Resolving accidental user account takeover by a new LDAP user on GitHub Enterprise Server

[github-staff]

Summary

This document outlines the steps to resolve issues where a new user on GitHub Enterprise Server (GHES) is mistakenly associated with an old user account due to matching LDAP Distinguished Name (DN) mappings.
This situation can occur when the LDAP DN of the new user account in the LDAP directory matches the LDAP DN (mapping) stored on GitHub Enterprise Server for an old user account, causing the new user to inherit the old user's account and access on the server.

Steps to Resolve

Ask the admin to follow the steps below to ensure that a new user account can be created on GitHub Enterprise Server for the new LDAP user.

1. Update the LDAP DN for the Old User Account

1. Navigate to the old user's admin page:
   https://[hostname]/stafftools/users/[old_username]/admin
2. Change the LDAP DN field to a placeholder value, such as deactivated.
3. Click the Update button.

2. Verify and Update the Username for the Existing (old) GitHub Enterprise Server User Account

1. Ensure the username of the old user account ([old_username]) is not the same as the "username" of the new LDAP user account to ensure that they do not conflict.
   • GHES uses the LDAP uid attribute as the "username" unless a custom mapping is configured in the Management Console under Authentication > User Fields > User ID.
2. If necessary, update the username of the old user account using the option on the https://[hostname]/stafftools/users/[old_username]/admin page.

3. Verify and Update the Email Address

1. Ensure the email address of the old user account is not the same as the "email" LDAP attribute of the new user.
   • GHES uses the LDAP mail attribute as the email address unless a custom mapping is configured in the Management Console under Authentication > User Fields > Emails.
2. If the email addresses conflict and your GHES is configured to sync email addresses, update the email address of the new user in the LDAP directory.
   • Note: It is not possible to change the email address of the old user directly on GHES if it is managed by LDAP.

4. Re-Suspend the Old User Account

1. As a security best practice, ensure the old GitHub Enterprise Server user account is re-suspended.
   • If LDAP Sync is enabled on the appliance, click the Sync now button on the https://[hostname]/stafftools/users/[old_username]/admin page. The user account should automatically be re-suspended when LDAP Sync runs, since it would not be able to find an LDAP DN with deactivated.
   • If LDAP Sync is not enabled on the appliance, follow the steps in this doc to manually suspend the old user account.

5. Update the fallback_uid for the Old User Account

1. Access the GHES console and run the following commands to update the fallback_uid for the old GitHub Enterprise Server user account. Note that ghe-console should only be used when advised by the GitHub Support team. Incorrect use could cause damage or data loss.

   # Check the current fallback_uid
   echo "ActiveRecord::Base.filter_attributes = []; User.find_by_login('[old_username]').ldap_mapping" | ghe-console -y
   
   # Change the fallback_uid
   ghe-console
   # Enter `y` to acknowledge the warning and proceed with ghe-console
   user = User.find_by_login('[old_username]')
   user.ldap_mapping.fallback_uid = "DeactivatedUser_[old_username]"
   user.ldap_mapping.save!
   exit

   Replace [old_username] with the username of the old user account.

6. Ask the new LDAP user to try to log in again

1. Have the new user attempt to log into GitHub Enterprise Server again with their LDAP credentials.
2. Verify that the new GitHub Enterprise Server user account was created for this LDAP user.

Related Resources

• GitHub Enterprise Server Documentation
• Managing User Accounts with Stafftools

If you encounter further issues or have additional questions, please contact GitHub Support.