Normalize LDAP user DNs (downcase and remove excess spaces)
What does this MR do?
Normalizes LDAP user distinguished names by downcasing and removing excess spaces around attribute names and values.
TODO
- Migrate existing LDAP identities
- Add migration spec
- Add some integration tests
- Note normalizing behavior in documentation
- Smoke test
- Backport to CE (only group sync part is EE only). CE MR: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/14697
Are there points in the code the reviewer needs to double check?
I cleaned auth_hash.uid for LDAP auth_hash's instead of only cleaning specific usages of auth_hash.uid (like when setting an identity's extern_uid). This should be safe since our system should always work with normalized DNs, and LDAP providers should always compare DNs according to LDAP spec.
This should cover more cases where we might otherwise improperly compare DNs. And this requires fewer references to cleaning DNs that we need to maintain and add (when new comparisons of DNs arise).
Why was this MR needed?
There are rules in LDAP that allow different string representations of DNs to be equal (i.e. spaces around attribute names and values should be ignored).
So anywhere we compare DNs as strings (e.g. when syncing a group with its LDAP provider, or when looking up an Identity in our DB, etc.), we should compare them in some normalized form.
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
- Changelog entry added, if necessary
- Documentation created/updated
- API support added
- Tests added for this feature/bug
- Review
  - Has been reviewed by UX
  - Has been reviewed by Frontend
  - Has been reviewed by Backend
  - Has been reviewed by Database
- Conform by the merge request performance guides
- Conform by the style guides
- Squashed related commits together
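
The normalization described under "Why was this MR needed?", as an added Ruby sketch that is not GitLab's implementation: it downcases each attribute name and value and strips unescaped spaces around them, so equivalent DN strings compare equal. The module and method names are hypothetical and the DNs are constructed; it handles backslash escapes and multi-valued RDNs only, not quoted or hex-encoded values.

```ruby
# Added illustration; not GitLab's implementation. Helper names are hypothetical.
module DnNormalizer
  module_function

  # Split on an unescaped separator, keeping backslash escapes intact.
  def split_unescaped(str, sep)
    parts = [String.new]
    escaped = false
    str.each_char do |ch|
      if !escaped && ch == sep
        parts << String.new
        next
      end
      parts.last << ch
      escaped = !escaped && ch == '\\'
    end
    parts
  end

  # Strip spaces from both ends, but keep a trailing space that is escaped.
  def strip_unescaped(str)
    str = str.sub(/\A +/, '')
    while str.end_with?(' ')
      # An odd run of backslashes before the space means the space is escaped.
      break if str[0...-1][/\\*\z/].length.odd?
      str = str[0...-1]
    end
    str
  end

  def normalize(dn)
    split_unescaped(dn, ',').map do |rdn|
      split_unescaped(rdn, '+').map do |ava|
        name, value = ava.split('=', 2)
        if name.nil? || value.nil? || name.strip.empty?
          raise ArgumentError, "malformed RDN: #{ava.inspect}"
        end
        "#{name.strip.downcase}=#{strip_unescaped(value).downcase}"
      end.join('+')
    end.join(',')
  end
end

# Constructed sample: two spellings of the same DN normalize to one string.
['UID=John Smith, OU=People , DC=Example, DC=com',
 'uid = john smith,ou=people,dc=example,dc=com'].each do |dn|
  puts DnNormalizer.normalize(dn)
end
```

Comparing the normalized strings, rather than the raw ones, is what keeps an identity lookup or group sync from treating two spellings of one DN as different users.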