New user login over LDAP after email change

Hello. We have a company where users often change business units. With a change of business unit he also changes email. After doing that and logging in with LDAP, GitLab creates a new user as it doesn't find his email. Is there some solution? Is there a way for GitLab to check the existing user with the userPrincipalName field from LDAP, as userPrincipalName never changes and stays the same even after a change of business unit and email?

Is the answer maybe in the GitLab LDAP config as stated in the documentation:

  attributes:
    # The username will be used in paths for the user's own projects
    # (like gitlab.example.com/username/project) and when mentioning
    # them in issues, merge requests and comments (like @username).
    # If the attribute specified for username contains an email address,
    # the GitLab username will be the part of the email address before the '@'.
    username: ['uid', 'userid', 'sAMAccountName']
    email: ['mail', 'email']

What is the correct setting?

BR Denis

Update: as users already logged in with a changed email address, I see that the documentation isn't OK, or there is a bug (hope not, as it works great for me).

As it is now, with version 9.0.2 CE, if a user changes email in LDAP, he can log in to GitLab to the existing account and his email is updated in GitLab :slight_smile:

And I also tested the attributes setting in LDAP on a test environment and it also works. If you put:

  attributes:
    email: ['userPrincipalName', 'email', 'mail']

you will have the userPrincipalName value in the email field.

So if anyone from GitLab development reads this, I just need one answer. How does GitLab work regarding user log-in? We use the domain username to log in. He gets info from LDAP. What field from LDAP does it compare to what field from GitLab, when it decides if you can log in or you are a new user?

BR, Denis
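The following is an added illustration written for this thread, not GitLab's code and not a statement of how GitLab actually matches users. It models the two things discussed above: how an `attributes:` mapping like the one quoted picks one LDAP attribute per GitLab field (assumed rule: the first listed attribute that has a value wins; the "username before the @" rule is the one quoted from the docs), and why a sign-in that looks the account up by a stable identifier (here the DN) survives an email change, while a lookup by the current email alone creates a duplicate account. The LDAP entries, DN and mapping names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed LDAP entries: the same account before and after a move to a
# different business unit. Only `mail` changes; sAMAccountName and
# userPrincipalName stay the same (the stable attributes the thread mentions).
ENTRY_BEFORE = {
    "sAMAccountName": ["dkovac"],
    "userPrincipalName": ["dkovac@corp.example.com"],
    "mail": ["denis@unit-a.example.com"],
}
ENTRY_AFTER = {
    "sAMAccountName": ["dkovac"],
    "userPrincipalName": ["dkovac@corp.example.com"],
    "mail": ["denis@unit-b.example.com"],
}
DN = "CN=Denis,OU=Users,DC=corp,DC=example,DC=com"  # constructed

# Two mappings in the style of the `attributes:` block quoted in the thread.
MAPPING_MAIL_FIRST = {"username": ["uid", "userid", "sAMAccountName"],
                      "email": ["mail", "email"]}
MAPPING_UPN_FIRST = {"username": ["uid", "userid", "sAMAccountName"],
                     "email": ["userPrincipalName", "email", "mail"]}


def map_attributes(entry, mapping):
    """Resolve each GitLab field from the first listed LDAP attribute that has a value.
    Assumption: this 'first attribute with a value wins' rule models the attributes block."""
    out = {}
    for field_name, candidates in mapping.items():
        for attr in candidates:
            values = entry.get(attr) or []
            if values:
                out[field_name] = values[0]
                break
    # Rule quoted from the docs: a username that is an email keeps only the part before '@'.
    if "@" in out.get("username", ""):
        out["username"] = out["username"].split("@", 1)[0]
    return out


@dataclass
class User:
    id: int
    username: str
    email: str
    extern_uid: str  # stable LDAP identifier (DN) recorded on the user's identity


class UserStore:
    """In-memory stand-in for the user table; not GitLab's data model."""
    def __init__(self):
        self.users = []

    def find_by_extern_uid(self, dn):
        return next((u for u in self.users if u.extern_uid.lower() == dn.lower()), None)

    def find_by_email(self, email):
        return next((u for u in self.users if u.email.lower() == email.lower()), None)


def ldap_sign_in(store, dn, entry, mapping, match_by="dn"):
    """Model sign-in. match_by='dn' looks the account up by the stable DN;
    match_by='email' models the duplicate-account behaviour the thread describes."""
    mapped = map_attributes(entry, mapping)
    if match_by == "dn":
        user = store.find_by_extern_uid(dn)
    else:
        user = store.find_by_email(mapped["email"])
    if user is None:
        user = User(id=len(store.users) + 1, username=mapped["username"],
                    email=mapped["email"], extern_uid=dn)
        store.users.append(user)
        return user, "created"
    if user.email != mapped["email"]:
        user.email = mapped["email"]  # existing account, email refreshed from LDAP
        return user, "email_updated"
    return user, "existing"


def scenario(match_by, mapping):
    """Sign in before and after the business-unit move; report what happened."""
    store = UserStore()
    _, first = ldap_sign_in(store, DN, ENTRY_BEFORE, mapping, match_by)
    user, second = ldap_sign_in(store, DN, ENTRY_AFTER, mapping, match_by)
    return first, second, len(store.users), user.email


if __name__ == "__main__":
    print("stable DN lookup, mail first:   ", scenario("dn", MAPPING_MAIL_FIRST))
    print("email-only lookup, mail first:  ", scenario("email", MAPPING_MAIL_FIRST))
    print("email-only lookup, UPN first:   ", scenario("email", MAPPING_UPN_FIRST))
```

Running the three scenarios shows the point of the thread: with a stable-identifier lookup the second sign-in updates the existing account's email; with an email-only lookup the same person gets a second account; and putting `userPrincipalName` first in the `email` list makes the email field itself stable, which is why the UPN-first mapping tested above avoids the duplicate even under an email-only lookup.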