Adambean / gitlab-ce-ldap-sync

Synchronise users and groups (including group members) from an LDAP instance with Gitlab CE (and EE in free tier) self-hosted instance(s).
Apache License 2.0
59 stars, 23 forks

Gitlab LDAP sync script tries to remove "bot" users from groups. #44

Open TafkaMax opened 5 months ago

TafkaMax commented 5 months ago

The Gitlab LDAP sync script currently tries to remove "bot users" (the ones created when adding an access_token) from non-LDAP groups. Maybe even from groups that are also present in LDAP.

https://gitlab.example.com/groups/<GROUPNAME>/-/settings/access_tokens

TafkaMax commented 5 months ago
```
[notice] Deleting extra group members...
[info] Deleting user #132 "REDACTED" from group #1019 "REDACTED" [REDACTED].
[error] Gitlab failure: 403 Forbidden
```

TafkaMax commented 5 months ago


When adding an access token to a group, a bot user is created there. So a check is necessary to see if the user is a bot.

AdamReece-WebBox commented 5 months ago

I've not looked yet, but I suspect the users API will be able to reveal if a user is a bot. We could then exclude bot users from deletions.

(I noticed this happening at our corporate Gitlab too, though I've only ever needed to run the tool once here so far.)
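One way to implement the exclusion suggested above, as an added example that is not part of the gitlab-ce-ldap-sync project (the project itself is PHP; this is Python against the same GitLab REST API). It assumes that `GET /users/:id` returns a boolean `bot` field and, as a fallback for instances that omit it, that token bot users are named `group_<id>_bot[_<suffix>]` or `project_<id>_bot[_<suffix>]`; the member and user records below are constructed sample data, not real API output.

```python
import re

# Constructed sample data (not real API output). The shapes follow, as an
# assumption, GET /groups/:id/members and GET /users/:id from the GitLab REST API.
SAMPLE_MEMBERS = [
    {"id": 101, "username": "alice", "access_level": 30},
    {"id": 102, "username": "bob", "access_level": 30},
    {"id": 132, "username": "group_1019_bot_3f9a1c", "access_level": 40},
    {"id": 133, "username": "group_1019_bot", "access_level": 40},
]

SAMPLE_USERS = {
    101: {"id": 101, "username": "alice", "bot": False},
    102: {"id": 102, "username": "bob", "bot": False},
    132: {"id": 132, "username": "group_1019_bot_3f9a1c", "bot": True},
    # Assumed: an older instance that omits the "bot" field entirely.
    133: {"id": 133, "username": "group_1019_bot"},
}

# Assumed naming pattern of access-token bot users:
# group_<id>_bot[_<suffix>] or project_<id>_bot[_<suffix>].
BOT_USERNAME_RE = re.compile(r"^(?:group|project)_\d+_bot(?:_[0-9a-z]+)?$")


def is_bot_user(user: dict) -> bool:
    """True if GitLab flags the user as a bot, or if it is named like a token bot."""
    if user.get("bot") is True:
        return True
    return BOT_USERNAME_RE.match(user.get("username", "")) is not None


def members_to_delete(members, ldap_usernames, lookup_user):
    """Return usernames of group members absent from LDAP, excluding bot users.

    lookup_user(user_id) must return the GET /users/:id JSON for that member.
    LDAP usernames are compared case-insensitively (an assumption of this example).
    """
    ldap = {name.lower() for name in ldap_usernames}
    extra = []
    for member in members:
        if member["username"].lower() in ldap:
            continue  # still present in LDAP, keep the membership
        if is_bot_user(lookup_user(member["id"])):
            continue  # token bot: not LDAP-managed, and deleting it fails with 403 in the log above
        extra.append(member["username"])
    return extra


if __name__ == "__main__":
    # Only "bob" is a real user missing from LDAP; both bots are skipped.
    print(members_to_delete(SAMPLE_MEMBERS, ["alice"], SAMPLE_USERS.__getitem__))
```

The username fallback is deliberately narrow: a human account that happens to contain "bot" in its name does not match, so only accounts following the token-bot pattern are protected from deletion.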

TafkaMax commented 5 months ago

Reformatted the title. I first noticed it with groups that did not match an LDAP group name. But it is happening with all groups.