With SAML + LDAP error occurs if LDAP does not have an email address value
Zendesk: https://gitlab.zendesk.com/agent/tickets/107214
A customer has a situation where users are already able to sign in via SAML successfully. SAML provides the necessary attributes like name and email address. Now they want to add LDAP so they can use group sync. Their LDAP system does not have email attributes for users, though. When configured with LDAP + SAML and with `auto_link_ldap_user` set, GitLab attempts to update the user's profile with information from the sign-in provider and from LDAP. This fails when LDAP cannot provide an email address.
NoMethodError (undefined method `first' for nil:NilClass):
lib/gitlab/auth/o_auth/user.rb:246:in `update_profile'
lib/gitlab/auth/o_auth/user.rb:19:in `initialize'
app/controllers/omniauth_callbacks_controller.rb:125:in `new'
app/controllers/omniauth_callbacks_controller.rb:125:in `sign_in_user_flow'
app/controllers/omniauth_callbacks_controller.rb:102:in `omniauth_flow'
app/controllers/omniauth_callbacks_controller.rb:40:in `saml'
The code in question:
if creating_linked_ldap_user? && gl_user.email == ldap_person.email.first
  metadata.set_attribute_synced(:email, true)
  metadata.provider = ldap_person.provider
end
Specifically, `ldap_person.email` is nil, so `.first` fails.
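As an added illustration (not GitLab's own code, and not its eventual fix), here is the quoted check next to a nil-tolerant variant that treats a missing LDAP mail attribute as "email not synced from LDAP" rather than raising; the `LdapPerson` and `GlUser` structs and the method names are stand-ins constructed for this example.

```ruby
# Minimal model of the update_profile check from the issue. LdapPerson#email
# is an array when the directory has a mail attribute and nil when it does not.
LdapPerson = Struct.new(:email, :provider)
GlUser     = Struct.new(:email)

# The check as quoted: raises NoMethodError when ldap_person.email is nil.
def email_synced_unguarded?(gl_user, ldap_person, creating_linked_ldap_user)
  creating_linked_ldap_user && gl_user.email == ldap_person.email.first
end

# Nil-tolerant variant: Array(nil) is [], so .first is nil and the method
# returns false, i.e. the email is NOT marked as LDAP-synced (fail closed).
def email_synced_guarded?(gl_user, ldap_person, creating_linked_ldap_user)
  return false unless creating_linked_ldap_user
  ldap_email = Array(ldap_person.email).first
  !ldap_email.nil? && gl_user.email == ldap_email
end

# Small driver exercising both variants with and without an LDAP mail value.
def demo
  user      = GlUser.new("alice@example.com")      # constructed sample
  with_mail = LdapPerson.new(["alice@example.com"], "ldapmain")
  no_mail   = LdapPerson.new(nil, "ldapmain")       # directory lacks mail
  results = {
    with_mail_unguarded: email_synced_unguarded?(user, with_mail, true),
    with_mail_guarded:   email_synced_guarded?(user, with_mail, true),
    no_mail_guarded:     email_synced_guarded?(user, no_mail, true)
  }
  begin
    email_synced_unguarded?(user, no_mail, true)
    results[:no_mail_unguarded] = :no_error
  rescue NoMethodError => e
    results[:no_mail_unguarded] = e.class   # reproduces the reported crash
  end
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```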