LDAP sync fails when user has multiple mail attributes #57

Open
sophieqc opened this issue Mar 12, 2019 · 5 comments

Comments

@sophieqc

Hi Team,

I'm doing some tests with Wekan on openshift, with LDAP Auth.

Login with a user with a single "mail" attribute works. Login with a user with multiple "mail" attributes doesn't.

Log :

[INFO] Init LDAP login "pcurie"
[WARN] Lookup for unset variable: INTERNAL_LOG_LEVEL 
[INFO] Init setup 
[INFO] Connecting "ldap://192.168.1.44:389"
[DEBUG] connectionOptions{ url: 'ldap://192.168.1.44:389',
  timeout: 10000,
  connectTimeout: 10000,
  idleTimeout: 10000,
  reconnect: true,
  log: 
   Logger {
     domain: null,
     _events: {},
     _eventsCount: 0,
     _maxListeners: undefined,
     _level: 30,
     streams: [ [Object] ],
     serializers: null,
     src: false,
     fields: 
      { name: 'ldapjs',
        component: 'client',
        hostname: 'wekan-14-b6slr',
        pid: 1 } } } 
[INFO] LDAP connected 
[INFO] Binding UserDN "uid=svc-wekan,cn=sysaccounts,cn=etc,dc=acme,dc=org"
[INFO] Searching user "pcurie"
[DEBUG] searchOptions {
  "filter": "(&(uid=pcurie))",
  "scope": "sub",
  "sizeLimit": 0
}
[DEBUG] BaseDN "cn=users,cn=accounts,dc=acme,dc=org"
[INFO] Search result count 1
[INFO] Authenticating "uid=pcurie,cn=users,cn=accounts,dc=acme,dc=org"
[INFO] Authenticated "uid=pcurie,cn=users,cn=accounts,dc=acme,dc=org"
[DEBUG] Identifying user with: uid 
[INFO] Querying user 
[DEBUG] userQuery {
  "services.ldap.id": "706175637572"
}
[DEBUG] userQuery {
  "username": "pcurie"
}
[INFO] User does not exist, creating "pcurie"
[DEBUG] Identifying user with: uid 
[DEBUG] Mapping field cn -> name 
[DEBUG] user.name changed to: Paul CURIE 
[DEBUG] Mapping field mail -> email 
[DEBUG] Identifying user with: uid 
[DEBUG] New user data {
  "username": "pcurie",
  "email": {
    "type": "Buffer",
    "data": [
      112,
      97,
      117,
      99,
      117,
      114,
      64,
      119,
      111,
      114,
      116,
      101,
      107,
      115,
      46,
      99,
      111,
      109
    ]
  }
}
[ERROR] Error creating user {
  "message": "Match error: Expected string, got object in field email",
  "path": "email",
  "sanitizedError": {
    "isClientSafe": true,
    "error": 400,
    "reason": "Match failed",
    "message": "Match failed [400]",
    "errorType": "Meteor.Error"
  },
  "errorType": "Match.Error"
}
Exception while invoking method 'login' Error: Match error: Expected string, got object in field email
    at exports.check (packages/check.js:55:15)
    at createUser (packages/accounts-password/password_server.js:1028:3)
    at AccountsServer.Accounts.createUser (packages/accounts-password/password_server.js:1123:10)
    at addLdapUser (packages/wekan:wekan-ldap/server/sync.js:277:31)
    at DDPCommon.MethodInvocation.<anonymous> (packages/wekan:wekan-ldap/server/loginHandler.js:159:18)
    at packages/accounts-base/accounts_server.js:468:32
    at tryLoginMethod (packages/accounts-base/accounts_server.js:245:14)
    at AccountsServer.Ap._runLoginHandlers (packages/accounts-base/accounts_server.js:465:18)
    at DDPCommon.MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:528:27)
    at packages/check.js:128:16
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
    at Object._failIfArgumentsAreNotAllChecked (packages/check.js:127:41)
    at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1765:18)
    at DDP._CurrentMethodInvocation.withValue (packages/ddp-server/livedata_server.js:719:19)
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1186:15)
    at DDPServer._CurrentWriteFence.withValue (packages/ddp-server/livedata_server.js:717:46)
Sanitized and reported to the client as: Match failed [400]

[INFO] Idle 
[INFO] Disconecting 
[INFO] Closed

Thank you

@sophieqc
Author

As a workaround, you can remove the "LDAP_EMAIL_FIELD" variable from your env, and Wekan lets you log in.

@stevenpwaters
Contributor

Interesting - is that the only change you made to get it working?

I can't see how removing the environment variable fixes the issue.

@sophieqc
Author

Indeed, sorry I wasn't careful enough in my tests.

What actually made it work was setting "LDAP_SYNC_USER_DATA_FIELDMAP" from {"displayName":"name","mail":"email"} to {"displayName":"name"}.

So it seems related to sync functions.

@stevenpwaters
Contributor

Yes, that makes sense considering it will no longer attempt to sync email address.

Out of interest, could you expand a bit on the multiple mail attributes? Do you have multiple attributes for the user with the same name (i.e. more than one "email" attribute) or is it a multi valued attribute?

Seeing an example LDAP user entry would be helpful.

@sophieqc
Author

sophieqc commented Mar 15, 2019

It is a multi-valued attribute for a single user; in LDIF format it would look like:

mail: [email protected]
mail: [email protected]

@sophieqc sophieqc changed the title LDAP Login fails when user has multiple mail attributes LDAP sync fails when user has multiple mail attributes Mar 21, 2019
@xet7 xet7 transferred this issue from wekan/ldap Apr 20, 2019
@xet7 xet7 transferred this issue from wekan/wekan Jan 8, 2020