Open pascalgross opened 4 years ago
Syncing usernames is working for me, but syncing e-mail addresses does not work (yet) with the following settings with UCS LDAP. Therefore I think it's a configuration issue.
LDAP_ENABLE=true
LDAP_PORT=7636
LDAP_HOST=ucs.example.com
LDAP_BASEDN=cn=users,dc=example,dc=com
LDAP_LOGIN_FALLBACK=true
LDAP_RECONNECT=true (default value)
LDAP_TIMEOUT=10000 (default value)
LDAP_IDLE_TIMEOUT=10000 (default value)
LDAP_CONNECT_TIMEOUT=10000 (default value)
LDAP_AUTHENTIFICATION=true
LDAP_AUTHENTIFICATION_USERDN=uid=wekan,cn=users,dc=example,dc=com
LDAP_AUTHENTIFICATION_PASSWORD=SECRET
LDAP_LOG_ENABLED=true
LDAP_BACKGROUND_SYNC=true
LDAP_BACKGROUND_SYNC_INTERVAL= (default value)
LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED=true
LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS=true
LDAP_ENCRYPTION=ssl
LDAP_CA_CERT= (default value)
LDAP_REJECT_UNAUTHORIZED=true
LDAP_USER_AUTHENTICATION=true
LDAP_USER_AUTHENTICATION_FIELD=uid (default value)
LDAP_USER_SEARCH_FILTER=(&(memberOf=cn=Domain Users,cn=groups,dc=example,dc=com))
LDAP_USER_SEARCH_SCOPE= (default value)
LDAP_USER_SEARCH_FIELD=uid
LDAP_SEARCH_PAGE_SIZE=0 (default value)
LDAP_SEARCH_SIZE_LIMIT=0 (default value)
LDAP_GROUP_FILTER_ENABLE=false (default value)
LDAP_GROUP_FILTER_OBJECTCLASS= (default value)
LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE= (default value)
LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE= (default value)
LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT= (default value)
LDAP_GROUP_FILTER_GROUP_NAME= (default value)
LDAP_UNIQUE_IDENTIFIER_FIELD= (default value)
LDAP_UTF8_NAMES_SLUGIFY=true (default value)
LDAP_USERNAME_FIELD=uid
LDAP_FULLNAME_FIELD=displayName
LDAP_MERGE_EXISTING_USERS=false (default value)
LDAP_SYNC_USER_DATA=true
LDAP_SYNC_USER_DATA_FIELDMAP={
"mailPrimaryAddress": "email",
"uid": "name"
}
LDAP_SYNC_GROUP_ROLES= (default value)
LDAP_DEFAULT_DOMAIN=example.com
LDAP_EMAIL_MATCH_ENABLE=true
LDAP_EMAIL_MATCH_REQUIRE=true
LDAP_EMAIL_MATCH_VERIFIED=true
LDAP_EMAIL_FIELD=mailPrimaryAddress
LDAP_SYNC_ADMIN_STATUS= (default value)
LDAP_SYNC_ADMIN_GROUPS= (default value)
Are we talking about usernames (logon name) or the user's name (FullName, cn, DisplayName, ...)? I'm talking about the 'Full Name' displayed if you go to 'Edit Profile'.
What makes you think that it's a configuration problem when you are unable to sync the mail address?
I was talking about the full name. But I realized that it is being synced during the login process, but not during the interval sync. Therefore I'm stuck at the same problem you're at.
Ah okay, good to know. With my configuration, the full name is not even synced at login.
I'm not really able to find any issues in the configuration so far. I think I need either more detailed debug messages or more documentation. My gut feeling right now is that the association of Wekan users to LDAP users is not working in the sync process. This could be due to wrong configuration parameters or a bug.
*edit: I also see an [INFO] Searching by id "7365656265727376". This looks like a Wekan internal ID to me, as it does not appear anywhere in my LDAP directory. Why should it be used to search for a user?
The id is a parameter for the function in which the log line is created: getUserByIdSync(id, attribute). The function is only called in one place: ldapUser = ldap.getUserByIdSync(user.services.ldap.id, user.services.ldap.idAttribute); The value for user.services.ldap.id seems to be associated with Unique_Identifier_Field. In my case the field is empty in the config. Changing it to entryUUID does not help. Any advice?
*edit2: This id seems to get longer and longer for each new user created in Wekan. The latest user has an ID with 42 digits.
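The two steps this thread keeps circling, parsing LDAP_SYNC_USER_DATA_FIELDMAP and re-associating an existing local user with its directory entry through the stored (id, idAttribute) pair before any field is updated, as an added, stand-alone Python model. It is neither Wekan's code nor either reporter's configuration: the in-memory directory entries, the local user records, the sync_users function and its unique_id_field parameter (standing in for LDAP_UNIQUE_IDENTIFIER_FIELD) are constructed assumptions about how such a sync behaves. They let a practitioner check offline that the field map is valid JSON and that every local user's stored identifier actually matches a directory entry, which is exactly the situation in which a background sync silently updates nothing.

```python
"""Model of a field-mapped LDAP -> application background sync.

Constructed example, not Wekan's code. It simulates the two steps the thread
is chasing, so they can be exercised offline against an in-memory directory:
  1. the field-map setting must parse as JSON, or nothing is mapped;
  2. every existing local user is re-associated with its directory entry by
     (id, idAttribute), and a lookup that matches nothing means no update.
"""
import json

# Constructed directory entries standing in for LDAP search results.
DIRECTORY = [
    {"entryUUID": "1f0c5a2e-0001", "uid": "alice", "displayName": "Alice Example",
     "mailPrimaryAddress": "alice@example.com"},
    {"entryUUID": "1f0c5a2e-0002", "uid": "bob", "displayName": "Bob Example",
     "mailPrimaryAddress": "bob@example.com"},
]

# Constructed local user records; services.ldap mirrors the (id, idAttribute)
# pair assumed to be stored when the account was first created at login.
LOCAL_USERS = [
    {"username": "alice", "name": "Alice (stale)", "email": None,
     "services": {"ldap": {"id": "1f0c5a2e-0001", "idAttribute": "entryUUID"}}},
]


def parse_fieldmap(raw):
    """Parse the field-map setting; return ({}, error) instead of raising."""
    try:
        mapping = json.loads(raw)
    except json.JSONDecodeError as exc:
        return {}, f"field map is not valid JSON: {exc.msg} at position {exc.pos}"
    if not isinstance(mapping, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in mapping.items()
    ):
        return {}, "field map must be a JSON object mapping strings to strings"
    return mapping, None


def find_entry(directory, attribute, value):
    """Look up one entry by attribute value; an empty attribute never matches."""
    if not attribute:
        return None
    for entry in directory:
        if entry.get(attribute) == value:
            return entry
    return None


def sync_users(directory, local_users, fieldmap, username_field="uid",
               unique_id_field="", import_new=True):
    """Update existing users through the field map and import unknown ones.

    unique_id_field is the attribute recorded for newly imported accounts so
    that later syncs can find them again; it falls back to username_field
    when empty (an assumption of this model). Returns (users, unmatched).
    """
    id_field = unique_id_field or username_field
    result = [dict(u) for u in local_users]   # top-level copies; originals untouched
    unmatched = []
    for user in result:
        link = user["services"]["ldap"]
        entry = find_entry(directory, link.get("idAttribute"), link.get("id"))
        if entry is None:
            unmatched.append(user["username"])   # stale link: nothing is updated
            continue
        for ldap_attr, local_field in fieldmap.items():
            if ldap_attr in entry:
                user[local_field] = entry[ldap_attr]
    if import_new:
        known = {u["username"] for u in result}
        for entry in directory:
            username = entry.get(username_field)
            if username is None or username in known:
                continue
            new_user = {"username": username,
                        "services": {"ldap": {"id": entry.get(id_field),
                                              "idAttribute": id_field}}}
            for ldap_attr, local_field in fieldmap.items():
                if ldap_attr in entry:
                    new_user[local_field] = entry[ldap_attr]
            result.append(new_user)
            known.add(username)
    return result, unmatched


if __name__ == "__main__":
    fieldmap, err = parse_fieldmap('{"mailPrimaryAddress": "email", "uid": "name"}')
    assert err is None, err
    users, unmatched = sync_users(DIRECTORY, LOCAL_USERS, fieldmap,
                                  unique_id_field="entryUUID")
    for u in users:
        print(u["username"], u.get("name"), u.get("email"))
    print("unmatched:", unmatched)
```

Running the model with an empty idAttribute on the local record reproduces the symptom from the thread: the user lands in the unmatched list and keeps its stale name and e-mail, while the same entry is imported as a new account if import_new is on. The parse_fieldmap check is worth running against the literal value of the environment variable before blaming the sync itself, since a field map that is not valid JSON maps no attributes at all.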
I'm using docker-compose with the following file
The LDAP login works as expected, but the user data (full name) is not synced. The log shows the following:
Am I doing anything wrong or is it a bug?