Fix synced attrs when creating linked LDAP user

Drew Blessing requested to merge dblessing_fix_ldap_synced_attrs_email into master

What does this MR do and why?

When creating a user/signing in via SAML or another OmniAuth mechanism and with auto_link_ldap_user, attributes should be synced from LDAP. To ensure the email address is properly compared and synced, downcase before comparison.

The code changes ensure that when a user's profile is updated through LDAP, their name and email are marked as synced and read-only. This means that any changes made to these attributes through LDAP will automatically be reflected in the user's GitLab profile, and the user won't be able to modify them directly in GitLab. This helps maintain data consistency and accuracy by ensuring that the information in GitLab is always up-to-date with the LDAP server.

This issue only occurred for existing users whose email address had capital letters in LDAP. Email addresses in GitLab are only downcased on save, so for new users the comparison would have worked since the comparison happens before save. However, on subsequent sign-ins users may have had their email address unmarked as read-only due to the GitLab value being downcased and the LDAP email not.

I also considered making a change to downcase the value in Ldap::Person#email. I think this would be an ideal approach, but I considered the change higher risk. We would need to be careful to ensure that no other locations have case-sensitive comparisons and adjust those. We can do it, and I'm willing to go that route if people feel strongly. But I just didn't feel as confident about it.

Related to #469205 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Set up both SAML and LDAP in GDK. Be sure to set auto_link_ldap_user to true.

  2. Ensure you have a user that exists in both SAML and LDAP with the same email address. To truly test the bug, you would need to ensure your LDAP server and/or SAML IdP had the email address with some capital letters.

  3. Sign in via SAML.

  4. Go to edit your profile to check that the email address is read-only.

  5. The account should be created with both a SAML identity and LDAP identity.

    Sign in as an administrator to verify the identities.

Edited by Drew Blessing
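The bug described in this MR can be reproduced in isolation. The following is an added example, not code from GitLab or from this MR: it uses a hypothetical FakeUser stand-in for the user record (assumed, as the description states, to downcase the email only on save), a constructed mixed-case LDAP email, and two comparison functions, one case-sensitive (the old behaviour) and one that downcases both sides (the fix). The two scenarios show why a first sign-in passed the check while a subsequent sign-in of the same user did not.

```ruby
# Added example, not GitLab code. Demonstrates why comparing the GitLab email
# with the LDAP email case-sensitively silently drops the "synced/read-only"
# flag on later sign-ins, and how downcasing both sides fixes it.

# Hypothetical stand-in for a GitLab user record. Assumption taken from the MR
# description: the email is normalised to lowercase only when the record is saved.
class FakeUser
  attr_reader :email
  attr_accessor :email_synced

  def initialize(email)
    @email = email
    @email_synced = false
  end

  # Mimics the on-save normalisation: lowercases the stored email.
  def save
    @email = @email.downcase
    self
  end
end

# Constructed LDAP "mail" attribute with capital letters, as a directory might return it.
LDAP_EMAIL = 'Jane.Doe@Example.COM'.freeze

# Old behaviour: case-sensitive comparison.
def email_synced_buggy?(user, ldap_email)
  user.email == ldap_email
end

# Fixed behaviour: downcase both values before comparing.
def email_synced_fixed?(user, ldap_email)
  user.email.downcase == ldap_email.downcase
end

# Marks the email as synced (read-only) only when the checker says it matches LDAP.
def sync_attrs(user, ldap_email, checker)
  user.email_synced = checker.call(user, ldap_email)
  user
end

# Scenario 1: first sign-in. The comparison happens before the record is saved,
# so the GitLab email still carries the LDAP casing.
def first_signin(checker)
  user = FakeUser.new(LDAP_EMAIL)
  sync_attrs(user, LDAP_EMAIL, checker)
  user.save
  user.email_synced
end

# Scenario 2: subsequent sign-in. The record already exists and was saved, so
# its email is lowercase while the LDAP value still has capitals.
def subsequent_signin(checker)
  user = FakeUser.new(LDAP_EMAIL).save
  sync_attrs(user, LDAP_EMAIL, checker)
  user.email_synced
end

BUGGY = method(:email_synced_buggy?)
FIXED = method(:email_synced_fixed?)

if __FILE__ == $PROGRAM_NAME
  puts "buggy: first=#{first_signin(BUGGY)} subsequent=#{subsequent_signin(BUGGY)}"
  puts "fixed: first=#{first_signin(FIXED)} subsequent=#{subsequent_signin(FIXED)}"
end
```

With the case-sensitive check the first sign-in reports the email as synced but every later sign-in reports it as not synced, which is exactly the "unmarked as read-only" symptom in the description; the downcased comparison reports synced in both scenarios.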
