Switch LDAP backend from AD to OpenLDAP (and change the email address)

Hey there,

I want to switch our LDAP backend (which is Active Directory) to OpenLDAP, because AD contains “wrong” data. I especially want to change the email address. (Reasoning: AD holds an email address which is used internally for Exchange, user@exchange.domain.com, and I want to get rid of that “exchange.” part.)

So I set up an OpenLDAP server containing the better email format. Account name and password are the same on AD and OpenLDAP, but especially the email address differs.

Now, when I just switch the backend (ldapmain) to the new OpenLDAP config, login works fine, but GitLab creates a new account “username1” and users can’t access their old account “username”.

I assumed that GitLab matches both (account name + email address) to the local user account and thinks that this is a new user.

I played around with “gitlab-rake gitlab:ldap:rename_provider”, hoping that the email address would be updated that way, but it wasn’t.
What worked in the end, after some testing, was to edit the GitLab database to match the new email address and then flip the LDAP config.

I really don’t want to mess with the database, especially not for 1000+ users.
Is there a better way to do this?
Is GitLab’s behaviour buggy?
Shouldn’t the “rename_provider” rake task fix this?

So long,
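The situation described in the post is a migration between two directories that share account names but differ in everything GitLab uses to recognise a returning user: GitLab links an LDAP login to a local account through the identity record whose extern_uid is the entry's DN, and an AD DN (CN=...,OU=...,DC=...) never equals an OpenLDAP DN (uid=...,ou=...,dc=...), so the match key changes together with the email. Before flipping the config for 1000+ users it is worth diffing the two directories and looking for the two conditions that make such a switch dangerous: accounts that vanish (people locked out) and email addresses shared between accounts (one person's login matched to someone else's account). The Ruby below is an added example, not code from the post or from GitLab. It assumes both directories are exported as plain LDIF (no base64 "::" values), that the account name is the stable join key (sAMAccountName on AD, uid on OpenLDAP), and the sample exports, domains and DNs are constructed for the example.

```ruby
# Added example (not GitLab's code): reconcile an AD export against an OpenLDAP
# export before pointing GitLab at the new server. Assumes plain LDIF exports
# and that the account name is the stable key shared by both directories.

# Parse the LDIF subset used here: blank-line separated entries, "attr: value"
# lines, "#" comments and single-space continuation (folded) lines.
# Returns [{ dn: String, attrs: { "lowercased-attr" => [values] } }, ...].
def parse_ldif(text)
  entries = []
  current = nil
  last_key = nil
  text.each_line do |raw|
    line = raw.chomp
    if line.empty?
      entries << current if current
      current = nil
      next
    end
    next if line.start_with?('#')
    if line.start_with?(' ') && current && last_key
      # Folded line: append to the value of the previous attribute.
      if last_key == 'dn'
        current[:dn] += line[1..-1]
      else
        current[:attrs][last_key][-1] += line[1..-1]
      end
      next
    end
    key, value = line.split(/:\s*/, 2)
    next unless value
    key = key.downcase
    current ||= { dn: nil, attrs: Hash.new { |h, k| h[k] = [] } }
    if key == 'dn'
      current[:dn] = value
    else
      current[:attrs][key] << value
    end
    last_key = key
  end
  entries << current if current
  entries
end

# Index entries by account name: { "alice" => { dn: ..., mail: ... } }.
def index_by_account(entries, account_attr)
  entries.each_with_object({}) do |e, idx|
    name = e[:attrs][account_attr.downcase].first
    next if name.nil?
    idx[name.downcase] = { dn: e[:dn], mail: e[:attrs]['mail'].first }
  end
end

# Compare the old (AD) index with the new (OpenLDAP) index. Returns:
#   :changes  accounts whose DN or mail differs between the directories
#   :missing  accounts present in AD but absent from OpenLDAP
#   :dup_mail new-directory mail values shared by more than one account
def reconcile(old_idx, new_idx)
  changes = []
  missing = []
  old_idx.each do |uid, old|
    new = new_idx[uid]
    if new.nil?
      missing << uid
      next
    end
    diff = {}
    diff[:dn] = [old[:dn], new[:dn]] if old[:dn] != new[:dn]
    diff[:mail] = [old[:mail], new[:mail]] if old[:mail].to_s.downcase != new[:mail].to_s.downcase
    changes << { uid: uid }.merge(diff) unless diff.empty?
  end
  by_mail = Hash.new { |h, k| h[k] = [] }
  new_idx.each { |uid, v| by_mail[v[:mail].downcase] << uid if v[:mail] }
  { changes: changes, missing: missing, dup_mail: by_mail.select { |_, uids| uids.size > 1 } }
end

# Flip the GitLab LDAP config only when every AD account has a counterpart and
# no two accounts would share an email address in the new directory.
def safe_to_switch?(report)
  report[:missing].empty? && report[:dup_mail].empty?
end

# Constructed sample exports (hypothetical domains and DNs).
AD_LDIF = <<~LDIF
  dn: CN=Alice Example,OU=Users,DC=corp,DC=example,DC=com
  sAMAccountName: alice
  mail: alice@exchange.example.com

  dn: CN=Bob Example,OU=Users,DC=corp,DC=example,DC=com
  sAMAccountName: bob
  mail: bob@exchange.example.com

  dn: CN=Carol Example,OU=Users,DC=corp,DC=example,DC=com
  sAMAccountName: carol
  mail: carol@exchange.example.com
LDIF

OPENLDAP_LDIF = <<~LDIF
  dn: uid=alice,ou=people,dc=example,dc=com
  uid: alice
  mail: alice@example.com

  # bob was given alice's address by mistake; carol is missing entirely
  dn: uid=bob,ou=people,dc=example,dc=com
  uid: bob
  mail: alice@example.com
LDIF

def reconcile_sample
  reconcile(index_by_account(parse_ldif(AD_LDIF), 'sAMAccountName'),
            index_by_account(parse_ldif(OPENLDAP_LDIF), 'uid'))
end

if __FILE__ == $PROGRAM_NAME
  report = reconcile_sample
  report[:changes].each { |c| puts "#{c[:uid]}: #{c.reject { |k, _| k == :uid }}" }
  puts "missing in OpenLDAP: #{report[:missing].join(', ')}" unless report[:missing].empty?
  report[:dup_mail].each { |m, uids| puts "duplicate mail #{m}: #{uids.join(', ')}" }
  puts(safe_to_switch?(report) ? 'safe to switch' : 'fix the directory first')
end
```

Run against real exports (ldifde on the AD side, ldapsearch on the OpenLDAP side), the :changes list is exactly the set of identities whose DN and email GitLab would need to have updated, and the run should be repeated until :missing and :dup_mail are empty before the configuration is flipped. An account listed under :dup_mail is the one to fix in the directory itself, not in GitLab, since an email-based match to the wrong local user would hand that user's repositories to someone else.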