LDAP attribute workarounds for on-the-fly user creation?

Added by Steve O over 11 years ago

Hello helpful forum people,

So, I have a Redmine configuration set up with LDAP authentication, and I am having a bit of trouble with on-the-fly user creation in this sort of setup. In the Active Directory I am working with, not every user has the "mail" attribute (which lists the user's e-mail address). About 20% of the users do not have it, which causes problems for on-the-fly user creation.

Specifically, whenever a user account lacks this attribute and they try to log into Redmine (using on-the-fly user creation to create their account), they get a 404 error page with Redmine saying: "The page you were trying to access doesn't exist or has been removed."

I think this may be expected behavior, but it is unclear. For example, on the RedmineLDAP wiki page (http://www.redmine.org/projects/redmine/wiki/RedmineLDAP), it reads: "For example, on-the-fly user creation won't work if you don't have valid email adresses in your directory (you will get an 'Invalid username/password' error message when trying to log in)."

However, this is immediately followed by: "(This is not true with newer Redmine versions; the user creation dialog is populated with everything it can find from the LDAP server, and asks the new user to fill in the rest.)" But Redmine does not seem to be asking the user to fill in this information. It just returns a 404 error, not even saying "Invalid username/password."

The domain administrator is very unhelpful, so it is unlikely that I will be able to get him to add the missing "mail" attribute to the appropriate LDAP records. So, I am looking for a workaround.

I have a few (hopefully) helpful resources in the LDAP attributes themselves that may lend to some possible solutions...

  1. Using sAMAccountName: First of all, the user login name (for me, it's "steve") is also the username for the e-mail address (). (The LDAP attribute for login name is sAMAccountName.) So, if there were any way to append "@domain.com" onto the e-mail field while using sAMAccountName, then we would have our solution. Is there any way to do this?
  2. Using userPrincipalName: If this is not possible, I have another LDAP attribute for every user called userPrincipalName. For all users, this is just their e-mail address but ".com" is replaced with ".local"--so, for example, mine is "". Is there any way to use this and replace ".local" with ".com" to use as an e-mail address?
  3. Ask the user: Is there any way to actually just enable Redmine asking the user for their e-mail address when they attempt on-the-fly account creation? Reading the wiki, it seems like this feature may have existed at one point, and is possibly just broken for me.

I am using a fairly fresh copy of Redmine 2.1.0 on a Bitnami stack running Ubuntu 12.04. So whatever the defaults are for that configuration, that's what I'm using.

Here are my LDAP authentication settings:

Any assistance would be greatly appreciated.

Thanks,
-Steve
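The three workarounds listed in the post above (take "mail" if present, otherwise sAMAccountName plus a fixed domain, otherwise userPrincipalName with ".local" rewritten to ".com", and finally fall back to asking the user) can be written as one fallback chain. The block below is an added example, not Redmine's code and not something posted in this thread; it is a stand-alone helper and is not wired into Redmine's AuthSourceLdap. MAIL_DOMAIN, INTERNAL_SUFFIX, PUBLIC_SUFFIX and the sample entries are assumptions, and the entry is assumed to be a plain Hash of attribute name to value array, as an LDAP library hands it back. One point a security reviewer would raise is built in: a derived address is unverified and is written straight into outgoing notification headers, so the local part and domain are checked against a conservative pattern and anything else (for example a name containing a newline) is refused rather than repaired.

```ruby
# Added example (not Redmine's code, not from the thread): derive a fallback
# e-mail address for on-the-fly user creation when the AD entry has no "mail".
# Order mirrors the options in the post:
#   1. use "mail" when present
#   2. else sAMAccountName + "@" + MAIL_DOMAIN
#   3. else userPrincipalName with its ".local" suffix rewritten to ".com"
# Returns nil when nothing usable exists, so the caller can fall back to
# asking the user for the address instead.

MAIL_DOMAIN     = "domain.com"  # assumption: the organisation's public mail domain
INTERNAL_SUFFIX = ".local"      # assumption: AD realm suffix seen in UPNs
PUBLIC_SUFFIX   = ".com"

# Conservative local-part / domain check. sAMAccountName may contain
# characters that are not valid in an address, and a derived address ends
# up in mail headers, so anything outside this set is refused, not "fixed".
LOCAL_PART_RE = /\A[a-z0-9][a-z0-9._-]{0,63}\z/i
DOMAIN_RE     = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\z/i

# LDAP libraries return attribute values as arrays; take the first non-empty one.
def first_value(entry, attr)
  v = entry[attr]
  v = v.first if v.is_a?(Array)
  v = v.to_s.strip
  v.empty? ? nil : v
end

def valid_address?(addr)
  local, domain = addr.split("@", 2)
  return false if local.nil? || domain.nil?
  LOCAL_PART_RE.match?(local) && DOMAIN_RE.match?(domain)
end

# Option 1 from the post: login name + "@" + public domain.
def mail_from_sam(entry)
  sam = first_value(entry, :sAMAccountName)
  return nil unless sam
  "#{sam.downcase}@#{MAIL_DOMAIN}"
end

# Option 2 from the post: userPrincipalName with ".local" swapped for ".com".
def mail_from_upn(entry)
  upn = first_value(entry, :userPrincipalName)
  return nil unless upn && upn.downcase.end_with?(INTERNAL_SUFFIX)
  upn[0...-INTERNAL_SUFFIX.length].downcase + PUBLIC_SUFFIX
end

# Returns [address, source] or nil. `source` lets the caller tell a directory
# supplied address (:mail) from a derived, unverified one.
def derive_mail(entry)
  [[:mail,              first_value(entry, :mail)],
   [:sAMAccountName,    mail_from_sam(entry)],
   [:userPrincipalName, mail_from_upn(entry)]].each do |source, addr|
    return [addr, source] if addr && valid_address?(addr)
  end
  nil
end

# Constructed sample entries (not real directory data).
SAMPLES = {
  has_mail: { sAMAccountName: ["steve"], userPrincipalName: ["steve@domain.local"],
              mail: ["steve.o@domain.com"] },
  no_mail:  { sAMAccountName: ["steve"], userPrincipalName: ["steve@domain.local"] },
  upn_only: { userPrincipalName: ["jdoe@domain.local"] },
  # header-injection style login name and a UPN outside the internal realm:
  # nothing is derived, the user must be asked instead
  bad_sam:  { sAMAccountName: ["svc account\r\nBcc: x@evil.example"],
              userPrincipalName: ["other@corp.example"] },
}

if $PROGRAM_NAME == __FILE__
  SAMPLES.each { |name, e| printf("%-9s %p\n", name, derive_mail(e)) }
end
```

The `source` element of the return value is there so that whatever calls this can treat a derived address differently from one the directory supplied, for instance by still showing the registration form with the guess pre-filled rather than silently creating the account.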


Replies (4)

RE: LDAP attribute workarounds for on-the-fly user creation? - Added by Matthew Houston over 11 years ago

Strange, when testing I used the Bitnami stack and I saw the expected behaviour - when a user was missing an email address for example, when they log in it provided a second screen to add the details that were missing.

Are you having any other problems with missing pages etc?

RE: LDAP attribute workarounds for on-the-fly user creation? - Added by Steve O over 11 years ago

Matthew: None at all, actually, and I haven't made any significant changes that would affect that sort of thing, I believe. Maybe I'll download a fresh version of the Bitnami stack today and see what behavior it's exhibiting with no other changes to the settings.

Thanks for the reply.

RE: LDAP attribute workarounds for on-the-fly user creation? - Added by Matthew Houston over 11 years ago

My settings are attached if any help; the only difference I can see is that I'm using a filter to only allow a specific group access. Regardless of that screen, is the LDAP actually working and creating on-the-fly accounts?

This morning I set up a fresh Bitnami stack in a fresh VM; the only settings I've applied so far are the LDAP queries. With a test AD user with no mailbox I got the attached result, expected behaviour (see screenshot attached).

If you check the C:\Program Files\BitNami Redmine Stack\apps\redmine\htdocs\log\production.log does it say anything worthwhile?

If not, I've enabled debugging by doing the following:

    Is there a way to turn up the logging?

    Hi - add the following line to redmine/config/environments/production.rb :

      config.log_level = :debug

    ... this seems to log quite a bit, esp. SQL

Which logs quite a bit more and might shed some light on it a bit more. I had quite a bit of problems with different plugins causing 404 or 500 in different areas of the application.

RE: LDAP attribute workarounds for on-the-fly user creation? - Added by Steve O over 11 years ago

I seem to have fixed my problem.

But to answer your question, yes, LDAP was working and creating accounts on-the-fly--for anyone who had a valid "mail" attribute entry in their LDAP record, that is.

Apparently, the problem was a regression created in Redmine 2.1.0 and I just wasn't looking hard enough to realize that. It's documented here: http://www.redmine.org/issues/11850

In my app/controllers/account_controller.rb file, I changed the following

  def onthefly_creation_failed(user, auth_source_options = { })
    @user = user
    session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?
    # register_path is a URL string, so it is looked up as a template name;
    # no such template exists, hence the 404
    render register_path
  end

to instead read:

  def onthefly_creation_failed(user, auth_source_options = { })
    @user = user
    session[:auth_source_registration] = auth_source_options unless auth_source_options.empty?
    # render the register action's template with @user pre-filled
    render :action => 'register'
  end

I am now finally seeing the expected behavior, thank goodness.

Thank you so much for your assistance in the mean time. I appreciate it.
