authorTiago Botelho <tiagonbotelho@hotmail.com>2017-09-12 10:50:28 +0100
committerTiago Botelho <tiagonbotelho@hotmail.com>2017-09-25 09:44:31 +0100
commit718e5b0865a0d871f01b12c22a15757dc1fcc66b (patch)
treeeb84180fcd3ffe2e8ddeb1779491aaaaf06c60b4 /lib
parent4d88f6496836c7fbf8a0f58e4d2604bf2c3f96d5 (diff)
downloadgitlab-ce-718e5b0865a0d871f01b12c22a15757dc1fcc66b.tar.gz
Attempt to link saml users to ldap by email
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/ldap/person.rb4
-rw-r--r--lib/gitlab/o_auth/user.rb7
-rw-r--r--lib/gitlab/saml/user.rb16
3 files changed, 19 insertions, 8 deletions
diff --git a/lib/gitlab/ldap/person.rb b/lib/gitlab/ldap/person.rb
index 4d6f8ac79de..be64cc3991b 100644
--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -17,6 +17,10 @@ module Gitlab
adapter.user('dn', dn)
end
+ def self.find_by_email(email, adapter)
+ Array(adapter.config.attributes['email']).find { |attr| adapter.user(attr, email) }
+ end
+
def self.disabled_via_active_directory?(dn, adapter)
adapter.dn_matches_filter?(dn, AD_USER_DISABLED)
end
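Review bot: `find_by_email` returns the matching attribute name rather than the LDAP entry, because `Enumerable#find` returns the element for which the block is truthy, which here is the `attr` string. The new caller in `find_ldap_person` (lib/gitlab/o_auth/user.rb) appears to expect the same kind of object that `find_by_uid` and `find_by_dn` return, so the method should return the result of `adapter.user`, for example `Array(adapter.config.attributes['email']).lazy.map { |attr| adapter.user(attr, email) }.find(&:itself)`. A one-line comment saying that the first configured email attribute with a match wins would document the lookup order.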
diff --git a/lib/gitlab/o_auth/user.rb b/lib/gitlab/o_auth/user.rb
index 7704bf715e4..dd318b4242c 100644
--- a/lib/gitlab/o_auth/user.rb
+++ b/lib/gitlab/o_auth/user.rb
@@ -108,9 +108,12 @@ module Gitlab
end
def find_ldap_person(auth_hash, adapter)
- by_uid = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
+ person = Gitlab::LDAP::Person.find_by_uid(auth_hash.uid, adapter)
# The `uid` might actually be a DN. Try it next.
- by_uid || Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
+ person ||= Gitlab::LDAP::Person.find_by_dn(auth_hash.uid, adapter)
+
+ # The `uid` might actually be a Email. Try it next.
+ person || Gitlab::LDAP::Person.find_by_email(auth_hash.uid, adapter)
end
def ldap_config
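Review bot: The third fallback in `find_ldap_person` matches an LDAP entry on whatever string the provider sent as `uid`, so the resulting link is only as trustworthy as the provider's control over that value. This file is the generic OAuth user class, so the fallback presumably applies to every provider that has LDAP auto-linking enabled, not only SAML as the commit title suggests. If a provider lets an account holder choose or change the value that ends up in `uid`, an email-shaped `uid` could resolve to someone else's LDAP entry. I would state the assumption in the comment, e.g. `# The uid might be an email. Only safe when the provider asserts a verified address.`, and correct "a Email" to "an email".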
diff --git a/lib/gitlab/saml/user.rb b/lib/gitlab/saml/user.rb
index 0f323a9e8b2..2af54f8bb25 100644
--- a/lib/gitlab/saml/user.rb
+++ b/lib/gitlab/saml/user.rb
@@ -11,16 +11,16 @@ module Gitlab
end
def gl_user
- if auto_link_ldap_user?
+ if auto_link_saml_user?
+ @user ||= find_by_email
+ end
+
+ if auto_link_ldap_user? && !@user&.ldap_user?
@user ||= find_or_create_ldap_user
end
@user ||= find_by_uid_and_provider
- if auto_link_saml_user?
- @user ||= find_by_email
- end
-
if signup_enabled?
@user ||= build_new_user
end
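Review bot: In `gl_user` the email lookup now runs before `find_by_uid_and_provider`, so with SAML auto-linking enabled the asserted email decides which account is loaded even when an identity for this `uid` and `provider` already exists. The guard added to `find_by_email` in the next hunk skips creating the identity when the account already has one but still returns the user, so an assertion carrying account B's email and account A's `uid` would presumably resolve to B. Unless that is intended, keep the established identity authoritative by placing `@user ||= find_by_uid_and_provider` ahead of the `auto_link_saml_user?` branch. Alternatively, have `find_by_email` return nil when the user holds an identity for this provider with a different `extern_uid`. The end of `gl_user` is outside the hunk.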
@@ -42,7 +42,11 @@ module Gitlab
def find_by_email
if auth_hash.has_attribute?(:email)
user = ::User.find_by(email: auth_hash.email.downcase)
- user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider) if user
+
+ if user&.identities&.empty?
+ user.identities.new(extern_uid: auth_hash.uid, provider: auth_hash.provider)
+ end
+
user
end
end
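Review bot: The `identities.empty?` guard in `find_by_email` has no comment, and the reason for it is not obvious from the code: accounts that already have an identity are returned unchanged, and only identity-less accounts get the SAML identity built. A line such as `# Link the SAML identity only to accounts that have no identity yet; others are returned as found.` above the `if` would record that. The second safe-navigation operator in `user&.identities&.empty?` looks redundant, since `identities` on a non-nil user is presumably an association and never nil; `user&.identities.empty?` would not work either, so `if user && user.identities.empty?` is the clearer spelling.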