About LDAP user login with the same mail address


LDAP users with the same mail address cannot log in individually.

The LDAP login setting is enabled.
For example, the following users exist in LDAP.
・ldap_user#1 uid=aaa, mail=hoge@test.com
・ldap_user#2 uid=bbb, mail=hoge@test.com

  • They have the same mail address

First, if “aaa” logs in via LDAP, the account “aaa” will be created.
Next, if “bbb” logs in via LDAP, the account information becomes “aaa”.

When “bbb” logs in, will the account not be created as “bbb”?
Or can it not be an error such as “duplicate mail address”?

[gitlab.rb Setting]

gitlab_rails['ldap_enabled'] = true
gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main: # 'main' is the GitLab 'provider ID' of this LDAP server
    label: 'LDAP'
    host: 'host_ip'
    port: 389
    uid: 'sAMAccountName'
    bind_dn: 'bind_dn_'
    password: '****'
    encryption: 'plain' # "start_tls" or "simple_tls" or "plain"
    #   verify_certificates: true
    active_directory: true
    allow_username_or_email_login: false
    #   lowercase_usernames: false
    block_auto_created_users: false
    base: 'CN=Users,DC=hoge,DC=hoge2,DC=hoge3,DC=jp'
    attributes:
      username: ['cn']
      email:    ['mail']
EOS



We have the same problem. We have formation users defined in our LDAP, all of them configured with the same mail address.

By reading this page “https://docs.gitlab.com/ce/administration/auth/ldap.html#enabling-ldap-sign-in-for-existing-gitlab-users” I understood why…

When a user signs in to GitLab with LDAP for the first time, and their LDAP email address is the primary email address of an existing GitLab user, then the LDAP DN will be associated with the existing user. If the LDAP email attribute is not found in GitLab’s database, a new user is created.

Connected with an administrator account, I tried to change the email address of my existing GitLab formation user to be able to sign in with a second one, but I couldn’t save the changed mail address.

Is there a way to do so without modifying our users' information recorded in our LDAP?


Is this a specification for using LDAP, and can it not be changed?

Thank you.
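
An added example (not part of the thread and not GitLab's code): a directory audit that lists mail values shared by several LDAP entries and replays the email-matching rule quoted from the documentation as a simplified model, so collisions like aaa/bbb can be found before users sign in. The LDIF entries are constructed sample data, the function names are hypothetical, and comparing addresses case-insensitively is an assumption.

```python
from collections import defaultdict

# Constructed sample LDIF (plain, unfolded lines) mirroring the thread's two users.
SAMPLE_LDIF = """\
dn: CN=aaa,CN=Users,DC=example,DC=test
sAMAccountName: aaa
mail: hoge@test.com

dn: CN=bbb,CN=Users,DC=example,DC=test
sAMAccountName: bbb
mail: hoge@test.com

dn: CN=ccc,CN=Users,DC=example,DC=test
sAMAccountName: ccc
mail: ccc@test.com
"""

def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute: value} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry[key.lower()] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries

def duplicate_mails(entries):
    """Return {mail: [dn, ...]} for every address used by two or more entries."""
    by_mail = defaultdict(list)
    for e in entries:
        if e.get("mail"):
            by_mail[e["mail"].lower()].append(e["dn"])
    return {m: dns for m, dns in by_mail.items() if len(dns) > 1}

def simulate_first_sign_ins(entries):
    """Replay the quoted rule in sign-in order; return {dn: account reached}."""
    accounts, landed = {}, {}  # accounts: primary email -> account name
    for e in entries:
        mail = e.get("mail", "").lower()
        if not mail:
            continue
        # Known primary email: the DN is linked to that account; else a new one is created.
        accounts.setdefault(mail, e["samaccountname"])
        landed[e["dn"]] = accounts[mail]
    return landed
```

Any address reported by `duplicate_mails` marks a set of directory entries that would share one GitLab account under the quoted rule.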