LDAP filter is not applied consistently

SUMMARY: The LDAP filter we have configured in Gitlab works upon user's first-time login; thereafter it's ignored.

STEPS TO REPRODUCE:

1. Configure an ldap filter in Gitlab:

   (a) In the "ldap:" section of config/gitlab.yaml:

        user_filter: '(gitlabUser=yes)'

   (b) In the "if Gitlab.config.ldap.enabled" section of config/initializers/devise.rb:

        user_filter:   Gitlab.config.ldap['user_filter'],

2. Create a new user in OpenLDAP with attribute gitlabUser set to "no".

3. Try to login to gitlab as this user - it should, and does, fail.

4. Set gitlabUser to "yes" in user's OpenLDAP entry.

5. Login should, and does, now succeed. Logout.

6. Set gitlabUser back to "no" in user's OpenLDAP entry.

7. Login should once again fail, but instead succeeds.

In order to get the expected behaviour - login fail - it was necessary to login to Gitlab as the admin user and destroy the user's account there.

OUTPUT OF CHECKS: Application Check output appears after my signature below.

We are running gitlab 6.9.2 on Debian wheezy.

Our Setup Description (sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production): System information System: Debian 7.5 Current User: git Using RVM: no Ruby Version: 1.9.3p194 Gem Version: 1.8.23 Bundler Version:1.3.5 Rake Version: 10.3.1 Sidekiq Version:2.17.0

GitLab information Version: 6.9.2 Revision: e46b644a Directory: /srv/home/git/gitlab DB Adapter: mysql2 URL: http://gitlab.scss.tcd.ie HTTP Clone URL: http://gitlab.scss.tcd.ie/some-project.git SSH Clone URL: git@gitlab.scss.tcd.ie:some-project.git Using LDAP: yes Using Omniauth: yes Omniauth Providers: google_oauth2

GitLab Shell Version: 1.9.4 Repositories: /srv/git/repositories/ Hooks: /home/git/gitlab-shell/hooks/ Git: /usr/bin/git

---

Stephen Kenny (skenny@scss.tcd.ie) School of Computer Science and Statistics Trinity College Dublin 2.

Gitlab Application Check output:

Checking Environment ...

Git configured for git user? ... yes

Checking Environment ... Finished

Checking GitLab Shell ...

GitLab Shell version >= 1.9.4 ? ... OK (1.9.4) Repo base directory exists? ... yes Repo base directory is a symlink? ... no Repo base owned by git:git? ... yes Repo base access is drwxrws---? ... yes Satellites access is drwxr-x---? ... yes update hook up-to-date? ... yes update hooks in repos are links: ... . . . Running /home/git/gitlab-shell/bin/check Check GitLab API access: OK Check directories and files: /srv/git/repositories: OK /home/git/.ssh/authorized_keys: OK Test redis-cli executable: redis-cli 2.4.14 Send ping to redis server: PONG gitlab-shell self-check successful

Checking GitLab Shell ... Finished

Checking Sidekiq ...

Running? ... yes Number of Sidekiq processes ... 1

Checking Sidekiq ... Finished

Checking LDAP ...

LDAP users with access to your GitLab server (only showing the first 100 results) . . .

Checking LDAP ... Finished

Checking GitLab ...

Database config exists? ... yes Database is SQLite ... no All migrations up? ... yes Database contains orphaned UsersGroups? ... no GitLab config exists? ... yes GitLab config outdated? ... no Log directory writable? ... yes Tmp directory writable? ... yes Init script exists? ... yes Init script up-to-date? ... yes projects have namespace: ... . . . Redis version >= 2.0.0? ... yes Your git bin path is "/usr/bin/git" Git version >= 1.7.10 ? ... yes (1.7.10)

Checking GitLab ... Finished

This should be fixed in the current version so I'm closing this issue.
If you're still experiencing this problem, please reopen it.

Status changed to closed