Logging into GitLab using LDAP
Recently, we deployed a GitLab instance, and my colleague discovered that when he logged in using our LDAP service account credentials, he ended up logging in as me; i.e., two different LDAP users with two pairs of usernames/passwords end up being the same user.
I didn’t want that to be the case, so I dug into this a bit. Using ldapsearch with the sAMAccountName attribute resulted in two users (correct), and the gitlab-rake gitlab:ldap:check output proved similarly unhelpful, so I filed an issue.
Very quickly, I got a response that clued me to the problem. On our LDAP, we had two accounts bearing the same
"GitLab assumes that LDAP users have unique email addresses, otherwise it is possible for LDAP users with the same email address to share the same GitLab account."
This from https://docs.gitlab.com/ee/administration/auth/ldap.html#security.
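The quoted rule is easy to check before (or after) wiring GitLab up to a directory: dump sAMAccountName and mail for every user and look for a mail value that appears under more than one account. The script below is an added example, not code from the post or from GitLab. It reads LDIF of the kind ldapsearch prints (for example ldapsearch -x -LLL -b "DC=example,DC=com" "(objectClass=user)" sAMAccountName mail > users.ldif) and reports shared addresses; the LDIF embedded in it is constructed sample data, and the case-insensitive comparison of addresses is this script's own choice, on the grounds that two entries differing only in letter case are the kind of collision you want to see.

```python
"""Report LDAP users that share an e-mail address.

Added example (not from the original post). GitLab maps LDAP users onto
GitLab accounts by e-mail, so two directory entries with the same mail
attribute collapse into one GitLab account. Run with a file argument
(LDIF from ldapsearch) or with no argument to use the constructed sample.
"""
import sys
from collections import defaultdict

# Constructed sample LDIF, shaped like the output of
#   ldapsearch -x -LLL -b "DC=example,DC=com" "(objectClass=user)" sAMAccountName mail
# The accounts and addresses are invented for this example.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
sAMAccountName: alice
mail: alice@example.com

dn: CN=svc-gitlab,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-gitlab
mail: alice@example.com

dn: CN=Bob Example,OU=Users,DC=example,DC=com
sAMAccountName: bob
mail: Bob@Example.com

dn: CN=No Mail,OU=Users,DC=example,DC=com
sAMAccountName: nomail
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values.

    Handles blank-line entry separators, '#' comment lines and folded
    continuation lines (a leading space). Base64 values ('attr:: ...') are
    not decoded; run ldapsearch with -o ldif-wrap=no and ASCII attributes,
    or extend this function, if you need them.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # folded line: append to previous value
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip(), value.lstrip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def duplicate_mails(entries):
    """Return {mail: [sAMAccountName, ...]} for addresses used by more than one account.

    Addresses are compared case-insensitively (this script's choice, see the
    lead-in). Entries with no sAMAccountName or no mail attribute are skipped,
    since they cannot collide on e-mail.
    """
    by_mail = defaultdict(list)
    for entry in entries:
        names = entry.get("sAMAccountName")
        if not names:
            continue
        for mail in entry.get("mail", []):
            by_mail[mail.strip().lower()].append(names[0])
    return {mail: users for mail, users in by_mail.items() if len(users) > 1}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDIF
    dupes = duplicate_mails(parse_ldif(text))
    for mail, users in sorted(dupes.items()):
        print(f"{mail}: shared by {', '.join(users)}")
    # Non-zero exit makes this usable as a pre-flight check in a script.
    return 1 if dupes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample data the script flags alice@example.com as shared by alice and svc-gitlab, which is exactly the situation described above: the service account and a person would sign in as the same GitLab user until one of the two mail attributes is corrected.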
This gels with my experience with GitLab so far. The technical documentation is excellent; it just works. And now I can say that my personal support experience was similarly great.
TLDR: not a bug; correcting the email attributes resolved the issue I faced.