Allow minimal access in LDAP group links API

What does this MR do and why?

The REST API for creating LDAP group links currently rejects requests when group_access is set to 5 (minimal access), returning the error "group_access does not have a valid value".

This happens because the API validation excludes Minimal Access from the allowed values. This change updates the LDAP group links API to include minimal access in the validation, consistent with the SAML group links fix in Allow Minimal Access for Saml Group Links API (!205467 - merged).

References

  • Resolves #577953
  • Related to !205467 (merged) (Fix SAML Group Link with minimal access via REST API)
  • Related to #420655 (closed) (Cannot add SAML Group Link with minimal access via REST API) - FIXED
  • Parent epic: &8538 (LDAP Group Sync)
  • Parent epic: &19084 (Enterprise user provisioning and management)

Screenshots or screen recordings

This is an API-only change, no UI modifications.

How to set up and validate locally

Prerequisites

  1. Set up LDAP integration in your GitLab instance.
  2. Create a group with LDAP group sync enabled and note the group ID.

Validation Steps

Test 1: Verify the fix works via API

  1. Try to create an LDAP group link with minimal access via REST API:

    curl --request POST \
      --header "PRIVATE-TOKEN: <your-token>" \
      --header "Content-Type: application/json" \
      --data '{ "cn": "cn-foo", "group_access": 5, "provider": "ldapmain" }' \
      --url "http://localhost:3000/api/v4/groups/<group-id>/ldap_group_links"

  2. Verify the request succeeds (returns 201 Created) instead of failing with "group_access does not have a valid value".

  3. Confirm the LDAP group link is created with minimal access level by checking the UI here.

Test 2: Verify invalid access levels are still rejected

  1. Try with an invalid access level:

    curl --request POST \
      --header "PRIVATE-TOKEN: <your-token>" \
      --header "Content-Type: application/json" \
      --data '{ "cn": "cn-bar", "group_access": 111, "provider": "ldapmain" }' \
      --url "http://localhost:3000/api/v4/groups/<group-id>/ldap_group_links"

  2. Verify it returns 400 Bad Request with "group_access does not have a valid value".

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lukas Wanko