
Unblock LDAP blocked user on sign-in with other auth methods

Drew Blessing requested to merge dblessing_ldap_unblock_on_sign_in into master

What does this MR do and why?

Fixes #343298 (closed)

Many organizations use LDAP in conjunction with other authentication methods such as SAML or OAuth. If transient LDAP errors cause the user to become ldap_blocked, it is desirable to also unblock the user once the issue resolves itself. Otherwise, the user is unable to sign in again without manual intervention or without signing in once via LDAP directly. This change enables any sign-in to recheck LDAP if the user is ldap_blocked.

Screenshots or screen recordings

The screen recording shows the new behavior. I first ldap_block the user in the console. On sign-in, notice the LDAP logs in the bottom terminal, which show a query took place. Then the user is signed in, and you subsequently see the user is no longer ldap_blocked.

[Screen recording: unblock_ldap_via_omniauth_480]

How to set up and validate locally

  1. Configure your GDK or test instance for LDAP. See the GDK docs for instructions.
  2. Sign in once as a test LDAP user such as john.
  3. Connect this test LDAP account to some external authentication method such as Google, GitHub, etc.
  4. Open a Rails console, find the user and manually block them:

         user = User.find_by_username 'john'
         user.ldap_block!

  5. Sign in via the external auth method (Google, etc.).
  6. Observe that the user signed in successfully.
  7. Observe that the user is no longer ldap_blocked in the console:

         user.reload.ldap_blocked?

Prior to this change, the last two steps would not happen. The user would receive a message that they are blocked.
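The following is an added illustration of the behaviour described above and exercised by the validation steps; it is not GitLab's code. It models the decision a sign-in handler makes for an ldap_blocked user: re-query the directory, lift the block only when the entry is actually returned, and keep it in place when LDAP is still failing or the entry is gone. `User`, `FakeDirectory` and `ldap_recheck_on_sign_in` are constructed names for this example.

```ruby
# Added example (not GitLab's code): re-checking an ldap_blocked user on sign-in.
class LdapUnavailable < StandardError; end

# Minimal stand-in for the User model's ldap block state (constructed).
class User
  attr_reader :username, :state

  def initialize(username, state = :active)
    @username = username
    @state = state
  end

  def ldap_blocked?
    @state == :ldap_blocked
  end

  def ldap_block!
    @state = :ldap_blocked
  end

  def activate!
    @state = :active
  end
end

# directory must respond to #find_user(username) -> entry Hash or nil, and
# raise LdapUnavailable on transient errors (assumed interface, not GitLab's).
def ldap_recheck_on_sign_in(user, directory)
  return :signed_in unless user.ldap_blocked?

  begin
    entry = directory.find_user(user.username)
  rescue LdapUnavailable
    return :still_blocked # transient LDAP failure: do not lift the block
  end

  return :still_blocked unless entry # directory no longer has the account

  user.activate! # LDAP has recovered and still knows the user: unblock
  :unblocked
end

# Constructed in-memory directory so the example runs offline.
class FakeDirectory
  def initialize(entries: {}, down: false)
    @entries = entries
    @down = down
  end

  def find_user(username)
    raise LdapUnavailable, 'connection refused' if @down

    @entries[username]
  end
end
```

Only the `:unblocked` path changes state; a failed or empty lookup leaves the user exactly as blocked as before, so a still-broken directory cannot be used to clear blocks.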

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing
