Closed jsiegers closed 5 years ago
I'm using FreeIPA where you can disable a user (so it still exists). When that happens the user disappears from LDAP itself. In this case I've disabled the user rdkoning. I then get this error:
[notice] Updating users of which were already in both Gitlab and the directory... [info] Updating Gitlab user #4 "rdkoning". [error] Gitlab user "rdkoning" has no LDAP details available. This should not happen!
What has happened inside GitLab is that this user is now blocked and marked as external. Blocked I get but don't really understand why it's now marked as external. Perhaps this is something GitLab does? Please note that the user still exists in FreeIPA and is inside FreeIPA still a member of its groups.
I get why that error is happening. It's because it's trying to sync the user's details (name, email, isAdmin, isExternal, etc) based on what's been seen by LDAP, but the user's LDAP details are no longer available because you've disabled it. -- The LDAP query you've used is likely filtering disabled users out intentionally with the "nsAccountLock" attribute.
There is nothing wrong here other than the over-emphasis of the error message. It just needs to be a less shouty information message.
What has happened inside GitLab is that this user is now blocked and marked as external. Blocked I get but don't really understand why it's now marked as external. Perhaps this is something GitLab does?
This is something I did:
// Block the user that has vanished from the directory (skipped on a dry run).
!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->block($gitlabUserId)) : $this->logger->warning("Operation skipped due to dry run.");
// Then strip admin and group-creation rights and mark the account external.
!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->update($gitlabUserId, [
"admin" => false,
"can_create_group" => false,
"external" => true,
])) : $this->logger->warning("Operation skipped due to dry run.");
Setting external to true is probably a bit overcautious, but when a user is re-enabled that external flag (should) be updated according to their group's external configuration.
When I now re-enable the user again and sync it then everything looks alright. The user is placed inside of every group again, etc. But inside GitLab the user is now no longer an external user but is still blocked!
I'm expecting that when I re-enable a user that it's no longer external and no longer blocked.
Here is the output of the sync after I've reenabled the user:
I'm not seeing any errors there, or that the user is being re-created. I think what's been missed is an API call to unblock the user. This can likely be resolved as follows:
if ($gitlab->api("users")->all(["username" => $gitlabUserName, "blocked" => true])) {
$this->logger->info(sprintf("Enabling Gitlab user #%d \"%s\".", $gitlabUserId, $gitlabUserName));
$gitlabUser = null;
!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->unblock($gitlabUserId)) : $this->logger->warning("Operation skipped due to dry run.");
}
It should be inserted into the block for updating user details just before $this->logger->info(sprintf("Updating Gitlab user #%d \"%s\".", $gitlabUserId, $gitlabUserName));
near line 1081 as follows:
if ($this->in_array_i($gitlabUserName, $config["gitlab"]["options"]["userNamesToIgnore"])) {
$this->logger->info(sprintf("User \"%s\" in ignore list.", $gitlabUserName));
continue;
}
if ($gitlab->api("users")->all(["username" => $gitlabUserName, "blocked" => true])) {
$this->logger->info(sprintf("Enabling Gitlab user #%d \"%s\".", $gitlabUserId, $gitlabUserName));
$gitlabUser = null;
!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->unblock($gitlabUserId)) : $this->logger->warning("Operation skipped due to dry run.");
}
$this->logger->info(sprintf("Updating Gitlab user #%d \"%s\".", $gitlabUserId, $gitlabUserName));
$gitlabUser = null;
I've not tested this out yet.
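The two mechanisms discussed above, the FreeIPA `nsAccountLock` filter making a disabled user "disappear" from the LDAP result, and the sync blocking such a user and later unblocking it before refreshing its details, can be exercised end to end without a real server. The following is an added example written for this thread; it is not the project's own code. `FakeGitlabUsersApi`, `syncPass`, `ldapVisibleUsers` and the `EXTERNAL_GROUPS` constant are hypothetical stand-ins for the real `$gitlab->api("users")` client, the sync loop and the group external configuration, and the directory snapshot is constructed.

```php
<?php
declare(strict_types=1);

// Directory groups whose members are flagged "external" in GitLab (assumed configuration,
// standing in for the per-group external setting the thread refers to).
const EXTERNAL_GROUPS = ['contractors'];

// FreeIPA keeps a disabled account in LDAP but sets nsAccountLock=TRUE on it; the usual
// user filter, (!(nsAccountLock=TRUE)), therefore drops it from the sync's result set.
function ldapVisibleUsers(array $directory): array
{
    return array_values(array_filter(
        $directory,
        fn(array $entry): bool => strtoupper($entry['nsAccountLock'] ?? 'FALSE') !== 'TRUE'
    ));
}

// Hypothetical in-memory stand-in for the part of $gitlab->api("users") used in the thread.
final class FakeGitlabUsersApi
{
    private array $users = [];
    private int $nextId = 1;

    public function create(string $username): int
    {
        $id = $this->nextId++;
        $this->users[$id] = ['id' => $id, 'username' => $username, 'state' => 'active',
                             'admin' => false, 'can_create_group' => true, 'external' => false];
        return $id;
    }

    // Mirrors GET /users?username=...&blocked=true: matching users, or [] when none match.
    public function all(array $params): array
    {
        return array_values(array_filter($this->users, function (array $u) use ($params): bool {
            if (isset($params['username']) && $u['username'] !== $params['username']) {
                return false;
            }
            return empty($params['blocked']) || $u['state'] === 'blocked';
        }));
    }

    public function block(int $id): array   { $this->users[$id]['state'] = 'blocked'; return $this->users[$id]; }
    public function unblock(int $id): array { $this->users[$id]['state'] = 'active';  return $this->users[$id]; }
    public function update(int $id, array $attrs): array
    {
        $this->users[$id] = array_merge($this->users[$id], $attrs);
        return $this->users[$id];
    }
    public function get(int $id): array { return $this->users[$id]; }
}

// One reconciliation pass over the GitLab users we track; returns the log lines it produced.
function syncPass(FakeGitlabUsersApi $api, array $directory, array $gitlabIds, bool $dryRun = false): array
{
    $log = [];
    $visible = [];
    foreach (ldapVisibleUsers($directory) as $entry) {
        $visible[$entry['uid']] = $entry;
    }

    foreach ($gitlabIds as $username => $id) {
        if (!isset($visible[$username])) {
            // Gone from the LDAP result (deleted, or disabled via nsAccountLock): block and strip
            // privileges, as the original sync does. This is expected, so log it at info level.
            $log[] = sprintf('Gitlab user "%s" has no LDAP details available; blocking.', $username);
            if ($dryRun) {
                $log[] = 'Operation skipped due to dry run.';
                continue;
            }
            $api->block($id);
            $api->update($id, ['admin' => false, 'can_create_group' => false, 'external' => true]);
            continue;
        }

        // Present again: unblock *before* refreshing details, which is the fix from this issue.
        if ($api->all(['username' => $username, 'blocked' => true])) {
            $log[] = sprintf('Enabling Gitlab user #%d "%s".', $id, $username);
            if ($dryRun) {
                $log[] = 'Operation skipped due to dry run.';
            } else {
                $api->unblock($id);
            }
        }
        $log[] = sprintf('Updating Gitlab user #%d "%s".', $id, $username);
        if (!$dryRun) {
            // Recompute the external flag from current group membership instead of leaving
            // the value that was forced to true while the user was blocked.
            $isExternal = count(array_intersect($visible[$username]['memberOf'], EXTERNAL_GROUPS)) > 0;
            $api->update($id, ['external' => $isExternal]);
        }
    }
    return $log;
}

// Constructed walk-through: rdkoning is disabled in FreeIPA, synced, re-enabled, synced again.
$directory = [
    ['uid' => 'rdkoning', 'nsAccountLock' => 'TRUE',  'memberOf' => ['developers']],
    ['uid' => 'alice',    'nsAccountLock' => 'FALSE', 'memberOf' => ['contractors']],
];
$api = new FakeGitlabUsersApi();
$ids = ['rdkoning' => $api->create('rdkoning'), 'alice' => $api->create('alice')];

foreach (syncPass($api, $directory, $ids) as $line) { echo $line, PHP_EOL; }
$u = $api->get($ids['rdkoning']);
assert($u['state'] === 'blocked' && $u['external'] === true);

$directory[0]['nsAccountLock'] = 'FALSE';   // user re-enabled in FreeIPA
foreach (syncPass($api, $directory, $ids) as $line) { echo $line, PHP_EOL; }
$u = $api->get($ids['rdkoning']);
assert($u['state'] === 'active' && $u['external'] === false);
assert($api->get($ids['alice'])['external'] === true);
```

Run it with `php sync_example.php` (PHP 7.4 or later, for arrow functions and typed properties). The first pass reproduces what the issue author saw: the disabled user is blocked and flagged external. The second pass shows why the unblock call has to sit before the detail update: without it the user would be refreshed as a non-external, still-blocked account, exactly the state reported in the thread.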
Just tested it, seemed to work fine.
Forgot to reference this issue in my commit, but here it is.
Revision: 6eb1398b845ccddaefa2fd139dbb11f0d7f1d4d2
Author: Adam Reece
Date: 09/03/2019 11:46:07
Message:
Fixed user not being unblocked after re-appearing in the directory.
----
Modified: src/LdapSyncCommand.php
Cheers again! It also works now over here!