Active Directory group inheritance: moving an intermediate group causes loss of access
Summary
Hello, we're using GitLab EE at work and have noticed strange behaviour regarding group memberships when groups are moved within Active Directory.
Steps to reproduce
Create the groups dl_gitlab_administrators (domain local) and g_it (global, as the AGDLP layout below implies), plus a user foo. User foo belongs to the IT department, so foo is a member of g_it. The g_it group is allowed to perform administrative tasks within GitLab, so g_it is added as a member of dl_gitlab_administrators (basic IGDLA/AGDLP concept: accounts go into global groups, global groups into domain local groups, and permissions are granted on the domain local group).
What is the current bug behavior?
If the Active Directory administrators later restructure the directory and move the group g_it into another OU, user foo temporarily loses his administrative permissions in GitLab.
What is the expected correct behavior?
The position of g_it in the directory tree should not matter at all: the permission is granted to dl_gitlab_administrators and therefore to all of its members, nested ones included.
Other programs that use LDAP backends with nested-group support (and are not Active Directory aware) do not care about an intermediate group being moved. They only fail if the permitted group itself (dl_gitlab_administrators) is moved, because they locate it by its DN rather than by its SID when querying its members.
The SID (Security Identifier) is a unique, immutable identifier of a user, a security group and many other objects, and it is what Windows itself uses when assigning permissions. Moving an object into another OU within the same domain changes its DN but not its SID (only a move to another domain assigns a new SID, with the old one kept in sIDHistory); the objectGUID attribute is likewise stable across moves.
Possible fixes
Consider using the SID (or objectGUID) instead of the DN for unique identification of objects in all LDAP backends that support it (e.g. Active Directory). This would remove the limitation that groups must not be moved within Active Directory.
Cache the full list of groups a user is a member of at logon, until the user signs out, and use that mapping to check whether the user has been granted access to resources within GitLab (this is what Windows does with its access tokens). Changes to intermediate groups then no longer cause temporary lookup failures when they are moved, and a temporary LDAP lookup failure after the user has authenticated does not cause problems either. Active Directory exposes exactly this list: the constructed tokenGroups attribute of a user object returns the SIDs of all security groups the user belongs to, with nested membership already resolved server-side.
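The two lookup strategies contrasted in this issue (DN-keyed versus SID-keyed resolution of nested group membership, and the cached-membership idea from the possible fixes), as an added example that is not part of the original report and not GitLab's own code. It runs against a small constructed in-memory directory that stands in for Active Directory search results; the group and user names, the SIDs, the OU move and the two authorizer classes are assumptions made for illustration, and `token_group_sids` is a hand-written model of what AD's constructed tokenGroups attribute returns rather than a call to a real LDAP library. The SID codec at the top does follow the real binary objectSid layout.

```python
import struct

# Binary SID layout as AD returns it in objectSid / tokenGroups:
# revision (1 byte) | sub-authority count (1 byte) | identifier authority (6 bytes, big-endian)
# | sub-authorities (4 bytes each, little-endian)

def sid_bytes_to_string(raw):
    """Decode a binary SID into its textual S-1-... form."""
    revision, sub_count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * sub_count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid):
    """Inverse of sid_bytes_to_string; used only to build the constructed directory below."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample directory (assumed names and SIDs, not real data). DN -> attributes.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "DC=example,DC=com"
DL_ADMINS = "CN=dl_gitlab_administrators,OU=Groups," + BASE
G_IT_OLD = "CN=g_it,OU=Groups," + BASE
G_IT_NEW = "CN=g_it,OU=IT,OU=Departments," + BASE      # where the AD admins move g_it
FOO = "CN=foo,OU=Users," + BASE


def _entry(rid, member=()):
    return {"objectSid": sid_string_to_bytes(DOMAIN_SID + "-%d" % rid), "member": list(member)}


def build_directory():
    return {
        DL_ADMINS: _entry(1105, member=[G_IT_OLD]),   # AGDLP: global group nested in domain local
        G_IT_OLD: _entry(1106, member=[FOO]),
        FOO: _entry(1107),
    }


def move_entry(directory, old_dn, new_dn):
    """OU move: the DN changes, the objectSid does not. AD keeps the linked `member`
    attribute on other objects consistent, which this model reproduces."""
    directory[new_dn] = directory.pop(old_dn)
    for attrs in directory.values():
        attrs["member"] = [new_dn if m == old_dn else m for m in attrs["member"]]


def token_group_sids(directory, user_dn):
    """Transitive group SIDs of a user computed from the current `member` links.
    Hypothetical model of what AD's constructed tokenGroups attribute returns."""
    seen, frontier = set(), [user_dn]
    while frontier:
        dn = frontier.pop()
        for gdn, attrs in directory.items():
            if dn in attrs["member"] and gdn not in seen:
                seen.add(gdn)
                frontier.append(gdn)
    return {sid_bytes_to_string(directory[g]["objectSid"]) for g in seen}


class DnKeyedAuthorizer:
    """Hypothetical app that snapshots the permitted group's member DNs at sync time and
    resolves nested groups live by DN. After an OU move the snapshot still names the old
    DN of g_it, that lookup misses, and everyone below g_it is denied until the next sync."""
    def __init__(self, directory, permitted_group_dn):
        self.directory, self.permitted_group_dn = directory, permitted_group_dn
        self.resync()

    def resync(self):
        self.permitted_members = list(self.directory[self.permitted_group_dn]["member"])

    def _expand(self, dns, acc):
        for dn in dns:
            if dn in acc:
                continue
            acc.add(dn)
            entry = self.directory.get(dn)      # None once the object has been moved
            if entry:
                self._expand(entry["member"], acc)
        return acc

    def is_admin(self, user_dn):
        return user_dn in self._expand(self.permitted_members, set())


class SidKeyedAuthorizer:
    """Identify the permitted group by SID and test it against the user's transitive
    group SIDs; DNs never enter the comparison, so moves are invisible."""
    def __init__(self, directory, permitted_group_dn):
        self.directory = directory
        self.permitted_sid = sid_bytes_to_string(directory[permitted_group_dn]["objectSid"])

    def is_admin(self, user_dn):
        return self.permitted_sid in token_group_sids(self.directory, user_dn)


def demo():
    """Returns (dn_before, dn_after_move, dn_after_resync, sid_before, sid_after_move)."""
    directory = build_directory()
    by_dn = DnKeyedAuthorizer(directory, DL_ADMINS)
    by_sid = SidKeyedAuthorizer(directory, DL_ADMINS)
    dn_before, sid_before = by_dn.is_admin(FOO), by_sid.is_admin(FOO)
    move_entry(directory, G_IT_OLD, G_IT_NEW)          # the AD restructuring from the report
    dn_after, sid_after = by_dn.is_admin(FOO), by_sid.is_admin(FOO)
    by_dn.resync()
    return dn_before, dn_after, by_dn.is_admin(FOO), sid_before, sid_after


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reproduces the report: the DN-keyed authorizer grants, then denies after the move, then grants again after a resync, while the SID-keyed one grants throughout. In a real deployment the SID set would come from reading tokenGroups on the user entry at logon (it is a constructed attribute, so it must be requested explicitly with a base-scope search), which also gives the per-session cache the second fix describes.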