
Prevent LDAP group sync from removing a group's last owner

As discussed with Patricio in support request 3151

When setting up LDAP group sync, users can easily lock themselves out of their own group (cf. http://doc.gitlab.com/ee/integration/ldap.html#locking-yourself-out-of-your-own-group). The group may be left without any owner and requires intervention of the GitLab Administrators - a significant burden for a large deployment. In order to avoid this situation, this patch prevents the LDAP group sync from removing the last owner of a group, in the same way GitLab does not allow removing the last owner of a group via the Members page. This "last owner" is left in place until a new owner is nominated; the next sync after that will remove him/her.
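The guard described above, as an added stand-alone Ruby model; it is not code from this merge request or from GitLab. `Group`, `sync_group` and the access-level constants are hypothetical names, and the example also blocks demoting the last owner, which goes beyond the removal case the description states.

```ruby
# Stand-alone model of a last-owner guard in a directory-driven group sync.
# Not GitLab code: Group, sync_group and the level values are hypothetical.
OWNER = 50      # constructed access-level values
DEVELOPER = 30

# members: { username => access_level }
Group = Struct.new(:name, :members) do
  def owners
    members.select { |_, level| level == OWNER }.keys
  end

  def last_owner?(user)
    owners == [user]
  end
end

# ldap_access: { username => access_level } derived from the directory.
# Returns the users kept in place only because of the guard.
def sync_group(group, ldap_access)
  retained = []
  # Apply grants highest level first, so an owner nominated through the
  # directory is counted before any demotion or removal is considered.
  ldap_access.sort_by { |_, level| -level }.each do |user, level|
    if group.last_owner?(user) && level < OWNER
      retained << user                 # demotion would leave no owner
    else
      group.members[user] = level
    end
  end
  # Remove members the directory no longer lists, except the last owner.
  (group.members.keys - ldap_access.keys).each do |user|
    if group.last_owner?(user)
      retained << user                 # stays until another owner exists
    else
      group.members.delete(user)
    end
  end
  retained
end

if __FILE__ == $PROGRAM_NAME
  group = Group.new("eng", { "alice" => OWNER })   # constructed sample data
  p sync_group(group, { "bob" => DEVELOPER })      # alice is retained
  p sync_group(group, { "bob" => OWNER })          # alice is now removed
  p group.members
end
```

A non-empty return value is worth logging or alerting on: it marks a group whose only owner is no longer authorised by the directory.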
