Crivaledaz / Mattermost-LDAP

This module provides an external LDAP authentication in Mattermost for the Team Edition (free).
MIT License

Could not parse auth data out of gitlab user object #100

Closed MinePro120 closed 1 year ago

MinePro120 commented 1 year ago

Issue

Hello! I recently decided to update from commit 122e7138e7de7c5941f7c243e0319a9223b09d6c to the current version. First, I compared the config examples between the 2 versions and they were the same, so I just copied my old configs to the new version. Mattermost did not need any further configuration (I didn't need to alter the db as there was no "Configurations" table on MySQL, and the config.json did not require any further changes). After that, I only replaced the oauth folder and the oauth.conf on nginx. The authentication worked fine, but upon trying to log in to Mattermost after submitting credentials, Mattermost complains "Could not parse auth data out of gitlab user object".

Solutions I tried

System details

Notes

I suppose it has something to do with the Mattermost version since 7.x.x is not supported according to the README, but since an older version works fine, I figured you should know that.

Crivaledaz commented 1 year ago

Hi,

I can confirm Mattermost-LDAP is working with Mattermost 7.X.X. I ran the Demo/docker-compose.yaml from e7efc7d with Mattermost v7.5.2. Since it works on a fresh install, I don't think the issue is linked to Mattermost version.

If you remove the users table from the Oauth database, you erase the correspondence between user_id and username. This table can be recreated by the init script, but it will be empty, since this table is filled in each time a new user connects through the Oauth server.

Thus, once the table has been erased, the next time you log on to Oauth, it will create a new entry with a new user_id for your username. So the data sent to Mattermost will contain the new ID with the user's data. On its side, Mattermost fails to parse the data as there is already a user in its database, with the same username and same email, but the previous ID. The user_id does not match and two different users cannot have the same email.

To check if the problem comes from this point, you can look at the ID stored for your user in the Mattermost database, and create the corresponding entry in the users table in the Oauth database, with the following SQL command:

INSERT INTO users (id, username) VALUES ('<MATTERMOST_USER_ID>', '<USERNAME>');

Let me know if it solves your issue,

Regards

MinePro120 commented 1 year ago

Initially I tried without creating a new db and that didn't work either. Creating a new db was only done as a troubleshooting step.

MinePro120 commented 1 year ago

I believe that 2a775074b934422a4da7c14557e35e40e80e0cac might be the issue. It may work on a fresh installation, but updating older versions of the script might break compatibility.

Crivaledaz commented 1 year ago

You can try to retrieve the data manually with cURL, to check if the returned data is valid.

To do that, you will need the access_token used by Mattermost to get the user's data from the Oauth server. This token can be found in the Oauth database in the oauth_access_token table.

First, try to authenticate on Mattermost using the Mattermost-LDAP method, even if this will fail. This will trigger the creation of the access_token in the database.

Connect to the Oauth database and get the last access_token. You can check the expiry date to be sure a token has been generated.

SELECT * FROM oauth_access_tokens;

With the retrieved access token, use the following cURL to get the user's data:

curl --header "Authorization: Bearer <ACCESS_TOKEN>" http://<OAUTH_SERVER>/oauth/resource.php

Replace <ACCESS_TOKEN> with the token retrieved, and <OAUTH_SERVER> with the oauth server hostname. You should get an output like this:

{"id":1,"name":"John DOE","username":"jdoe","state":"active","avatar_url":"","web_url":"","created_at":"0000-00-00T00:00:00.000Z","bio":null,"location":null,"skype":"","linkedin":"","twitter":"","website_url":"","organization":null,"last_sign_in_at":"0000-00-00T00:00:00.000Z","confirmed_at":"0000-00-00T00:00:00.000Z","last_activity_on":null,"email":"john.doe@example.com","theme_id":1,"color_scheme_id":1,"projects_limit":100000,"current_sign_in_at":"0000-00-00T00:00:00.000Z","identities":[{"provider":"ldapmain","extern_uid":"John DOE"}],"can_create_group":true,"can_create_project":true,"two_factor_enabled":false,"external":false,"shared_runners_minutes_limit":null}

Note: Access tokens expire after 30 seconds for security purposes.

Data returned by the Oauth server must match the data stored in the users table of the Mattermost database for this user.
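An added diagnostic helper (my own code, not part of Mattermost-LDAP or Mattermost) that applies the checks from this comment and the earlier one offline: it rejects the error object resource.php returns when an LDAP attribute cannot be read, verifies the fields Mattermost needs are present, and compares the Oauth user object with the row Mattermost already holds to surface the user_id mismatch described above. The Mattermost Users column names AuthData, Username and Email, the function names, and all sample values are assumptions or constructed for this example.

```python
import json

# Fields Mattermost reads from the gitlab-style user object; all must be present.
REQUIRED = ("id", "username", "email")

# Constructed sample: a trimmed copy of the resource.php output shown in this thread.
SAMPLE_OK = ('{"id":1,"name":"John DOE","username":"jdoe","state":"active",'
             '"email":"john.doe@example.com"}')
# Constructed sample: the error object resource.php returns when ldap_get_values fails.
SAMPLE_ERR = ('{"error":"Impossible to get data","message":"An error has occured '
              'during ldap_get_values execution (mail)."}')
# Constructed sample: the matching row from Mattermost's Users table
# (column names AuthData/Username/Email assumed; AuthData holds the Oauth id as text).
SAMPLE_MM_USER = {"Id": "constructed-mattermost-id", "AuthData": "1",
                  "Username": "jdoe", "Email": "john.doe@example.com"}


def parse_resource(body: str) -> dict:
    """Parse a resource.php response body; raise if it is an error object
    or lacks a field Mattermost requires (e.g. a missing mail attribute)."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError("Oauth server error: " + str(data.get("message", data["error"])))
    missing = [k for k in REQUIRED if not data.get(k)]
    if missing:
        raise ValueError("user object lacks required field(s): " + ", ".join(missing))
    return data


def compare_with_mattermost(resource: dict, mm_user: dict) -> list:
    """Return human-readable mismatches between the Oauth user object and the
    Mattermost Users row; an empty list means the two records agree."""
    problems = []
    if str(resource["id"]) != str(mm_user["AuthData"]):
        problems.append(f"id mismatch: Oauth returned id {resource['id']} "
                        f"but Mattermost stores AuthData {mm_user['AuthData']}")
    if resource["username"] != mm_user["Username"]:
        problems.append(f"username mismatch: {resource['username']} vs {mm_user['Username']}")
    # Email comparison is case-insensitive; Mattermost treats addresses as unique.
    if resource["email"].lower() != mm_user["Email"].lower():
        problems.append(f"email mismatch: {resource['email']} vs {mm_user['Email']}")
    return problems


def repair_sql(resource: dict, mm_user: dict) -> str:
    """Build the INSERT proposed earlier in this thread, re-creating the Oauth
    users row under the id Mattermost already knows (single quotes doubled)."""
    uid = str(mm_user["AuthData"]).replace("'", "''")
    name = resource["username"].replace("'", "''")
    return f"INSERT INTO users (id, username) VALUES ('{uid}', '{name}');"
```

Feed the real resource.php body and the real Users row into the same two functions; the INSERT is only meaningful when the sole mismatch reported is the id.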

MinePro120 commented 1 year ago

I get this:

{"error":"Impossible to get data","message":"An error has occured during ldap_get_values execution (mail). Please check parameter of LDAP\/getData."}

MinePro120 commented 1 year ago

My fault, my LDAP object has no "mail" attribute, it rather uses "email" :sweat_smile:.

GloriamSemper commented 8 months ago

My fault, my LDAP object has no "mail" attribute, it rather uses "email" 😅.

This was frustrating me to all hell that some users were getting this error. Thank you for sharing your solution!

Do you know if there is a way to auto create email addresses with a placeholder (we don't use email notifications), or a way to have mattermost ignore the email field?