GitLab admins can edit and delete user identities (e.g. LDAP DNs) at /admin/users/:user/identities, but they cannot add new identities. Today I spoke with a customer who would be helped by an 'Add' button.
Can we make that?
This would not matter anyway. Only the enterprise version allows more than one identity.
When there is no identity and a user connects via LDAP/AD, the identity is automatically created. This would mean we really would not need an add button.
Actually that's a problem when you want to connect users to LDAP (to use the LDAP group sync) but you don't want them to actually log in with their LDAP password (in our case, the LDAP password is the same as the Kerberos password, so it isn't something we want users to be typing anywhere but kinit). Having an option like this allows the admin of the GitLab server to map a user to their LDAP account without having to ask them to break a policy of not logging into any web service with their Kerberos/LDAP password.
@vdanen what I am about to say is from memory and I will probably need to recheck it. MS AD and Apple Open LDAP both do not store passwords in their directory systems.
With Apple LDAP you make a request to LDAP with a user/password; it passes the request to kinit, which gives a yes/no response to Open LDAP, which at this point returns a user LDAP object. This object is the one that will attach as an identity with GitLab, so if the password doesn't work then the identity will not be created.
That said, I have never seen any install of GitLab running OmniAuth Kerberos (http://doc.gitlab.com/ee/integration/kerberos.html). Most people will just connect directly via AD or LDAP. If this is the same as other OmniAuth configs, then if the user credentials are invalid the identity will not be created.
Remember, even if you have an identity and your creds don't work, then it will not update the identity, so adding one manually would be moot.
@freibuis I am not sure if I understand your concerns or how to respond to them.
Only the enterprise version allows more than one identity.
I don't believe this is true. GitLab CE allows only one LDAP server, but you can have multiple identity providers in CE (twitter, google, etc.).
I do not expect the 'add identity' button to be used a lot, but I think it is useful for user identity troubleshooting. As a GitLab service engineer, I want to avoid GitLab administrators having to use SQL or Rails consoles to fix problems.
@freibuis I'm not so concerned with how the password is stored in the backend (hashed, plaintext, whatever). The concern is actually typing it into the web UI. For a Kerberos password, you should never ever type it in. I'm using FreeIPA, and with it the Kerberos password is identical to the LDAP password, so even typing in the LDAP password means you're typing in the Kerberos password; there's no way around that. The current means of determining whether or not your Kerberos password is legit (which is effectively taking the user password, and the server passing it to kinit to see if it's legit) leaves a lot to be desired. It should be pulling the token from the web browser like any other good kerberized web app. But that's not even really the point here (that's just an aside). The point is I'd like, as an admin, to be able to assign this mapping without the user having to log in with their LDAP (Kerberos) password. I (and any other good Kerberos admin) don't want them typing that password anywhere except to kinit on their local system. Having an option like this is really helpful to us administrators who want to do things the right way.
And, as @jacobvosmaer pointed out, I don't want to muck around in the belly of the beast to change this. Without this, or proper Kerberos login, or a mapping between LDAP and Kerberos accounts (which is common), the effectiveness of GitLab in an LDAP+Kerberos environment is really not awesome.