
Gitlab LDAP sync script tries to remove "bot" users from groups.

Open TafkaMax opened this issue 1 year ago • 8 comments

The Gitlab LDAP sync script currently tries to remove "bot users" that are created when adding an access_token from non-LDAP groups. Maybe even from groups that are also present in LDAP.

https://gitlab.example.com/groups/<GROUPNAME>/-/settings/access_tokens

TafkaMax avatar Jan 22 '24 16:01 TafkaMax

[notice] Deleting extra group members...
[info] Deleting user #132 "REDACTED" from group #1019 "REDACTED" [REDACTED].
[error] Gitlab failure: 403 Forbidden

TafkaMax avatar Jan 22 '24 16:01 TafkaMax

image

When adding an access token to a group, a bot user is created there. So a check is necessary to see if the user is a bot.

TafkaMax avatar Jan 24 '24 08:01 TafkaMax

I've not looked yet, but I suspect the users API will be able to reveal if a user is a bot. We could then exclude bot users from deletions.

(I noticed this happening at our corporate Gitlab too, though I've only ever needed to run the tool once here so far.)

AdamReece-WebBox avatar Jan 25 '24 09:01 AdamReece-WebBox
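One way to implement the exclusion suggested above, as an added Python example that is not the project's own code (the tool itself is not written in Python). It assumes the user records returned by the GitLab Users API carry a boolean `bot` attribute, falls back on the `group_<id>_bot_<suffix>` / `project_<id>_bot_<suffix>` username convention when that attribute is absent (both assumptions here), and the member records are constructed sample data.

```python
import re
from typing import Iterable, List

# Assumption: the GitLab Users API exposes a boolean "bot" attribute per user.
# Fallback (also an assumption): access-token bot accounts are named
# group_<id>_bot_<suffix> or project_<id>_bot_<suffix>.
BOT_USERNAME_RE = re.compile(r"^(group|project)_\d+_bot_\w+$")


def is_bot_user(user: dict) -> bool:
    """Return True when a GitLab user record describes a bot account."""
    if "bot" in user:
        # Trust the API attribute whenever it is present.
        return user["bot"] is True
    # Older records without the attribute: fall back to the naming convention.
    return bool(BOT_USERNAME_RE.match(user.get("username", "")))


def extra_members_to_remove(members: Iterable[dict], ldap_usernames: set) -> List[dict]:
    """Group members absent from LDAP that the sync may delete, bots excluded.

    Skipping bots avoids the 403 Forbidden seen when the sync tries to remove
    the account that backs a group access token.
    """
    return [
        m for m in members
        if m["username"] not in ldap_usernames and not is_bot_user(m)
    ]


# Constructed sample data (not taken from the issue).
SAMPLE_MEMBERS = [
    {"id": 132, "username": "group_1019_bot_3f9a", "bot": True},   # token bot
    {"id": 57, "username": "jdoe", "bot": False},                   # still in LDAP
    {"id": 58, "username": "left_company", "bot": False},           # gone from LDAP
    {"id": 201, "username": "project_44_bot_0c1d"},                 # no "bot" field
]
SAMPLE_LDAP_USERNAMES = {"jdoe"}

if __name__ == "__main__":
    for m in extra_members_to_remove(SAMPLE_MEMBERS, SAMPLE_LDAP_USERNAMES):
        print(f'[info] Deleting user #{m["id"]} "{m["username"]}" from group.')
```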

Reformatted the title. I first noticed it with groups that did not match an LDAP group name. But it is happening with all groups.

TafkaMax avatar Jan 25 '24 11:01 TafkaMax