Existing accounts cannot be merged when the email address obtained from LDAP has uppercase characters. #81

Open
njpaul opened this issue May 19, 2020 · 2 comments · Fixed by #82


njpaul commented May 19, 2020

I've been asked to integrate Wekan with our company's Active Directory. I'm unable to merge existing users.

The error I am getting is

wekan_1    | [DEBUG] Identifying user with: objectGUID
wekan_1    | [INFO] Querying user
wekan_1    | [DEBUG] userQuery {
wekan_1    |   "services.ldap.id": "da4a9f103466e34baa9e40bd34280c29"
wekan_1    | }
wekan_1    | [DEBUG] userQuery {
wekan_1    |   "_id": "last.f",
wekan_1    |   "emails.0.address": "[email protected]"
wekan_1    | }
wekan_1    | [INFO] No user exists with username "last.f"
wekan_1    | [DEBUG] userQuery {
wekan_1    |   "emails.0.address": "[email protected]"
wekan_1    | }
wekan_1    | [INFO] User does not exist, creating "last.f"
wekan_1    | [DEBUG] Identifying user with: objectGUID
wekan_1    | [DEBUG] Identifying user with: objectGUID
wekan_1    | [DEBUG] New user data {
wekan_1    |   "username": "last.f",
wekan_1    |   "email": "[email protected]"
wekan_1    | }
wekan_1    | [ERROR] Error creating user {
wekan_1    |   "isClientSafe": true,
wekan_1    |   "error": 403,
wekan_1    |   "reason": "Email already exists.",
wekan_1    |   "message": "Email already exists. [403]",
wekan_1    |   "errorType": "Meteor.Error"
wekan_1    | }

The user names are in the format <last>.<first initial>, and the email is <first initial>.<last>. The email addresses stored in Active Directory use uppercase letters for the first initial and the first letter of the last name. It turned out that this is an issue.

When non-LDAP users are created in Wekan, it appears the email address is converted to lowercase. When merging an LDAP account with an existing account, the email address is used to match the accounts. However, the email address retrieved from Active Directory is not converted to lowercase before calling Meteor.users.findOne. Since the match failed, Wekan attempts to create a new user, using the lowercase version of the email address, which fails because the email already exists.

I think all that's needed to fix this issue is to convert the email address to lowercase when creating the query that gets fed into Meteor.users.findOne.

To confirm this was the issue, I manually modified the database entry for an existing user's email address to make it match the case of the Active Directory entry. After doing that I was able to successfully log in using the LDAP credentials, and the logs indicated the accounts were merged. This will be my workaround until the actual issue is fixed.

While tracing this issue I came across a very minor secondary issue. The log message log_info('No user exists with username', username, '- attempting to find by e-mail address instead'); is not fully written. The third argument, starting with - attempting..., is not written. That argument to log_info is lost since the underlying log function only accepts two arguments in addition to level.

My day is done, but I'll try to set up a development environment and fix the issues tomorrow, unless someone wants to beat me to it.
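
The lookup mismatch described in the comment above, as an added example that is not part of the original issue and not wekan-ldap code: an in-memory store stands in for the user collection, and every function name, the `normalize` switch, and the sample addresses are assumptions made for illustration.

```javascript
// Added illustration, not wekan-ldap code; every name below is hypothetical.
const users = [];
// Constructed sample: a local account whose email was lowercased at signup.
const seed = () => users.splice(0, users.length,
  { _id: 'u1', username: 'last.f', emails: [{ address: 'f.last@example.com' }], services: {} });

// Exact-match lookup over dotted paths, standing in for a case-sensitive query.
function findOne(query) {
  return users.find((u) => Object.entries(query).every(([path, want]) =>
    path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), u) === want)) || null;
}

// Assumed behaviour, per the issue: creation lowercases and rejects duplicates.
function createUser({ username, email }) {
  const address = email.toLowerCase();
  if (findOne({ 'emails.0.address': address })) {
    throw Object.assign(new Error('Email already exists. [403]'), { error: 403 });
  }
  const user = { _id: `u${users.length + 1}`, username, emails: [{ address }], services: {} };
  users.push(user);
  return user;
}

// Canonical form for matching; assumes the whole address is case-insensitive.
const canonicalEmail = (email) => String(email).trim().toLowerCase();

// Link an LDAP identity to an existing account by email, or create an account.
function loginWithLdap(ldapUser, normalize) {
  const byId = findOne({ 'services.ldap.id': ldapUser.id });
  if (byId) return { action: 'login', user: byId };
  const address = normalize ? canonicalEmail(ldapUser.email) : ldapUser.email;
  const existing = findOne({ 'emails.0.address': address });
  if (existing) {
    existing.services.ldap = { id: ldapUser.id };
    return { action: 'merged', user: existing };
  }
  return { action: 'created', user: createUser(ldapUser) };
}

function demo() {
  seed();
  // Constructed directory entry; mixed-case email as the issue describes.
  const ldapUser = { id: 'constructed-guid', username: 'last.f', email: 'F.Last@example.com' };
  let before;
  try { before = loginWithLdap(ldapUser, false).action; } catch (e) { before = `error ${e.error}`; }
  const after = loginWithLdap(ldapUser, true).action; // lookup lowercased first
  const again = loginWithLdap(ldapUser, true).action; // now found by LDAP id
  return { before, after, again, count: users.length };
}

console.log(demo());
```

Without normalization the lookup misses and creation fails with 403; with it the existing account is linked once and later logins match on the LDAP id, leaving a single account.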

Member

xet7 commented May 19, 2020

@njpaul

You are welcome to send a pull request. Some development info is here: wekan/wekan#3071 (comment)

Member

xet7 commented Jun 26, 2024

Some problems: #82 (comment)
