diff --git a/CHANGELOG-EE b/CHANGELOG-EE
index 47664a291dc7f3db371c208187b349526ee27950..19dea6e57ee2b02e950a9d5d4d733c25c2f84129 100644
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
@@ -2,6 +2,7 @@ v 7.12 (Unreleased)
- Fix error when viewing merge request with a commit that includes "Closes #<issue id>".
- Enhance LDAP group synchronization to check also for member attributes that only contain "uid=<username>"
- Enhance LDAP group synchronization to check also for submember attributes
+ - Prevent LDAP group sync from removing a group's last owner
v 7.11.2
- Fixed license upload and verification mechanism
diff --git a/doc/integration/ldap.md b/doc/integration/ldap.md
index abd8932a9a29b249df970908bce2349956da7225..b60ac6d7853981b30fc9403d4defcd19492bb298 100644
--- a/doc/integration/ldap.md
+++ b/doc/integration/ldap.md
@@ -161,9 +161,9 @@ If you have two LDAP group links, e.g. 'cn=Engineering' at level 'Developer' and
### Locking yourself out of your own group
-As an LDAP-enabled GitLab user, if you create a group and then set it to synchronize with an LDAP group you do not belong to, you will be removed from the grop as soon as the synchronization takes effect for you.
+As an LDAP-enabled GitLab user, if you create a group and then set it to synchronize with an LDAP group you do not belong to, you will be removed from the group as soon as the synchronization takes effect for you, unless you are the last owner of the group.
-If you accidentally lock yourself out of your own GitLab group, ask a GitLab administrator to change the LDAP synchronization settings for your group.
+If you accidentally lock yourself out of your own GitLab group, ask another owner of the group or a GitLab administrator to change the LDAP synchronization settings for your group.
### Non-LDAP GitLab users
diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 8ded5fc006f6f6d9393433cdb385a20e8b7d8a0c..672b6ce86d3d062329a24704fc280786084d57d0 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -137,6 +137,8 @@ module Gitlab
if active_group_links.any?
group.add_users([user.id], fetch_group_access(group, user, active_group_links))
+ elsif group.last_owner?(user)
+ Rails.logger.warn "#{self.class.name}: LDAP group sync cannot remove #{user.name} (#{user.id}) from group #{group.name} (#{group.id}) as this is the group's last owner"
else
group.users.delete(user)
end
diff --git a/spec/lib/gitlab/ldap/access_spec.rb b/spec/lib/gitlab/ldap/access_spec.rb
index c9ca9a412630b313167dceb9bd6ef77c4d3f5f0a..a50e45aa90748eb4ab1ee80373925cbff49f31d3 100644
--- a/spec/lib/gitlab/ldap/access_spec.rb
+++ b/spec/lib/gitlab/ldap/access_spec.rb
@@ -287,6 +287,35 @@ objectclass: posixGroup
change{ gitlab_group_1.members.where(user_id: user).any? }.from(true).to(false)
end
end
+
+ context "existing access as owner for group-1 with no other owner, not allowed" do
+ before do
+ gitlab_group_1.group_members.owners.create(user_id: user.id)
+ gitlab_group_1.ldap_group_links.create({
+ cn: 'ldap-group1', group_access: Gitlab::Access::OWNER, provider: 'ldapmain'})
+ access.stub(cns_with_access: ['ldap-group2'])
+ end
+
+ it "does not remove the user from gitlab_group_1 since it's the last owner" do
+ expect { access.update_ldap_group_links }.not_to \
+ change{ gitlab_group_1.has_owner?(user) }
+ end
+ end
+
+ context "existing access as owner for group-1 while other owners present, not allowed" do
+ before do
+ owner2 = create(:user) # a 2nd owner
+ gitlab_group_1.group_members.owners.create([ {user_id: user.id}, {user_id: owner2.id} ] )
+ gitlab_group_1.ldap_group_links.create({
+ cn: 'ldap-group1', group_access: Gitlab::Access::OWNER, provider: 'ldapmain'})
+ access.stub(cns_with_access: ['ldap-group2'])
+ end
+
+ it "removes user from gitlab_group_1" do
+ expect { access.update_ldap_group_links }.to \
+ change{ gitlab_group_1.members.where(user_id: user).any? }.from(true).to(false)
+ end
+ end
end
describe 'ldap_groups' do