Gitlab seems to have a pretty critical bug regarding LDAP accounts. The issue is brought up with Gitlab a lot, but the reports sit idle for now. In practice this means you cannot start your organization on Gitlab with local users and then switch to LDAP when your company matures, and you cannot rebuild your LDAP/FreeIPA/ActiveDirectory instance and map the same accounts back in through Gitlab.
It looks like Gitlab leaves artifacts of the existing user behind in its database, so a new LDAP entry for the same person can never be mapped in. It is not a race condition: the application log quoted below shows a plain uniqueness conflict on the e-mail address.
This bug impacts the gitlab-ce-10.3.3-ce.0.el7.x86_64 omnibus installation.
Steps to reproduce
- Create user jon with email firstname.lastname@example.org
- Set up a FreeIPA 4.5.0 LDAP server with the same username and password.
- Rename jon to jonold in the Gitlab CE admin area and change his e-mail address to email@example.com
- Try to log in as 'jon' using LDAP and you will get:
Could not authenticate you from Ldapmain because "Undefined method `provider' for nil:nilclass".
You can check the users table to see what the renamed local account looks like. Note the `email` column in the record below: as captured here it still holds firstname.lastname@example.org, the same address the LDAP entry carries, while only `notification_email` shows the new address. That is exactly the conflict the application log complains about further down.
```
\x
select * from users where id = '2';
-[ RECORD 2 ]----------+-------------------------------------------------------------
username               | jonold
id                     | 2
email                  | firstname.lastname@example.org
encrypted_password     | xxxx
reset_password_token   |
reset_password_sent_at |
remember_created_at    |
sign_in_count          | 8
current_sign_in_at     | 2018-01-26 22:12:33.258934
last_sign_in_at        | 2018-01-26 18:02:28.898503
current_sign_in_ip     | 126.96.36.199
last_sign_in_ip        | 188.8.131.52
created_at             | 2018-01-10 22:14:20.374668
updated_at             | 2018-01-26 22:13:41.275444
name                   | Administrator
admin                  | t
projects_limit         | 100000
notification_email     | email@example.com
```
However, try to log in as the fresh LDAP user (uid=jon.k) and the Web UI only shows a generic error; /var/log/gitlab/gitlab-rails/application.log will quickly tell you why:
```
January 26, 2018 16:27: (LDAP) Error saving user uid=jon.k,cn=users,cn=accounts,dc=gvoperations,dc=com (firstname.lastname@example.org): ["Email has already been taken"]
```
What to do about it?
I'm still researching a solution, but it seems like Gitlab just has poor support until some code changes are done. There are no tools in their framework, and it's likely an e-mail address in some table somewhere that needs to be fixed.
There are Gitlab bug reports about this issue that are 2+ years old:
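As a starting point for that search, here is a set of diagnostic queries to run inside `gitlab-psql` on the omnibus host. This is an added example, not code from the original post or from Gitlab itself; the table and column names (`users`, `emails`, `identities`) are Gitlab's own, the e-mail address and LDAP DN are the placeholders from the write-up above, and the idea that a renamed account can leave its old address behind as a secondary e-mail in the `emails` table is my assumption, not something the post verified.

```sql
-- Added example, not from the original post. Run inside gitlab-psql.
-- Replace the address and the DN with your own values.
\x

-- 1. Who owns the address as a primary e-mail? This is the users.email
--    column, which is what the "Email has already been taken" validation
--    trips over, regardless of what notification_email says.
SELECT id, username, email, notification_email, admin, state
FROM users
WHERE lower(email) = lower('firstname.lastname@example.org');

-- 2. Is the address lingering as a secondary e-mail? Gitlab keeps those in
--    the emails table; a rename or address change in the admin area does not
--    necessarily remove the old one (assumption, see lead-in).
SELECT e.id, e.user_id, u.username, e.email
FROM emails e
JOIN users u ON u.id = e.user_id
WHERE lower(e.email) = lower('firstname.lastname@example.org');

-- 3. Does any user already carry an LDAP identity for this DN? A stale row
--    here, possibly pointing at a user that no longer exists, would also
--    stop the new LDAP entry from being mapped in.
SELECT i.id, i.user_id, u.username, i.provider, i.extern_uid
FROM identities i
LEFT JOIN users u ON u.id = i.user_id
WHERE i.provider = 'ldapmain'
  AND lower(i.extern_uid) = lower('uid=jon.k,cn=users,cn=accounts,dc=gvoperations,dc=com');
```

Each hit tells you where the address or DN is still held. A hit on query 1 means the old local account still owns the address as its primary e-mail and must be given a different one before the LDAP user can be created; a hit on query 2 means the address survives as a secondary e-mail on the old account; a hit on query 3 with a NULL username means an orphaned LDAP identity. Take a database backup before changing any of these rows by hand.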
I'm going to try to get some time this weekend to look at the Ruby code and might have a patch available to work around this issue.