ldap auth fails if user changes distinguishedName

Issue

In our organization, if a user changes office, their distinguishedName is updated to represent this eg: CN=<full name>,OU=<office>,DC=<domain>.... This presents a problem because after that change, even though they have the same username and password, the user is unable to log in to Gitlab (since it contains the stale dn). Upon updating the ldap_uid manually in the database to the new distinguishedName, the user is again able to log in.

Relevant config.yml

  ## LDAP settings
  ldap:
    enabled: true
    servers:
      main:
        active_directory: true
        uid: 'sAMAccountName'
        allow_username_or_email_login: false
        ...

Versions

GitLab       7.9.4
GitLab Shell 2.6.0
GitLab API   3
Ruby         2.1.0p0
Rails        4.1.9

mentioned in issue #993 (closed)

I had a similar problem switching identity providers Apple LDAP -> Microsoft AD

even though the LDAP UID where the same as AD sAMAccountName, users could not login because of the old identity.

what I did was to open rails console and delete all Identities Identity.delete_all. onces this happened user's could login.

maybe you could clear out that user's identity like this User.find_by(username: 'username').identities.delete_all then when they log in it will build a new indentity. btw this only works if the user never changes their 'sAMAccountName'

Another method that I would sugguest is adding unix support to your Microsoft AD. this will expose 3 new fields (uid,uid_number, primary_group). then when a user is created make sAMAccountName = uid. if the same account changes, no problem because it still links to the old UID.

I'd like to update that this still happens in gitlab 7.13

mentioned in issue #993 (closed)

Fixed by !1018 (merged).

Status changed to closed

mentioned in merge request !14785