Added ldap config setting to lower case usernames

changelogs/unreleased/fj-22607-lowercase-usernames-from-ldap.yml

+---
+title: Added ldap config setting to lower case the username
+merge_request: 16791
+author:
+type: added

config/gitlab.yml.example

@@ -370,6 +370,9 @@ production: &base
           first_name: 'givenName'
           last_name:  'sn'
+        # If lowercase_usernames is enabled, GitLab will lower case the username.
+        lowercase_usernames: false
+
       # GitLab EE only: add more LDAP servers
       # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
       # so that GitLab can remember which LDAP server a user belongs to.

config/initializers/1_settings.rb

@@ -151,6 +151,7 @@ if Settings.ldap['enabled'] || Rails.env.test?
     server['allow_username_or_email_login'] = false if server['allow_username_or_email_login'].nil?
     server['active_directory'] = true if server['active_directory'].nil?
     server['attributes'] = {} if server['attributes'].nil?
+    server['lowercase_usernames'] = false if server['lowercase_usernames'].nil?
     server['provider_name'] ||= "ldap#{key}".downcase
     server['provider_class'] = OmniAuth::Utils.camelize(server['provider_name'])

doc/administration/auth/ldap.md

@@ -181,6 +181,10 @@ main: # 'main' is the GitLab 'provider ID' of this LDAP server
     first_name: 'givenName'
     last_name:  'sn'
+  # If lowercase_usernames is enabled, GitLab will lower case the username.
+  lowercase_usernames: false
+
+
   ## EE only
   # Base where we can search for groups
@@ -290,6 +294,41 @@ In other words, if an existing GitLab user wants to enable LDAP sign-in for
 themselves, they should check that their GitLab email address matches their
 LDAP email address, and then sign into GitLab via their LDAP credentials.
+## Enabling LDAP username lowercase
+
+Some LDAP servers, depending on their configurations, can return uppercase usernames. This can lead to several confusing issues like, for example, creating links or namespaces with uppercase names.
+
+GitLab can automatically lowercase usernames provided by the LDAP server by enabling
+the configuration option `lowercase_usernames`. By default, this configuration option is `false`.
+
+**Omnibus configuration**
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+  ```ruby
+  gitlab_rails['ldap_servers'] = YAML.load <<-EOS
+  main:
+    # snip...
+    lowercase_usernames: true
+  EOS
+  ```
+
+2. [Reconfigure GitLab](../restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect.
+
+**Source configuration**
+
+1. Edit `config/gitlab.yaml`:
+
+  ```yaml
+  production:
+    ldap:
+      servers:
+        main:
+          # snip...
+          lowercase_usernames: true
+  ```
+2. [Restart GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect.
+
 ## Encryption
 ### TLS Server Authentication

lib/gitlab/ldap/auth_hash.rb

@@ -7,6 +7,12 @@ module Gitlab
         @uid ||= Gitlab::LDAP::Person.normalize_dn(super)
       end
+      def username
+        super.tap do |username|
+          username.downcase! if ldap_config.lowercase_usernames
+        end
+      end
+
       private
       def get_info(key)

lib/gitlab/ldap/config.rb

@@ -139,6 +139,10 @@ module Gitlab
         options['allow_username_or_email_login']
       end
+      def lowercase_usernames
+        options['lowercase_usernames']
+      end
+
       def name_proc
         if allow_username_or_email_login
           proc { |name| name.gsub(/@.*\z/, '') }

lib/gitlab/ldap/person.rb

@@ -82,7 +82,9 @@ module Gitlab
         # be returned. We need only one for username.
         # Ex. `uid` returns only one value but `mail` may
         # return an array of multiple email addresses.
-        [username].flatten.first
+        [username].flatten.first.tap do |username|
+          username.downcase! if config.lowercase_usernames
+        end
       end
       def email

spec/lib/gitlab/ldap/auth_hash_spec.rb

 require 'spec_helper'
 describe Gitlab::LDAP::AuthHash do
+  include LdapHelpers
+
   let(:auth_hash) do
     described_class.new(
       OmniAuth::AuthHash.new(
@@ -83,4 +85,26 @@ describe Gitlab::LDAP::AuthHash do
       end
     end
   end
+
+  describe '#username' do
+    context 'if lowercase_usernames setting is' do
+      let(:given_uid) { 'uid=John Smith,ou=People,dc=example,dc=com' }
+
+      before do
+        raw_info[:uid] = ['JOHN']
+      end
+
+      it 'enabled the username attribute is lower cased' do
+        stub_ldap_config(lowercase_usernames: true)
+
+        expect(auth_hash.username).to eq 'john'
+      end
+
+      it 'disabled the username attribute is not lower cased' do
+        stub_ldap_config(lowercase_usernames: false)
+
+        expect(auth_hash.username).to eq 'JOHN'
+      end
+    end
+  end
 end

spec/lib/gitlab/ldap/person_spec.rb

@@ -139,6 +139,27 @@ describe Gitlab::LDAP::Person do
         expect(person.username).to eq(attr_value)
       end
     end
+
+    context 'if lowercase_usernames setting is' do
+      let(:username_attribute) { 'uid' }
+
+      before do
+        entry[username_attribute] = 'JOHN'
+        @person = described_class.new(entry, 'ldapmain')
+      end
+
+      it 'enabled the username attribute is lower cased' do
+        stub_ldap_config(lowercase_usernames: true)
+
+        expect(@person.username).to eq 'john'
+      end
+
+      it 'disabled the username attribute is not lower cased' do
+        stub_ldap_config(lowercase_usernames: false)
+
+        expect(@person.username).to eq 'JOHN'
+      end
+    end
   end
   def assert_generic_test(test_description, got, expected)