LDAP attributes are migrated on import when LDAP is not configured on target instance
Summary
LDAP user attributes are migrated when imported from a file export. This results in user memberships on the imported instance being locked, unless LDAP is reconfigured on the imported instance and the override attribute changed (only works if LDAP is enabled). Otherwise, users must be removed from groups/projects and re-invited - this will destroy the membership record with the inappropriate LDAP attributes.
We should likely not be importing these attributes if the destination instance does not have LDAP configured, or it is not possible to configure it (such as GitLab.com).
Steps to reproduce
- Configure an instance with users who have memberships managed via LDAP.
- Configure the same users (username/emails/public emails) on the target instance.
- Export the group where these users have LDAP managed memberships.
- Import the group on the target instance.
If you configured the users on the target instance correctly, their memberships should be appropriately mapped. You will notice their membership cannot be edited by any user (missing dropdown/403 via API) due to the override: false attribute on their membership records.
What is the current bug behavior?
LDAP attributes are imported for user accounts on destination instance, resulting in locked memberships even if LDAP is not enabled.
What is the expected correct behavior?
LDAP attributes are not imported for user accounts on destination instances when LDAP is not enabled or configurable (GitLab.com).
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
GitLab information
Version: 17.5.2-ee
Revision: 9811944b476
Directory: /opt/gitlab/embedded/service/gitlab-rails
DB Adapter: PostgreSQL
DB Version: 14.11
Elasticsearch: no
Geo: no
Using LDAP: yes
Using Omniauth: yes
Omniauth Providers: