WIP: Do not create GL user when LDAP user falls outside user_filter

Drew Blessing requested to merge dblessing/gitlab-ce:auto_block_ldap into master

When a user specifies a user_filter in LDAP configuration, the user was correctly denied access to GitLab. However, a user object was still created and saved to the GL database. This wasn't terrible, but it was annoying. The tricky part is that it actually appears to GL as if the authentication succeeded. That's because according to omniauth it does - the user provided a proper username and password. The next point where GL recognized this user shouldn't log in is ldap_user.allowed?. By this time the user object is already created and saved.

I added a check to see if the ldap_user 'exists' according to our configuration, which includes the user_filter. If not, skip the parts that create the user object.

  • Make it work in CE
  • Write tests
  • Fix code on the EE side

Fixes gitlab-org/gitlab-ce#13296 and https://gitlab.com/gitlab-org/gitlab-ce/issues/21195
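
A simplified model of the ordering issue described above, as an added example that is not GitLab's code or part of this merge request. The in-memory directory, the filter lambda and all method names are assumptions made for illustration.

```ruby
# Constructed sample directory: uid => attributes.
# A plain password comparison stands in for an LDAP bind.
DIRECTORY = {
  "alice" => { password: "a-secret", groups: ["gitlab-users"] },
  "bob"   => { password: "b-secret", groups: ["contractors"] }
}.freeze

# Stand-in for the configured user_filter: only gitlab-users members match.
USER_FILTER = ->(entry) { entry[:groups].include?("gitlab-users") }

# The bind succeeds for any valid username/password, whatever the filter says.
def bind_ok?(uid, password)
  entry = DIRECTORY[uid]
  !entry.nil? && entry[:password] == password
end

# Lookup with the filter applied: a filtered-out user "does not exist".
def ldap_user_exists?(uid)
  entry = DIRECTORY[uid]
  !entry.nil? && USER_FILTER.call(entry)
end

# Before: the account row is saved first, the filter is checked afterwards.
def login_create_then_check(db, uid, password)
  return :bad_credentials unless bind_ok?(uid, password)
  db[uid] ||= { provider: "ldap" } # row persisted before the access decision
  ldap_user_exists?(uid) ? :signed_in : :denied
end

# After: the filtered lookup runs before anything is written.
def login_check_then_create(db, uid, password)
  return :bad_credentials unless bind_ok?(uid, password)
  return :denied unless ldap_user_exists?(uid)
  db[uid] ||= { provider: "ldap" }
  :signed_in
end

# Runs both orderings for both sample users and reports which rows were saved.
def demo
  before_db = {}
  after_db = {}
  results = %w[alice bob].map do |uid|
    pw = DIRECTORY[uid][:password]
    [uid, login_create_then_check(before_db, uid, pw), login_check_then_create(after_db, uid, pw)]
  end
  { results: results, before_rows: before_db.keys, after_rows: after_db.keys }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Both orderings deny the filtered-out user, but only the second leaves no account row behind for them.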