LDAP `sync_time` configuration duplicated/not used properly

Related to gitlab-org/gitlab-ee#132

It seems that when we switched from old to new LDAP configuration syntax, sync_time was sort of half-way migrated. But, code references the old configuration so the 'properly' configured sync_time is never referenced.

1_settings.rb:

Notice the two spots I put the >>. One seems to be a 'global' sync_time that is not specific to a provider, while the other is provider specific.

# Default settings
Settings['ldap'] ||= Settingslogic.new({})
Settings.ldap['enabled'] = false if Settings.ldap['enabled'].nil?
>> Settings.ldap['sync_time'] = 3600 if Settings.ldap['sync_time'].nil?
Settings.ldap['schedule_sync_daily'] = 1 if Settings.ldap['schedule_sync_daily'].nil?
Settings.ldap['schedule_sync_hour'] = 1 if Settings.ldap['schedule_sync_hour'].nil?
Settings.ldap['schedule_sync_minute'] = 30  if Settings.ldap['schedule_sync_minute'].nil?

# backwards compatibility, we only have one host
if Settings.ldap['enabled'] || Rails.env.test?
  if Settings.ldap['host'].present?
    # We detected old LDAP configuration syntax. Update the config to make it
    # look like it was entered with the new syntax.
    server = Settings.ldap.except('sync_time')
    Settings.ldap['servers'] = {
      'main' => server
    }
  end

  Settings.ldap['servers'].each do |key, server|
    server = Settingslogic.new(server)
    server['label'] ||= 'LDAP'
    server['timeout'] ||= 10.seconds
    server['block_auto_created_users'] = false if server['block_auto_created_users'].nil?
    server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
    server['active_directory'] = true if server['active_directory'].nil?
    server['attributes'] = {} if server['attributes'].nil?
    server['provider_name'] ||= "ldap#{key}".downcase
>>    server['sync_time'] = 3600 if server['sync_time'].nil?
    server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])
    Settings.ldap['servers'][key] = server
  end
end

user.rb:

Now look at the code in user.rb that detects if an LDAP check is necessary. It references only the global setting, not the provider specific one.

  def requires_ldap_check?
    if !Gitlab.config.ldap.enabled
      false
    elsif ldap_user?
      !last_credential_check_at || (last_credential_check_at + Gitlab.config.ldap['sync_time']) < Time.now
    else
      false
    end
  end

If we retain the provider specific one then a lot of code will have to get a lot smarter and look up the LDAP provider before checking sync time.

cc/ @jacobvosmaer - Mentioning you because this is related to gitlab-org/gitlab-ee#132

Hah. I should have read this before commenting on the other one. Yeah, this is a sticky wicket. For us we'd be happy if anything worked right now, since we only have one ldap server defined anyway.

cc/ @DouweM Can we squeeze this in for 8.6?

If 8.6 is the target, I'm going to have to hack in something before then. Like perhaps my ugly substitute for Gitlab.config.ldap['sync_time']

mentioned in issue omnibus-gitlab#1161 (closed)

Milestone changed to 8.6

@dblessing Yep, 8.6 makes sense. It's not hard to fix.

I'm not sure why for the mean time, adding sync_time at the top level wouldn't solve the issue?

@dstanley @dblessing If this is kinda working in GitLab but the omnibus-gitlab package is not passing the correct configuration, we can always create a fix in the package and backport it to the necessary version.

This is of course if the package is the only issue. Anything else would probably require a bit more work but shouldn't be the blocker in that case too.

@marin You could update the chef template to use the top-level config if it's specified (gitlab_rails['ldap_sync_time']) to set the global variable. That would have prevented me having to hack in a number.

mentioned in merge request omnibus-gitlab!679 (merged)

@dstanley Indeed, it is a very simple fix. The proposed fix is in omnibus-gitlab!679 (merged) . I will leave it to @dblessing to coordinate how to proceed with this, package patch release for 8.4 or a proper fix in this issue(or both).

mentioned in commit omnibus-gitlab@3a58bfda

mentioned in commit omnibus-gitlab@76fd9226

mentioned in commit omnibus-gitlab@ec6871d4

Marin merged a fix in to Omnibus to make the global config work now. However, we need to update documentation, update the default gitlab.yml file, and remove any references to provider specific ldap sync times in code. You can see the reference in the settings initializer above. cc/ @rspeicher

Reassigned to @rspeicher

mentioned in commit b7436e39

mentioned in merge request !266 (merged)

Status changed to closed by commit b7436e3958e61560daa676f9b26884a3348b990b

@dblessing Merged for 8.6, please report back if necessary.

mentioned in commit 593ee4db

Mentioned in commit pfjason/gitlab-ce@b7436e39

Mentioned in commit pfjason/gitlab-ce@0dba8e20