo Barrosrequested to merge
pb/565064/fix-ldap-duo-seat-sync-worker into master

Resolves #565064 (closed).

What does this MR do and why?

This MR fixes a critical bug in LdapAllAddOnSeatSyncWorker - introduced by Add worker to periodically sync LDAP users Duo ... (!200729 - merged) - where all LDAP users would lose their Duo seats when LDAP is enabled but duo_add_on_groups is not configured.

The worker was processing all LDAP users against an empty set of member DNs (when no duo groups are configured), causing all users to be removed from Duo seats during the nightly sync.

This fix adds an early return when no duo member DNs are found, preventing unintended mass removal of Duo seat assignments.

We're probably gonna need to backport this into %18.3.

References

How to set up and validate locally

  1. Configure LDAP without setting duo_add_on_groups
  2. Create LDAP users with active Duo seats
  3. Run GitlabSubscriptions::AddOnPurchases::LdapAllAddOnSeatSyncWorker.new.perform
  4. Verify that users retain their Duo seats (no bulk unassignment occurs)

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Paulo Barros

Merge request reports