
GitLab LDAP users get blocked when they pull or clone repositories after their DN has changed in Active Directory. Users must log in via the GitLab web frontend to get unblocked. When a user pulls or clones a repository, GitLab only queries AD for a locally saved copy of the DN, called extern_uid. Since the DN has changed, AD responds with no match. When the web frontend is used, GitLab checks whether AD accepts the credentials, without using extern_uid. When AD accepts these credentials, GitLab takes the DN, updates extern_uid and unblocks the user.

This behaviour causes confusion and is kind of annoying. The Enterprise Edition of GitLab syncs extern_uid with the actual DN. In the Community Edition there is nothing like that. I wrote a rake task that syncs extern_uid since I didn't want to bother around 130 people with logging in to GitLab after an AD change...

rake task


  • add the rake task

    sudo curl -fo /opt/gitlab/embedded/service/gitlab-rails/lib/tasks/gitlab/jd.rake

  • run the task in noop mode

    sudo gitlab-rake gitlab:jd:update_ldap_dn

  • run the task and really update the DN

    sudo UPDATE_DN="yes" gitlab-rake gitlab:jd:update_ldap_dn
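The rake task's source is not reproduced on this page. As an added example (not the author's task and not GitLab code), the Ruby script below models the stale extern_uid comparison and a sync that stays in noop mode unless UPDATE_DN="yes" is set. The lookup by username, the sample data and all function names are assumptions, and nothing in it talks to GitLab or LDAP.

```ruby
# Added example: models extern_uid drift and a dry-run-gated sync.
# All data below is constructed; nothing here calls GitLab or LDAP.

# Constructed directory snapshot after an OU move: login name => current DNs.
DIRECTORY = {
  'alice' => ['CN=Alice Example,OU=Engineering,DC=corp,DC=example'],
  'bob'   => ['CN=Bob Example,OU=Staff,DC=corp,DC=example'],
  'carol' => ['CN=Carol A,OU=Staff,DC=corp,DC=example',
              'CN=Carol B,OU=Sales,DC=corp,DC=example'] # ambiguous match
}.freeze

# Constructed local identities as the application stored them before the move.
def sample_identities
  [
    { username: 'alice', extern_uid: 'cn=alice example,ou=staff,dc=corp,dc=example' },
    { username: 'bob',   extern_uid: 'cn=bob example, ou=staff, dc=corp, dc=example' },
    { username: 'carol', extern_uid: 'cn=carol,ou=staff,dc=corp,dc=example' },
    { username: 'dave',  extern_uid: 'cn=dave example,ou=staff,dc=corp,dc=example' }
  ]
end

# Simplified DN normalisation: lower-case, trim spaces around RDN separators.
# Assumes no escaped commas in values.
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.split('=', 2).map(&:strip).join('=') }.join(',').downcase
end

# Returns one decision per identity; writes only when apply is true.
def sync_extern_uids(identities, directory, apply: false)
  identities.map do |id|
    matches = directory.fetch(id[:username], [])
    action =
      if matches.empty? then :not_in_directory      # leave for manual review
      elsif matches.size > 1 then :ambiguous         # never guess which DN
      elsif normalize_dn(matches.first) == normalize_dn(id[:extern_uid]) then :in_sync
      else :stale
      end
    if action == :stale && apply
      id[:extern_uid] = normalize_dn(matches.first)
      action = :updated
    end
    { username: id[:username], action: action }
  end
end

if __FILE__ == $PROGRAM_NAME
  apply = ENV['UPDATE_DN'] == 'yes' # same opt-in switch the page uses
  sync_extern_uids(sample_identities, DIRECTORY, apply: apply).each do |r|
    puts format('%-6s %s', r[:username], r[:action])
  end
end
```

Identities with no directory match or more than one match are reported but never rewritten, so a bulk sync cannot bind a local account to the wrong directory entry.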

Last update: March 22, 2021