gitlab-ce-ldap-sync
Updating a user's email address fails with: "public_email" is not an email you own

If a user who has already been synchronised changes their email address in the directory, resynchronising them will fail with Gitlab throwing the error message:

`"public_email" is not an email you own`
This occurs right here on line 1190 of "LdapSyncCommand.php":

```php
!$this->dryRun ? ($gitlabUser = $gitlab->api("users")->update($gitlabUserId, [
    // "username" => $gitlabUserName,
    // No point updating that. ^
    // If the UID changes so will that bit of the DN anyway, so this can't be detected with a custom attribute containing the Gitlab user ID written back to user's LDAP object.
    "reset_password"    => false,
    "name"              => $ldapUserDetails["fullName"],
    "extern_uid"        => $ldapUserDetails["dn"],
    "provider"          => $gitlabConfig["ldapServerName"],
    "public_email"      => $ldapUserDetails["email"],
    "admin"             => $ldapUserDetails["isAdmin"],
    "can_create_group"  => $ldapUserDetails["isAdmin"],
    "skip_confirmation" => true,
    "external"          => $ldapUserDetails["isExternal"],
])) : $this->logger->warning("Operation skipped due to dry run.");
$usersSync["update"][$gitlabUserId] = $gitlabUserName;
```

Specifically `"public_email" => $ldapUserDetails["email"],`.
The problem is that you can't set a user's public email address to an email address that isn't already registered to their account on your Gitlab instance. This could be corrected by adjusting the Gitlab user's primary email address by changing "public_email" to "email", though this comes with drawbacks:
- You cannot adjust "email" and "public_email" in one call to avoid this error. Either two `update()` calls are required, or a `get()` call must be performed first with a check to determine if a 2nd `update()` is necessary. Not doing this just means that the user's publicly visible email address would not be updated.
- If the new email address for this Gitlab user has already been used by another Gitlab user the `update()` will fail due to a unique constraint violation. Recursive action would be necessary to resolve conflicts in advance. (This problem can also apply to users newly synchronising into Gitlab.)
--
Just taking note of this issue so I don't forget it, and I'm open to hearing if anyone else has had this issue already and what you think would be best to resolve it.
Looks like we have confirmation that for creating users changing the key "public_email" to "email" works. https://github.com/Adambean/gitlab-ce-ldap-sync/issues/27#issuecomment-1077427013
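As an added illustration of the two-step approach discussed above (this is example code, not part of gitlab-ce-ldap-sync), the function below works out which `update()` payloads are needed for an already-synchronised user: it first checks for the unique-constraint conflict, then changes the primary "email" so the address becomes one the user owns, and only then sets "public_email". The `planEmailSync` name, the in-memory user list and the sample addresses are constructed for the demo.

```php
<?php
// Added example, not code from gitlab-ce-ldap-sync. Returns the ordered list of
// payloads for $gitlab->api("users")->update(): "email" first (so GitLab treats
// the address as owned), "public_email" second. A conflicting account is reported
// instead of being sent to the API, since that update() would violate the unique
// constraint on email addresses.
function planEmailSync(array $gitlabUser, array $allGitlabUsers, string $ldapEmail): array
{
    $wanted = strtolower(trim($ldapEmail));
    foreach ($allGitlabUsers as $other) {
        if ($other['id'] !== $gitlabUser['id']
            && strtolower($other['email'] ?? '') === $wanted) {
            return ['conflictWithUserId' => $other['id'], 'updates' => []];
        }
    }
    $updates = [];
    if (strtolower($gitlabUser['email'] ?? '') !== $wanted) {
        // Primary address changes first; skip_confirmation as in the sync command.
        $updates[] = ['email' => $wanted, 'skip_confirmation' => true];
    }
    if (strtolower($gitlabUser['public_email'] ?? '') !== $wanted) {
        // Only now is $wanted "an email you own", so public_email may be set.
        $updates[] = ['public_email' => $wanted];
    }
    return ['conflictWithUserId' => null, 'updates' => $updates];
}

// Constructed sample data standing in for a users list fetched from GitLab and
// the get() result for the user being resynchronised.
$users = [
    ['id' => 7,  'email' => 'alice@old.example', 'public_email' => 'alice@old.example'],
    ['id' => 12, 'email' => 'bob@example.com',   'public_email' => ''],
];
$alice = $users[0];

foreach (['alice@new.example', 'bob@example.com'] as $ldapEmail) {
    $plan = planEmailSync($alice, $users, $ldapEmail);
    if ($plan['conflictWithUserId'] !== null) {
        printf("%s: conflicts with GitLab user %d, skipping\n", $ldapEmail, $plan['conflictWithUserId']);
        continue;
    }
    // In the real command each payload would become one update($gitlabUserId, $payload) call.
    foreach ($plan['updates'] as $i => $payload) {
        printf("%s: update() call %d -> %s\n", $ldapEmail, $i + 1, json_encode($payload));
    }
}
```

The second sample address shows the unique-constraint case: the plan contains no API calls and names the account that already owns the address, which is the conflict the issue says must be resolved before synchronising.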