Gitlab LDAP sync script tries to remove "bot" users from groups.

[TafkaMax]

The Gitlab LDAP sync script tries to currently remove "bot users" that are created when adding an access_token from non-ldap groups. Maybe even from groups that are also present in LDAP.

https://gitlab.example.com/groups/<GROUPNAME>/-/settings/access_tokens

[TafkaMax]

[notice] Deleting extra group members...
[info] Deleting user #132 "REDACTED" from group #1019 "REDACTED" [REDACTED].
[error] Gitlab failure: 403 Forbidden

[TafkaMax]

When adding an access token to a group a bot user is created there. So a check is necessary to see if user is bot.

[AdamReece-WebBox]

I've not looked yet, but I suspect the users API will be able to reveal if a user is a bot. We could then exclude bot users from deletions.

(I noticed this happening at our corporate Gitlab too, though I've only ever needed to run the tool once here so far.)

[TafkaMax]

Reformatted the Title. I first noticed it with groups that did not match a LDAP group name. But it is happening with all groups.

[mojibake-umd]

There is a boolean attribute called humans in the Gitlab Users API and a boolean attribute called bot for Gitlab User API

[Adambean]

According to the documentation the "bot" property is only returned when querying the API for a single user, not in the response when querying for multiple users. I'll check if that's true.

[Adambean]

I've added a branch issue/19-script-tries-to-remove-bots-from-groups you can switch to to see if this works for you. (Dry run first of course.)

[mojibake-umd]

@Adambean without_project_bots default is false...
curl -s --header "PRIVATE-TOKEN: $GITLAB_API_TOKEN" "https://gitlab.example.com/api/v4/users?without_project_bots=true"