Omniauth auto-link ldap user not working

I’m using omnibus gitlab ee on debian buster with ldap through FreeIPA and saml authentication through Keycloak.

I have saml omniauth authentication set up with gitlab_rails['omniauth_auto_link_ldap_user'] = true set, but ldap users aren’t getting automatically linked. Ldap authentication and sync work correctly when the user logs in using ldap rather than saml.

Here’s my saml config:

gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['saml']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_auto_link_ldap_user'] = true
gitlab_rails['omniauth_auto_link_saml_user'] = true
gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    label: 'SAML',
    args: {
             assertion_consumer_service_url: 'https://gitlab.domain.tld/users/auth/saml/callback',
             idp_cert: '-snip-',
             idp_sso_target_url: 'https://login.domain.tld/auth/realms/master/protocol/saml',
             issuer: 'https://gitlab.domain.tld',
             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
             attribute_statements: { username: ['username'] }
           }
  }
]

Here’s my ldap config:

gitlab_rails['ldap_servers'] = YAML.load <<-'EOS'
  main:
    label: 'FreeIPA'
    host: 'ipaserver.domain.tld'
    port: 389
    uid: 'uid'
    bind_dn: 'uid=gitlab,cn=sysaccounts,cn=etc,dc=domain,dc=tld'
    password: '-snip-'
    encryption: 'start_tls'
    verify_certificates: true
    tls_options:
      ca_file: '/etc/ipa/ca.crt'
    smartcard_auth: false
    active_directory: false
    allow_username_or_email_login: false
    lowercase_usernames: false
    block_auto_created_users: false
    base: 'cn=users,cn=accounts,dc=domain,dc=tld'
    user_filter: '(objectclass=inetorgperson)'
    group_base: 'cn=groups,cn=accounts,dc=domain,dc=tld'
    admin_group: 'admins'
    sync_ssh_keys: ipaSshPubKey
EOS
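An added example, not part of the original post and not GitLab's own code: a small offline check of whether the identifier a SAML IdP sends would resolve to an entry in the LDAP directory. It assumes (this is an assumption, not something the post states) that the LDAP auto-link matches the OmniAuth uid, which for SAML is the NameID, against the LDAP uid, mail or DN. The assertion, the directory entries and the function names `parse_assertion`, `find_ldap_person` and `check_auto_link` are all constructed for the example; with a persistent-format NameID the sample NameID is an opaque value, so the check reports no match and lists which assertion attributes would have resolved instead.

```python
"""Offline check: would the SAML NameID resolve to an LDAP person?

Assumption (not from the post): the LDAP auto-link compares the OmniAuth uid
(the SAML NameID) against the LDAP uid, then mail, then DN. Everything below
is constructed sample data, not output from a real Keycloak or FreeIPA.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion, shaped like one issued with the persistent NameID
# format from the post. The NameID value is an opaque constructed id.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">G-3f9c1e2a7b0d</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>JDoe@domain.tld</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed directory snapshot: DN -> attributes, as an ldapsearch under the
# post's base 'cn=users,cn=accounts,dc=domain,dc=tld' might return them.
SAMPLE_DIRECTORY = {
    "uid=jdoe,cn=users,cn=accounts,dc=domain,dc=tld": {"uid": "jdoe", "mail": "jdoe@domain.tld"},
    "uid=asmith,cn=users,cn=accounts,dc=domain,dc=tld": {"uid": "asmith", "mail": "asmith@domain.tld"},
}


def parse_assertion(xml_text):
    """Extract the NameID, its Format, and all attribute statements."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": (name_id.text or "").strip() if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def find_ldap_person(identifier, directory, uid_attr="uid"):
    """Return the DN whose uid, then mail, then DN equals identifier (case-insensitive), else None."""
    ident = identifier.strip().lower()
    for dn, entry in directory.items():
        if entry.get(uid_attr, "").lower() == ident:
            return dn
    for dn, entry in directory.items():
        if entry.get("mail", "").lower() == ident:
            return dn
    for dn in directory:
        if dn.lower() == ident:
            return dn
    return None


def check_auto_link(xml_text, directory, uid_attr="uid"):
    """Report whether the NameID links, and which other attributes would have."""
    parsed = parse_assertion(xml_text)
    matched = find_ldap_person(parsed["name_id"], directory, uid_attr) if parsed["name_id"] else None
    linkable = sorted(
        name for name, values in parsed["attributes"].items()
        if any(find_ldap_person(v, directory, uid_attr) for v in values)
    )
    return {
        "name_id": parsed["name_id"],
        "name_id_format": parsed["name_id_format"],
        "matched_dn": matched,
        "linkable_attributes": linkable,
    }


if __name__ == "__main__":
    report = check_auto_link(SAMPLE_ASSERTION, SAMPLE_DIRECTORY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against a real login, replace `SAMPLE_ASSERTION` with the decoded assertion from the browser's SAML response and `SAMPLE_DIRECTORY` with the uid and mail values from an `ldapsearch` under the configured base; the `uid_attr` parameter mirrors the `uid:` key in the ldap_servers block. The comparison is lowercased because the post's `lowercase_usernames: false` means a case difference between the IdP value and the directory value is worth noticing separately.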