We allow users to configure LDAP attribute preferences. For example,
email can be configured to use `mail`, `email` and `userPrincipalName`,
falling through to the next until a value is found. Prior to this
change, Gitlab::LDAP::Person did not honor this configuration. Now,
the class will honor `name` and `mail` configuration. It does not
handle `username`, or fall back to `first_name` + `last_name` in the
absence of `name`.

Centralize all LDAP config logic in `GitLab::LDAP::Config`. Previously,
some logic was in the Devise initializer and it was not honoring the
`user_filter`. If a user outside the configured `user_filter` signed
in, an account would be created but they would then be denied access.
Now that logic is centralized, the filter is honored and users outside
the filter are never created.

It was previously possible for invalid credential errors to go unnoticed
in this task. Users would believe everything was configured correctly and
then sign in would fail with 'invalid credentials'. This adds a specific
bind check, plus catches errors connecting to the server. Also, specs :)

LDAP Sync blocked user edge cases
Allow GitLab admins to block otherwise valid GitLab LDAP users
(https://gitlab.com/gitlab-org/gitlab-ce/issues/3462)
Based on the discussion on the original issue, we are going to differentiate "normal" block operations from the LDAP automatic ones in order to make some decisions when it's one or the other.
Expected behavior:
- [x] "ldap_blocked" users respond to both `blocked?` and `ldap_blocked?`
- [x] "ldap_blocked" users can't be unblocked by the Admin UI
- [x] "ldap_blocked" users can't be unblocked by the API
- [x] Block operations that are originated from LDAP synchronization will flag user as "ldap_blocked"
- [x] Only "ldap_blocked" users will be automatically unblocked by LDAP synchronization
- [x] When LDAP identity is removed, we should convert `ldap_blocked` into `blocked`
Mockup for the Admin UI with both "ldap_blocked" and normal "blocked" users:

There will be another MR for the EE version.
See merge request !2242
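
The expected behavior listed above, modeled as a small plain-Ruby state machine. This is an added example, not code from the merge request or from GitLab; `SketchUser` and its method names are hypothetical, and `directory_allows` stands in for the result of the LDAP check.

```ruby
# Added illustration: plain-Ruby model of the blocked / ldap_blocked rules.
# Class and method names are hypothetical, not GitLab's implementation.
class SketchUser
  attr_reader :state

  def initialize(ldap_identity: true)
    @state = :active
    @ldap_identity = ldap_identity
  end

  # "ldap_blocked" users answer true to both predicates.
  def ldap_blocked?
    @state == :ldap_blocked
  end

  def blocked?
    @state == :blocked || ldap_blocked?
  end

  # Manual block by an admin (UI or API).
  def admin_block
    @state = :blocked
  end

  # Manual unblock (UI or API) only lifts a normal block; returns false otherwise.
  def admin_unblock
    return false unless @state == :blocked
    @state = :active
    true
  end

  # LDAP sync. Assumption: an existing admin block is left untouched either way.
  def ldap_sync(directory_allows:)
    return @state unless @ldap_identity
    if directory_allows
      @state = :active if ldap_blocked? # only ldap_blocked is auto-unblocked
    elsif @state == :active
      @state = :ldap_blocked            # block originating from LDAP sync
    end
    @state
  end

  # Removing the LDAP identity converts ldap_blocked into blocked.
  def remove_ldap_identity
    @ldap_identity = false
    @state = :blocked if ldap_blocked?
  end
end
```
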