
GitLab Omnibus LDAP User Mismatch After OU Change

This is way out of date now

The information in this post is so out-dated that I wonder why I'm keeping it around. I guess I'm a digital hoarder...

Disclaimer

As always, use documents you find on blogs at your own risk. This worked for me. It may not work for you.

Also, make sure you have good backups before you go poking around in the GitLab database.

Issues

The main issue was that after an LDAP server migration, my user's OU changed but the username did not.

The secondary issue was that I'd locked my local admin account in GitLab and had no other admin-level users to get eyes into the settings on the GitLab web interface.

EXAMPLE

  • User Pre LDAP Move
      • username = someuser
      • cn=Some User,ou=Users,dc=example,dc=com

  • User Post LDAP Move
      • username = someuser
      • uid=someuser,ou=People,dc=example,dc=com

I'd originally thought that since my username did not change, I'd be golden. I could just log back in and everything would be as it was...

Not so. There is an attribute for each user that is set upon initial LDAP login called 'LDAP uid:'. You can see this attribute and its value in the 'Admin area' -> 'Users' -> 'Username' section of your GitLab instance.

Since my user now had a new OU, GitLab saw it as a new user.

Steps Towards Resolution

I'll start with the secondary issue.

The admin account is locked and you have no other admins that can unlock it for you. In my case, since LDAP auth was working, I created a temporary user in my LDAP (called tempuser) and logged into GitLab with that user.

This created the user in the Database. Now I could modify the user from the DB side and make it an admin.

First, we need to get into the DB:

gitlab-rails dbconsole

From there I found the new user, and updated the 'admin' column in the 'users' table for said user.

gitlabhq_production=> UPDATE users SET admin = 't' WHERE username = 'tempuser';

Now, for the 'LDAP uid' issue, an update to the 'identities' table was needed. First you need to find your user in the table and make note of the 'id'.

SELECT * FROM identities;


## Output trimmed to fit here

 id |                extern_uid                 | provider |
----+-------------------------------------------+----------+
  1 | cn=Some User,ou=Users,dc=example,dc=com | ldapmain

We can see 'id' is 1 in this table for the user I want to modify.

UPDATE identities SET extern_uid = 'uid=someuser,ou=People,dc=example,dc=com' WHERE id=1;

Take a look at identities to confirm the change happened.

SELECT * FROM identities;


## Output trimmed to fit here

 id |                extern_uid                 | provider |
----+-------------------------------------------+----------+
  1 | uid=someuser,ou=People,dc=example,dc=com | ldapmain

Then exit out of the console:

\q

After updating that column in the table, I was able to log in successfully as my old user.
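The same identity remap, as an added example that is not from the original post, done as one guarded transaction: it first looks up the identity row by joining to 'users' (so the 'id' is confirmed rather than guessed), then matches on the old DN and provider instead of a bare id, and aborts if anything other than exactly one row would change. It assumes the same DNs and the 'ldapmain' provider shown above.

```sql
-- Added example, not from the original post. Run inside `gitlab-rails dbconsole` (psql).
-- Assumes the DNs and the 'ldapmain' provider used above.

-- 1. Confirm which identity row belongs to the account before touching anything.
--    Joining to users shows the username next to the DN, so the 'id' is verified, not guessed.
SELECT i.id, i.user_id, u.username, i.provider, i.extern_uid
  FROM identities i
  JOIN users u ON u.id = i.user_id
 WHERE u.username = 'someuser';

-- 2. Remap the DN inside one transaction. Matching on the old DN and provider (rather than
--    a bare numeric id) and insisting on exactly one affected row means a typo, or a second
--    LDAP provider, rolls everything back instead of silently repointing the wrong identity.
BEGIN;

DO $$
DECLARE
  affected integer;
BEGIN
  UPDATE identities
     SET extern_uid = 'uid=someuser,ou=People,dc=example,dc=com'
   WHERE provider   = 'ldapmain'
     AND extern_uid = 'cn=Some User,ou=Users,dc=example,dc=com';

  GET DIAGNOSTICS affected = ROW_COUNT;
  IF affected <> 1 THEN
    -- 0 rows usually means the old DN is not what you think it is; if the UPDATE itself
    -- errors, check whether GitLab already auto-created a second account for the new DN.
    RAISE EXCEPTION 'expected to change exactly 1 identity row, matched %', affected;
  END IF;
END
$$;

-- 3. Re-check while still inside the transaction; \q (or an explicit ROLLBACK) before
--    COMMIT discards the change.
SELECT id, provider, extern_uid
  FROM identities
 WHERE extern_uid = 'uid=someuser,ou=People,dc=example,dc=com';

COMMIT;
```

The same BEGIN / guarded UPDATE / re-check / COMMIT pattern applies to the 'admin' flag change on the 'users' table earlier in the post.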