WIP: Allow for configuration of LDAP group filter
What does this MR do?
This adds a new configuration setting group_filter, akin to the existing user_filter. It allows GitLab administrators to set an LDAP filter expression that cuts down the entries returned from a search using the attributes appropriate for the local directory setup (e.g. (objectClass=posixGroup) or similar).
As a configuration setting, this is directly exposed to users/administrators.
Are there points in the code the reviewer needs to double check?
The implementation closely follows what is already done for the existing user_filter.
Why was this MR needed?
For certain directory structures, the current LDAP group sync feature is hardly usable. Imagine a university with a directory schema approximately matching the following:
$base
├── alumni
│ ├── groups
│ │ ├── a-group
│ │ └── another-group
│ └── [lots of other non-groupy things]
├── staff
│ ├── groups
│ │ ├── also-a-group
│ │ └── yet-another-group
│ └── [...]
├── students
└── head-honchos
Setting the group_base to $base (required to include all groups) causes GitLab to treat all the other non-group directory entries as groups, displaying lots of confusing entries in the auto-complete web dialog.
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
-
Changelog entry added, if necessary -
Documentation created/updated -
API support added -
Tests added for this feature/bug - Review
-
Has been reviewed by UX -
Has been reviewed by Frontend -
Has been reviewed by Backend -
Has been reviewed by Database
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Squashed related commits together -
Internationalization required/considered -
If paid feature, have we considered GitLab.com plan and how it works for groups and is there a design for promoting it to users who aren't on the correct plan
What are the relevant issue numbers?
Closes gitlab-org/gitlab-ee#334