adding multiple LDAP-identities (or migrating an account between two identities)
Problem description
It seems to be impossible to add/modify an LDAP identity to/of an already existing LDAP user.
When I (as admin) navigate to the user's settings, go to the Identities tab and try to add a new identity based on `ldapmain`, I always get a "User already taken" error, regardless of what I enter into the Identifier field.
It seems that I can add an LDAP identity to an OAuth2 user without a problem.
User story
We are running GitLab-CE (8.16.6, via omnibus).
All our proper users are authenticating via LDAP (we are also using OAuth2 for external users, but I don't think this is related).
LDAP is only used for authentication (and authorizing them as internal; but no fine-grained roles are handled by LDAP).
We don't use gitlab-accounts (that is: accounts internal to the gitlab instance).
Users are encouraged to change their publicly visible username within GitLab on first login (as the "username" they get from LDAP is basically a numeric user id).
The LDAP directory is managed by a different facility, we (and our users) have read-only access (no way to change an email, dn or any other field). Every now and then, users (real people) are promoted to other ldap-dns (e.g. because they change to another subdivision within the company): if this happens, usually their username and email-address also change, effectively creating a new user on the LDAP-side.
Now we would like these users to be able to access our gitlab-instance as the same persona (so they still have access to all their projects, tickets,...), even when they changed to a different subdivision. Obviously they would need to authenticate via their new username/password, but on the gitlab side, they should end up as the same persona.
My basic idea was:
- user `cn=p123,ou=lab1,o=nuclear,dc=example,dc=com` logs in and changes their username to `bhoward`
- user can now log in as `p123` but inside GitLab is visible as `bhoward`
- user gets assigned to a new lab, and gets a new dn `cn=p007,ou=specops,o=laundry,dc=example,dc=com`
- admin goes to https://git.example.com/admin/users/bhoward/identities and adds the `cn=p007,ou=specops,o=laundry,dc=example,dc=com` LDAP-identity
- user now logs in as `p007`, but inside GitLab still acts as `bhoward`
Since I cannot add the new identity, this doesn't work (and I don't really dare removing the old identity first, as in the past this would result in just creating a new user `p007` on first login with the new identity).
A related issue is gitlab-foss#28430 (moved).