Skip to content
This repository was archived by the owner on Dec 22, 2024. It is now read-only.

LDAP sync fails when user has multiple mail attributes #57

Open
sophieqc opened this issue Mar 12, 2019 · 5 comments
Open

LDAP sync fails when user has multiple mail attributes #57

sophieqc opened this issue Mar 12, 2019 · 5 comments

Comments

@sophieqc
Copy link

Hi Team,

I'm doing some tests with Wekan on openshift, with LDAP Auth.

Login with a user with a single "mail" attribute works. Login with a user with multiple "mail" attributes doesn't.

Log :

[INFO] Init LDAP login "pcurie"
[WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL 
[INFO] Init setup 
[INFO] Connecting "ldap://192.168.1.44:389"
[DEBUG] connectionOptions{ url: 'ldap://192.168.1.44:389',
  timeout: 10000,
  connectTimeout: 10000,
  idleTimeout: 10000,
  reconnect: true,
  log: 
   Logger {
     domain: null,
     _events: {},
     _eventsCount: 0,
     _maxListeners: undefined,
     _level: 30,
     streams: [ [Object] ],
     serializers: null,
     src: false,
     fields: 
      { name: 'ldapjs',
        component: 'client',
        hostname: 'wekan-14-b6slr',
        pid: 1 } } } 
[INFO] LDAP connected 
[INFO] Binding UserDN "uid=svc-wekan,cn=sysaccounts,cn=etc,dc=acme,dc=org"
[INFO] Searching user "pcurie"
[DEBUG] searchOptions {
  "filter": "(&(uid=pcurie))",
  "scope": "sub",
  "sizeLimit": 0
}
[DEBUG] BaseDN "cn=users,cn=accounts,dc=acme,dc=org"
[INFO] Search result count 1
[INFO] Authenticating "uid=pcurie,cn=users,cn=accounts,dc=acme,dc=org"
[INFO] Authenticated "uid=pcurie,cn=users,cn=accounts,dc=acme,dc=org"
[DEBUG] Identifying user with: uid 
[INFO] Querying user 
[DEBUG] userQuery {
  "services.ldap.id": "706175637572"
}
[DEBUG] userQuery {
  "username": "pcurie"
}
[INFO] User does not exist, creating "pcurie"
[DEBUG] Identifying user with: uid 
[DEBUG] Mapping field cn -> name 
[DEBUG] user.name changed to: Paul CURIE 
[DEBUG] Mapping field mail -> email 
[DEBUG] Identifying user with: uid 
[DEBUG] New user data {
  "username": "pcurie",
  "email": {
    "type": "Buffer",
    "data": [
      112,
      97,
      117,
      99,
      117,
      114,
      64,
      119,
      111,
      114,
      116,
      101,
      107,
      115,
      46,
      99,
      111,
      109
    ]
  }
}
[ERROR] Error creating user {
  "message": "Match error: Expected string, got object in field email",
  "path": "email",
  "sanitizedError": {
    "isClientSafe": true,
    "error": 400,
    "reason": "Match failed",
    "message": "Match failed [400]",
    "errorType": "Meteor.Error"
  },
  "errorType": "Match.Error"
}
Exception while invoking method 'login' Error: Match error: Expected string, got object in field email
    at exports.check (packages/check.js:55:15)
    at createUser (packages/accounts-password/password_server.js:1028:3)
    at AccountsServer.Accounts.createUser (packages/accounts-password/password_server.js:1123:10)
    at addLdapUser (packages/wekan:wekan-ldap/server/sync.js:277:31)
    at DDPCommon.MethodInvocation.<anonymous> (packages/wekan:wekan-ldap/server/loginHandler.js:159:18)
    at packages/accounts-base/accounts_server.js:468:32
    at tryLoginMethod (packages/accounts-base/accounts_server.js:245:14)
    at AccountsServer.Ap._runLoginHandlers (packages/accounts-base/accounts_server.js:465:18)
    at DDPCommon.MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:528:27)
    at packages/check.js:128:16
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
    at Object._failIfArgumentsAreNotAllChecked (packages/check.js:127:41)
    at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1765:18)
    at DDP._CurrentMethodInvocation.withValue (packages/ddp-server/livedata_server.js:719:19)
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
    at DDPServer._CurrentWriteFence.withValue (packages/ddp-server/livedata_server.js:717:46)
Sanitized and reported to the client as: Match failed [400]

[INFO] Idle 
[INFO] Disconecting 
[INFO] Closed

Thank you
@sophieqc
Copy link
Author

As a work-around, you can remove "LDAP_EMAIL_FIELD" variable from your env, and wekan let you login.

@stevenpwaters
Copy link
Contributor

Interesting - is that the only change you made to get it working?

I can't see how removing the environment variable fixes the issue.

@sophieqc
Copy link
Author

Indeed, sorry I wasn't careful enough in my tests.

What actually made it work was setting "LDAP_SYNC_USER_DATA_FIELDMAP" from {"displayName":"name","mail":"email"} to {"displayName":"name"}.

So it seems related to sync fonctions.

@stevenpwaters
Copy link
Contributor

Yes, that makes sense considering it will no longer attempt to sync email address.

Out of interest, could you expand a bit on the multiple mail attributes? Do you have multiple attributes for the user with the same name (i.e. more than one "email" attribute) or is it a multi valued attribute?

Seeing an example LDAP user entry would be helpful.

@sophieqc
Copy link
Author

sophieqc commented Mar 15, 2019
edited
Loading

It is multi-valued attribute for a single user, in ldif format it would look like :

mail: short@domain.tld
mail: long.mail@domain.tld

@sophieqc sophieqc changed the title LDAP Login fails when user has multiple mail attributes LDAP sync fails when user has multiple mail attributes Mar 21, 2019
@xet7 xet7 transferred this issue from wekan/ldap Apr 20, 2019
@xet7 xet7 transferred this issue from wekan/wekan Jan 8, 2020
@fflorent fflorent mentioned this issue Jun 22, 2020
Closed
@Tagadda Tagadda mentioned this issue Jan 5, 2022
Merged
2 tasks
@yalh76 yalh76 mentioned this issue Jan 18, 2022
Merged
2 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sophieqc @stevenpwaters