Open ViViDboarder opened 2 years ago
@Rufmord To be clear, these users have the email field present, but it is blank, correct? I’ve already got an integration test for missing fields but not an empty field.
Actually, thinking more about this, since this is really failing on the Vaultwarden side we’re not going to be able to validate every address (some invalid but non-blank). Perhaps logging all failed Vaultwarden calls and not crashing is the best course of action.
Correct, here is an example: (made with ldapsearch on CLI)
```
dn: cn=ak-outpost-id,ou=users,dc=ldap,dc=domain,dc=tld
goauthentik.io/user/service-account: true
goauthentik.io/user/override-ips: true
displayName: Outpost LDAP Outpost Service-Account
objectClass: user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: goauthentik.io/ldap/user
goauthentik.io/ldap/active: true
cn: ak-outpost-id
sAMAccountName: ak-outpost-id
uidNumber: id
gidNumber: id
goauthentik.io/ldap/superuser: false
uid: id
name: Outpost LDAP Outpost Service-Account
mail:
```
I do not have the logs of vaultwarden any more, but the error was 500 on /admin/invite. Vaultwarden should also return an error message that the mail is empty.
Additional information for someone who tries to achieve the same as I. The invite of the users can fail with the following message:
This is caused because authentik has users for the outposts as service accounts. Those are sent if a search query from vaultwarden_ldap is done. These service users have an empty mail field. So the vaultwarden_ldap fails to send new invites, because the mail is empty. I fixed this by editing the `search_filter` to check for empty mails: `ldap_search_filter = "(&(objectClass=user)(mail=*@*))"`. This works now.

@ViViDboarder To prevent this error and crash of the whole program, could you add a check if the mail is empty in the function `invite_from_ldap` to simply go further and log it.

_Originally posted by @Rufmord in https://github.com/ViViDboarder/vaultwarden_ldap/issues/99#issuecomment-1254264535_
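
The handling discussed in this thread (skip entries whose mail is missing or blank, log a failed invite call and carry on with the rest), as an added Rust example that is not vaultwarden_ldap's own code. `Entry`, `Summary`, `invite_all` and the sample entries are hypothetical, and the `invite` closure stands in for the request to `/admin/invite`.

```rust
// Added illustration; not code from vaultwarden_ldap. All names are hypothetical.

/// Minimal stand-in for one LDAP search result.
pub struct Entry {
    pub dn: String,
    pub mail: Option<String>, // None = attribute missing, Some("") = present but blank
}

#[derive(Debug, Default, PartialEq)]
pub struct Summary {
    pub invited: Vec<String>,
    pub skipped: Vec<String>,          // DNs with no usable mail value
    pub failed: Vec<(String, String)>, // (email, error) from the invite call
}

/// Invite every entry that has a non-blank mail value. A failed invite is
/// logged and recorded; it never aborts the rest of the batch.
pub fn invite_all<F>(entries: &[Entry], mut invite: F) -> Summary
where
    F: FnMut(&str) -> Result<(), String>,
{
    let mut summary = Summary::default();
    for entry in entries {
        let email = entry.mail.as_deref().map(str::trim).unwrap_or("");
        if email.is_empty() {
            eprintln!("skipping {}: mail missing or blank", entry.dn);
            summary.skipped.push(entry.dn.clone());
            continue;
        }
        match invite(email) {
            Ok(()) => summary.invited.push(email.to_string()),
            Err(err) => {
                eprintln!("invite failed for {}: {}", email, err);
                summary.failed.push((email.to_string(), err));
            }
        }
    }
    summary
}

fn main() {
    // Constructed sample data modelled on the service-account entry above.
    let entries = vec![
        Entry { dn: "cn=ak-outpost-id,ou=users,dc=ldap,dc=domain,dc=tld".into(), mail: Some(String::new()) },
        Entry { dn: "cn=alice,ou=users,dc=ldap,dc=domain,dc=tld".into(), mail: Some("alice@domain.tld".into()) },
    ];
    let summary = invite_all(&entries, |_email| Ok(()));
    println!("{:?}", summary);
}
```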