Adambean / gitlab-ce-ldap-sync

Synchronise users and groups (including group members) from an LDAP instance with Gitlab CE (and EE in free tier) self-hosted instance(s).
Apache License 2.0

Updating a user's email address fails due to "public_email" is not an email you own #21

Open Adambean opened 3 years ago

Adambean commented 3 years ago

If a user who has already been synchronised changes their email address in the directory, resynchronising them will fail, with Gitlab throwing the error message:

"public_email" is not an email you own

This occurs right here on line 1190 of "LdapSyncCommand.php":

!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->update($gitlabUserId, [
    // "username"          => $gitlabUserName,
    // No point updating that. ^
    // If the UID changes so will that bit of the DN anyway, so this can't be detected with a custom attribute containing the Gitlab user ID written back to user's LDAP object.
    "reset_password"    => false,
    "name"              => $ldapUserDetails["fullName"],
    "extern_uid"        => $ldapUserDetails["dn"],
    "provider"          => $gitlabConfig["ldapServerName"],
    "public_email"      => $ldapUserDetails["email"],
    "admin"             => $ldapUserDetails["isAdmin"],
    "can_create_group"  => $ldapUserDetails["isAdmin"],
    "skip_confirmation" => true,
    "external"          => $ldapUserDetails["isExternal"],
])) : $this->logger->warning("Operation skipped due to dry run.");

$usersSync["update"][$gitlabUserId] = $gitlabUserName;

Specifically "public_email" => $ldapUserDetails["email"],.

The problem is that you can't set a user's public email address to an email address that isn't already registered to their account on your Gitlab instance. This could be corrected by adjusting the Gitlab user's primary email address by changing "public_email" to "email", though this comes with drawbacks:

  1. You cannot adjust "email" and "public_email" in one call to avoid this error. Either two update() calls are required, or a get() call must be performed first with a check to determine if a 2nd update() is necessary. Not doing this just means that the user's publicly visible email address would not be updated.
  2. If the new email address for this Gitlab user has already been used by another Gitlab user the update() will fail due to a unique constraint violation. Recursive action would be necessary to resolve conflicts in advance. (This problem can also apply to users newly synchronising into Gitlab.)

--

Just taking note of this issue so I don't forget it, and I'm open to hearing if anyone else has had this issue already and what you think would be best to resolve it.
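The get()-then-two-update() sequence and the uniqueness pre-check described in the two drawbacks above, as an added example that is not code from gitlab-ce-ldap-sync. `FakeGitlabUsers` is a constructed in-memory stand-in for the GitLab Users API that models only the two rules the issue describes (public_email must already be attached to the account; email is unique across the instance); `naive_update`, `sync_user_email`, `make_fixture` and the sample users are assumptions made up for this example. The `skip_reconfirmation` parameter is a real PUT /users/:id parameter from GitLab's API documentation, not something the page mentions, and the fake simply ignores it.

```python
"""Two-step e-mail sync against a constructed stand-in for GitLab's Users API.

FakeGitlabUsers models only the two API rules the issue describes:
  * "public_email" must already be one of the addresses attached to the user
    (otherwise GitLab answers: "public_email" is not an email you own);
  * "email" is unique across the instance, so reusing another user's address fails.
The confirmation flow and secondary e-mails of the real API are left out.
"""


class GitlabApiError(Exception):
    """Raised by the fake where the real API would return a 4xx response."""


class FakeGitlabUsers:
    """In-memory stand-in for GET /users/:id, GET /users?search= and PUT /users/:id."""

    def __init__(self, users):
        # users: {id: {"username", "email", "public_email", "emails": set}}
        self.users = users
        self.calls = []  # every update() payload, so callers can inspect what was sent

    def get(self, user_id):
        return dict(self.users[user_id])

    def search(self, email):
        """IDs of users that own `email` (stands in for GET /users?search=<email>)."""
        return [uid for uid, u in self.users.items() if email in u["emails"]]

    def update(self, user_id, payload):
        self.calls.append((user_id, dict(payload)))
        u = self.users[user_id]
        if "email" in payload:
            new = payload["email"]
            if any(uid != user_id for uid in self.search(new)):
                raise GitlabApiError("Email has already been taken")
            u["email"] = new
            u["emails"].add(new)  # simplified: the old address stays attached
        if "public_email" in payload:
            if payload["public_email"] not in u["emails"]:
                raise GitlabApiError('"public_email" is not an email you own')
            u["public_email"] = payload["public_email"]
        return dict(u)


def naive_update(gitlab, user_id, ldap_email):
    """The pattern the issue reports: a single update() that sets only public_email.

    Fails as soon as the directory address differs from what GitLab has on file.
    """
    return gitlab.update(user_id, {"public_email": ldap_email})


def sync_user_email(gitlab, user_id, ldap_email, dry_run=False, log=print):
    """Bring a user's primary and public e-mail in line with LDAP.

    Returns "unchanged", "conflict", "skipped" or "updated". Drawback 1: get()
    first, then at most two update() calls. Drawback 2: check for a uniqueness
    clash before touching anything, and report it instead of failing mid-sync.
    """
    current = gitlab.get(user_id)
    if current["email"] == ldap_email and current["public_email"] == ldap_email:
        return "unchanged"

    owners = [uid for uid in gitlab.search(ldap_email) if uid != user_id]
    if owners:
        log(f"user {user_id}: {ldap_email} already belongs to user(s) {owners}, skipping")
        return "conflict"

    if dry_run:
        log("Operation skipped due to dry run.")
        return "skipped"

    # Step 1: make the address one the account owns by changing the primary e-mail.
    if current["email"] != ldap_email:
        gitlab.update(user_id, {"email": ldap_email, "skip_reconfirmation": True})

    # Step 2: only now may public_email point at it.
    if current["public_email"] != ldap_email:
        gitlab.update(user_id, {"public_email": ldap_email})
    return "updated"


def make_fixture():
    """Constructed sample data: a fresh fake with two users per scenario."""
    return FakeGitlabUsers({
        1: {"username": "alice", "email": "alice@old.example",
            "public_email": "alice@old.example", "emails": {"alice@old.example"}},
        2: {"username": "bob", "email": "bob@example.com",
            "public_email": "bob@example.com", "emails": {"bob@example.com"}},
    })


if __name__ == "__main__":
    g = make_fixture()
    try:
        naive_update(g, 1, "alice@new.example")
    except GitlabApiError as exc:
        print("naive update:", exc)
    print("two-step:", sync_user_email(g, 1, "alice@new.example"))
    print("clash:", sync_user_email(g, 1, "bob@example.com"))
```

Running the script shows the naive single call failing with the exact error from the issue, the two-step version succeeding, and the attempt to reuse bob's address being reported as a conflict before any update() is sent. Against a real instance the `search` call would be the `GET /users?search=` lookup and both updates would hit `PUT /users/:id`; the conflict branch is where a separate conflict-resolution pass would hook in.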

Adambean commented 2 years ago

Looks like we have confirmation that for creating users changing the key "public_email" to "email" works. https://github.com/Adambean/gitlab-ce-ldap-sync/issues/27#issuecomment-1077427013