A user can become ldap_blocked and remain ldap_blocked if temporarily locked on domain
Summary
A user on the domain gets their domain account locked. GitLab will mark this user as ldap_blocked when LDAP integration is enabled. The domain account is then unlocked, but GitLab still sees the user as ldap_blocked. It does not restore the user back to active.
Steps to reproduce
- Lock domain account.
- Try to log into GitLab -> fails, which is expected.
- Domain admin unlocks the account.
- Try to log into GitLab -> fails, which is NOT expected.
- GitLab admin sees the user as blocked on the web and as ldap_blocked on the GitLab console.
- GitLab admin has to unlock the user from the GitLab console. It is not allowed through the web.
What is the current bug behavior?
- Lock domain account.
- Try to log into GitLab -> fails, which is expected.
- Domain admin unlocks the account.
- Try to log into GitLab -> fails, which is NOT expected.
What is the expected correct behavior?
- Lock domain account.
- Try to log into GitLab -> fails, which is expected.
- Domain admin unlocks the account.
- Try to log into GitLab -> success.
Possible fixes
Reading the docs, it seems LDAP users are cached (for a day?), which is too long for a locked account. If a user is marked as ldap_blocked, always query the LDAP server to check the account's current state instead of relying on the cache.
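The proposed fix as a small, self-contained model, added here as an illustration and not taken from GitLab's code base. The LDAP server is stood in for by a Hash of uid => locked flag, the cache is a per-uid entry with a one-day TTL, and the `bypass_cache_when_blocked` switch, the `LdapDirectory`/`LdapSync` classes and the `scenario` helper are all assumptions of this example. `scenario(fix: false)` replays the steps in the report and ends with the user still ldap_blocked after the domain unlock; `scenario(fix: true)` re-queries LDAP for a blocked user and restores the account to active.

```ruby
# Assumed stand-in for the LDAP server: maps uid => true when the domain
# account is locked. Counts queries so the cache behaviour is observable.
class LdapDirectory
  attr_reader :queries

  def initialize(accounts)
    @accounts = accounts # constructed sample data, e.g. { 'alice' => false }
    @queries = 0
  end

  def locked?(uid)
    @queries += 1
    @accounts.fetch(uid)
  end

  def lock(uid)   = @accounts[uid] = true
  def unlock(uid) = @accounts[uid] = false
end

# Minimal user record: state is :active or :ldap_blocked.
User = Struct.new(:uid, :state)

class LdapSync
  CACHE_TTL = 24 * 60 * 60 # one day, the cache interval the report refers to

  # bypass_cache_when_blocked: false reproduces the reported behaviour,
  # true applies the suggested fix. clock is injectable so the TTL can be tested.
  def initialize(directory, bypass_cache_when_blocked:, clock: -> { Time.now })
    @directory = directory
    @bypass = bypass_cache_when_blocked
    @clock = clock
    @cache = {} # uid => [locked?, fetched_at]
  end

  # Reconcile the user's state with LDAP and return the updated user.
  # A stale "locked" cache entry would otherwise keep an already-blocked user
  # blocked for up to CACHE_TTL after the domain admin unlocked the account.
  def sync(user)
    locked = if @bypass && user.state == :ldap_blocked
               fresh_lookup(user.uid)
             else
               cached_lookup(user.uid)
             end
    user.state = locked ? :ldap_blocked : :active
    user
  end

  private

  def fresh_lookup(uid)
    locked = @directory.locked?(uid)
    @cache[uid] = [locked, @clock.call]
    locked
  end

  def cached_lookup(uid)
    entry = @cache[uid]
    return entry[0] if entry && (@clock.call - entry[1]) < CACHE_TTL

    fresh_lookup(uid)
  end
end

# Replays the steps from the report; returns the user's final state.
# wait is the delay between the domain unlock and the next login attempt.
def scenario(fix:, wait: 3600)
  now = Time.at(0)
  directory = LdapDirectory.new('alice' => false)
  sync = LdapSync.new(directory, bypass_cache_when_blocked: fix, clock: -> { now })
  alice = User.new('alice', :active)

  directory.lock('alice')   # domain admin locks the account
  sync.sync(alice)          # login attempt: LDAP reports locked -> ldap_blocked (expected)
  directory.unlock('alice') # domain admin unlocks the account
  now += wait
  sync.sync(alice)          # login attempt after the unlock
  alice.state
end

if __FILE__ == $PROGRAM_NAME
  puts "without fix: #{scenario(fix: false)}"
  puts "with fix:    #{scenario(fix: true)}"
end
```

Without the fix the user only recovers once the cache entry expires (`scenario(fix: false, wait: LdapSync::CACHE_TTL)` returns `:active`), which matches the day-long window the report complains about; with the fix the extra LDAP query is only paid for users who are currently ldap_blocked, so the cache still protects the common path.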