Before there was a bug in omniauth-ldap which prevented samaccountname
showing up as a possible username for new LDAP users. Thanks to upstream
fixes, we no longer need to work around this bug.
The blocked? method is used to check whether a user exists in LDAP. Prior to this change, if the LDAP server had more objects below the one pointed to by the DN, those objects would also be picked up by the search, causing the method to determine the user should be blocked.
One case where this can happen is when using Active Directory and a user have a mobile phone assigned. In this case, Exchange will add an entry called ExchangeActiveSyncDevices under the users entry. The user-visible behaviour is then that a user loses Gitlab access when he enables a mobile device.
This fix sets the search scope to BaseObject in order to ensure that only the user itself is returned.
-when logging in if users are allowed to login with just usernames in ldap we will update uid of the user if their uid is out of date
Conflicts:
spec/lib/auth_spec.rb
Change-Id: Ia171b3d5133da86edc18c0d08ecfaf6a174f2574