Add gitlab:ldap:test_user_filter rake task
rake gitlab:ldap:test_user_filter FILTER='foo=bar' PROVIDER=main
This would ignore the existing
user_filtersetting in gitlab.yml. It would replace messing around with ldapsearch on the customer's server.
Hey, I looked at gitlab:ldap:check. I think it actually already applies the user_filter! https://dev.gitlab.org/gitlab/gitlabhq/blob/fe2e1ac3210d85e10c56cf226e7fffee738ac780/lib/tasks/gitlab/check.rake#L681
does that mean we can close this issue?
Maybe. On the other hand, it might still be worthwhile to have a new rake task which ignores the user_filter setting. With the current rake task, the test cycle is:
- edit gitlab.rb
- rake gitlab:ldap:check
With a dedicated rake task, the cycle could have just one step:
- rake gitlab:ldap:test_user_filter FILTER='foo=bar'
That way we could cut out ldapsearch.
Let us do the latest proposal about dedicated rake task. Every addition to LDAP debugging is a good one and worth the time. I propose having the clear proposal for what needs to be implemented and adding issue to the milestone.
I will update the title/description. Current content for posterity:
user_filtertest to the
gitlab:ldap:checktask After the call with customer about failing LDAP filters, jacobvosmaer and I thought it would be a good idea to improve the gitlab:ldap:check task and have it test for the filter as well.
If the filter is set, the LDAP check task should return only the users that are allowed to login. If it returns nothing, we know there might be a problem with the filter.
Having it inside the gitlab:ldap:check task will allow us to find about filter problems as early as when the gitlab:check task is ran.
I think this would be very nice for LDAP problems, both for support and end-users (admins). Problem with nice-to-have is that they get moved up indefinitely. Is this something we want to do soon?
it will immensely help us when troubleshooting LDAP problems, specially since LDAP filters can be very difficult to get right. It will also help us to try different filters without having to go the awful ldapsearch route.