nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: LDAP Advanced > Special attributes > email field should take first "email shaped" value, not first value of LDAP answer. #49177

Open Thatoo opened 2 weeks ago

Thatoo commented 2 weeks ago

Bug description

In LDAP Advanced > Special attributes > email field we enter "maildrop", a multi-value LDAP attribute. In our system (yunohost), the first value of this multi-value LDAP attribute is (it's mandatory) the username (the Linux local username), and then in the second value come the transfer email addresses. Nextcloud takes the first value without testing if this value has the shape of an email address, so in Nextcloud users have their username in their email field instead of their email address.

Steps to reproduce

  1. Put a multi-value LDAP attribute in LDAP Advanced > Special attributes > email
  2. Nextcloud retrieves the first value
  3. This first value doesn't have the shape of an email address
  4. The Nextcloud user's email field is filled with a value that doesn't have the shape of an email address (their username)

Expected behavior

Nextcloud should check if the first value of the multi-value LDAP attribute in LDAP Advanced > Special attributes > email field has the shape of an email address. If yes, it takes it; if no, it checks the second value. If the second value has the shape of an email address, it takes it; if not, the third, and so on. If none of the values has the shape of an email address, it either fills the field with :

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.3

Web server

Nginx

Database engine version

PostgreSQL

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "nc.zyuno.local"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.7.1",
        "overwrite.cli.url": "https:\/\/nc.zyuno.local\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "logfile": "\/var\/log\/nextcloud__2\/nextcloud.log",
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "updatechecker": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "integrity.check.disabled": true,
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": "6379",
            "timeout": "0.0",
            "password": "***REMOVED SENSITIVE VALUE***"
        },
        "hashing_default_password": true,
        "localstorage.allowsymlinks": true,
        "simpleSignUpLink.shown": false,
        "maintenance_window_start": 1,
        "mail_smtpmode": "smtp",
        "mail_smtpport": "25",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpstreamoptions": {
            "ssl": {
                "allow_self_signed": true,
                "verify_peer": false,
                "verify_peer_name": false
            }
        },
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "logout_url": "https:\/\/zyuno.local\/yunohost\/sso\/?action=logout&r=aHR0cHM6Ly9uYy56eXVuby5sb2NhbC8="
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.1
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.1
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - firstrunwizard: 2.18.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.1
  - password_policy: 1.19.0
  - photos: 2.5.0
  - picker: 1.0.11
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - recommendations: 2.1.0
  - related_resources: 1.4.0
  - riotchat: 0.18.3
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - support: 1.12.0
  - survey_client: 1.17.0
  - systemtags: 1.19.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - user_ldap: 1.20.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - encryption: 2.17.0
  - suspicious_login: 7.0.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1 (installed 1.19.1)

Nextcloud Signing status

Nextcloud Logs

Additional info

No response
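The selection rule requested under "Expected behavior", as an added example that is not part of the original report and not Nextcloud's code: walk the values of a multi-valued attribute and keep the first one that validates as an email address. `firstEmailShapedValue` is a hypothetical helper, the sample data is constructed, and leaving the field unset when nothing matches is an assumption, since the report is cut off at that point.

```php
<?php
declare(strict_types=1);

/**
 * Return the first value of a multi-valued LDAP attribute that has the
 * shape of an email address, or null when none does.
 *
 * Hypothetical helper for illustration; not a Nextcloud function.
 *
 * @param mixed $values values returned for one attribute of one entry
 */
function firstEmailShapedValue($values): ?string {
    if (!is_array($values)) {
        $values = [$values];
    }
    foreach ($values as $key => $value) {
        // PHP's ldap_get_entries() adds a "count" element; skip it and any non-string.
        if ($key === 'count' || !is_string($value)) {
            continue;
        }
        $candidate = trim($value);
        // filter_var() returns the value on success and false otherwise.
        if (filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false) {
            return $candidate;
        }
    }
    return null;
}

// Constructed sample data modelled on the report: username first, then addresses.
$samples = [
    'yunohost-style maildrop' => ['count' => 2, 0 => 'alice', 1 => 'alice@example.org'],
    'single valid value'      => ['bob@example.org'],
    'no email-shaped value'   => ['carol', 'not an address'],
    'empty attribute'         => [],
];

foreach ($samples as $label => $values) {
    $email = firstEmailShapedValue($values);
    // Assumption: with no match, leave the email unset instead of storing the username.
    printf("%-26s => %s\n", $label, $email ?? '(none: leave email unset and log)');
}
```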

joshtrichards commented 1 week ago

This sounds like an enhancement request rather than a bug. :-) Seems odd to be provided with a multi-value attribute that contains different types of values.

Thatoo commented 1 week ago

Well, Nextcloud having a while loop on all values of an LDAP attribute would be an enhancement request, but Nextcloud not checking if the value given by LDAP has or hasn't the shape of an email is a bug, so I hesitate between both.

I don't mind if you change it to enhancement, but I think it needs some care, and working on both the enhancement and the bug at the same time won't take much more work than just the bug part (checking the value has the shape of an email).

Thatoo commented 1 week ago

I've made a PR to solve this issue and enhance Nextcloud: https://github.com/nextcloud/server/pull/49316