Gitlab LDAP users get blocked when they pull/clone repositories after their DN changed in Active Directory. Users must login via gitlab webfrontend to get unblocked. When pulling / cloning a repository gitlab just queries a local copy of the saved DN called extern_uid against AD. Since DN changed AD responce with no match. When using the webfrontend gitlab is using the credentials to check if AD accepts them without using the extern_uid. When AD accepts these credentials gitlab will take the DN and update extern_uid and unblock the user.
This behaviour causes confusion and is kind of annoying. The enterprise edition of gitlab is syncing the extern_uid with the actual DN. In the community edition there is nothing like that. I wrote a rake task that is syncing the extern_uid since i didn't want to bother arround 130 people logging in to gitlab after a AD change...
add the rake task
sudo curl https://raw.githubusercontent.com/derJD/gitlab_update_ldap_dn/master/jd.rake -fo /opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/jd.rake
run task in noop
sudo gitlab-rake gitlab:jd:update_ldap_dn
run task and realy update DN
sudo UPDATE_DN="yes" gitlab-rake gitlab:jd:update_ldap_dn