[LDAP] Username changing #9390

Open
2 of 7 tasks
Perflyst opened this issue Dec 17, 2019 · 6 comments
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented topic/authentication type/bug

Comments

@Perflyst

  • Gitea version (or commit ref): 1.10.1
  • Git version: 2.11.0
  • Operating system: Debian 10
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

Changing the username in LDAP does not change the username in Gitea.
If I change the username in LDAP, the user also cannot log in anymore because the mail address needs to be unique.

@stale

stale bot commented Feb 15, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale stale bot added the issue/stale label Feb 15, 2020
@lunny lunny added the type/bug label Feb 16, 2020
@stale stale bot removed the issue/stale label Feb 16, 2020
@stale

stale bot commented Apr 16, 2020

This issue has been automatically marked as stale because it has not had recent activity. I am here to help clear issues left open even if solved or waiting for more insight. This issue will be closed if no further activity occurs during the next 2 weeks. If the issue is still valid just add a comment to keep it alive. Thank you for your contributions.

@stale stale bot added the issue/stale label Apr 16, 2020
@Perflyst
Author

still valid

@stale stale bot removed the issue/stale label Apr 17, 2020
@lunny lunny added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label May 4, 2020
@bgellert

bgellert commented Mar 5, 2021

Hello,
I'm new here. I don't know if I should open a new ticket, as our problem is very similar:

Gitea Version: 1.13.2
Database: MySQL
OS: Ubuntu 20.04
git version: 2.25.1
gitea.log

2021/03/05 14:42:33 ...es/auth/ldap/ldap.go:178:bindUser() [D] LDAP auth. failed for CN=User Name, ..., DC=CORP,DC=LOCAL, reason: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839\003d
2021/03/05 14:42:33 routers/user/auth.go:177:SignInPost() [I] Failed authentication attempt for user@mail.com from xxx.xx.xx.xx: user does not exist [uid: 0, name: user.name, keyid: 0]

LDAP settings
Auth Type: LDAP (via BindDN)
Security Protocol: Unencrypted

  • Verify group membership in LDAP
  • Use Paged Search
  • Fetch Attributes in Bind DN Context
  • Allow an empty search result to deactivate all users
  • Enable User Synchronisation
  • This Auth Source is Activated

@bgellert

Hi,
I take it all back, it was apparently an issue on our side. We have multiple AD instances (don't ask me why) and the sync between them was not working properly.
It is all good now!
cheers

@jdoe0000000

I'm having the same problem. Looking through the code, it looks like Gitea isn't storing the user's DN anywhere when an LDAP user logs in for the first time. If the username changes, there's no way it can figure out that it's still the same user, so it will try to create a new local user (which will fail unless the user also changed the email).

One solution I can think of is to add a field to the User struct to store the DN. When an LDAP user logs in for the first time, the DN would be stored in the local database. If the username changes, Gitea will be able to see that the DN matches an existing user.
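
Added example (not Gitea's code and not written by anyone in this thread): a Go program showing the lookup proposed in the comment above. Accounts are resolved by a stored, normalized DN, so a changed username updates the existing account, while a different directory entry that reuses a name or email is refused instead of being linked to it. `User`, `Store`, `SignIn`, `ExternalDN` and the sample identities are hypothetical, and the example assumes the entry's DN stays the same when the username attribute changes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User is a hypothetical local account row; ExternalDN is the proposed new field.
type User struct {
	ID                      int64
	Name, Email, ExternalDN string
}

type Store struct{ byDN map[string]*User } // in-memory stand-in for the user table
var ErrConflict = errors.New("name or email belongs to a different account")

// normalizeDN is a simplified comparison form; escaped commas are not handled.
func normalizeDN(dn string) string {
	parts := strings.Split(dn, ",")
	for i, p := range parts {
		parts[i] = strings.ToLower(strings.TrimSpace(p))
	}
	return strings.Join(parts, ",")
}

// SignIn runs after a successful LDAP bind, with the entry's DN and attributes.
func (s *Store) SignIn(dn, name, email string) (*User, error) {
	key := normalizeDN(dn)
	linked := s.byDN[key] // same directory entry, whatever it is called now
	for _, u := range s.byDN {
		if u != linked && (strings.EqualFold(u.Name, name) || strings.EqualFold(u.Email, email)) {
			return nil, ErrConflict // never attach to an account by name or email alone
		}
	}
	if linked == nil {
		linked = &User{ID: int64(len(s.byDN) + 1), ExternalDN: key}
		s.byDN[key] = linked
	}
	linked.Name, linked.Email = name, email // follow the rename
	return linked, nil
}

func main() {
	s := &Store{byDN: map[string]*User{}}
	s.SignIn("CN=Alice Example,OU=Staff,DC=example,DC=test", "alice", "alice@example.test")
	u, err := s.SignIn("cn=Alice Example, ou=Staff, dc=example, dc=test", "alice.e", "alice@example.test")
	fmt.Println(u.ID, u.Name, err) // constructed sample identities
}
```

Where the directory changes the DN on rename, the same lookup works with an immutable per-entry attribute such as `entryUUID` or Active Directory's `objectGUID` in place of the DN.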
