Adambean
commented
5 years ago Hi @Natureshadow,
Thank you for your interest in this tool.
As you've noticed already this tool is largely designed around LDAP being the primary source of users and groups. I built it this way as it's a fair expectation that if Gitlab is authenticating against LDAP at all it's going to be for reasons along these lines. (It would seem pretty rare to have LDAP authentication used at all in an application broader than for internal use.)
Some fairly large modifications would need to be made to have this tool work in a secondary manner as per your requirements. If you tried to use this tool in the way you like you'd encounter at least the following unexpected destructive behaviour:
- Users not in LDAP would become blocked (but not deleted, this tool never deletes users)
- Groups containing no users, subgroups, or projects would get deleted (unless you used the option to preserve empty groups)
- Groups with members that are not LDAP users and a member of the matching LDAP group would all lose their membership for those groups
Therefore definitely do not use this tool on your Gitlab instances. You can see exactly what the tool would do if it were not in dry run mode -d by also using very verbose mode -vv.
To get this tool to work in a less destructive way you suggested this would pose some challenges.
The main one is that this tool matches users solely by the LDAP user object's "uid" attribute (customisable) against a Gitlab user's username, not the Gitlab user's namespace. This is because there is not enough information available for this tool to know that this would be a mistake. LDAP user objects don't typically have a namespace in the "slug" style Gitlab has, they typically work with the UID attribute, CN attribute, or full object DN. (In your case you could easily find that existing users get linked to different LDAP users unintentionally.)
This is the same reason that if an LDAP user's "uid" is changed a new user would be made on Gitlab rather than the intended existing user renamed accordingly. This couldn't be worked around unless there as an attribute added to the LDAP schema to keep track of the Gitlab user object ID so the tool would have something permanent to match with. -- Obviously when you rename the LDAP user their UID and DN both change, so the linked external ID on the Gitlab user becomes useless. Namespaces can also be changed via Gitlab admin making that also unsuitable to match with.
I appreciate your use case, but honestly it's quite beyond the scope scope I have enough free time for. However if someone else wanted to fork the project to implement it I'd happily accept a well built merge providing the original purpose and mode of operation was preserved in the same (or exceeding) quality it is now. (Secondary mode would have to be opt-in rather than the default behaviour.)
willmmiles
BOW-el
brgsousa
On EduGit.org, users and groups can come from different sources. One is our LDAP directory, others are omniauth identities and manually created namespaces (groups). It seems that this tool does not expect any users or groups to be there that do not come from the LDAP directory. I do not know whether it just ocmplains loudly, but would work otherwise and just ignore the other users and groups, or if it would cause other errors if I ran it without the dry run option.
It would be good if this mode of operation could be supported correctly. Itworks out in general, as GitLab handles duplicate usernames from different sources quite nicely (it adds a number to the namespace if a newly authenticating user would cause the creation of an already existing namespace). It would maybe help if this tool had an option to keep all the synced LDAP groups as subgroups of a defined parent group, to start with.