📧 feat: LDAP Authentication Enhancement for Email Handling (#4177)

* allow other ldap field besides "mail", or fallback to made up email * chore(ldap): add detailed logging for email fallback scenarios --------- Co-authored-by: Maxim Bonnaerens <maxim@bonnaerens.be>
2025-09-22 06:00:56 +02:00 · 2024-09-21 10:44:27 -04:00 · 2024-09-21 10:44:27 -04:00 · b0a48fd693
commit b0a48fd693
parent 561650d6f9
2 changed files with 20 additions and 11 deletions
--- a/api/strategies/ldapStrategy.js
+++ b/api/strategies/ldapStrategy.js
@ -14,6 +14,7 @@ const {
  LDAP_FULL_NAME,
  LDAP_ID,
  LDAP_USERNAME,
+  LDAP_EMAIL,
  LDAP_TLS_REJECT_UNAUTHORIZED,
 } = process.env;

@ -43,6 +44,9 @@ if (LDAP_ID) {
 if (LDAP_USERNAME) {
  searchAttributes.push(LDAP_USERNAME);
 }
+if (LDAP_EMAIL) {
+  searchAttributes.push(LDAP_EMAIL);
+}
 const rejectUnauthorized = isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);

 const ldapOptions = {
@ -76,15 +80,6 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
    return done(null, false, { message: 'Invalid credentials' });
  }

-  if (!userinfo.mail) {
-    logger.warn(
-      '[ldapStrategy]',
-      'No email attributes found in userinfo',
-      JSON.stringify(userinfo, null, 2),
-    );
-    return done(null, false, { message: 'Invalid credentials' });
-  }
-
  try {
    const ldapId =
      (LDAP_ID && userinfo[LDAP_ID]) || userinfo.uid || userinfo.sAMAccountName || userinfo.mail;
@ -100,12 +95,25 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
    const username =
      (LDAP_USERNAME && userinfo[LDAP_USERNAME]) || userinfo.givenName || userinfo.mail;

+    const mail = (LDAP_EMAIL && userinfo[LDAP_EMAIL]) || userinfo.mail || username + '@ldap.local';
+
+    if (!userinfo.mail && !(LDAP_EMAIL && userinfo[LDAP_EMAIL])) {
+      logger.warn(
+        '[ldapStrategy]',
+        `No valid email attribute found in LDAP userinfo. Using fallback email: ${username}@ldap.local`,
+        `LDAP_EMAIL env var: ${LDAP_EMAIL || 'not set'}`,
+        `Available userinfo attributes: ${Object.keys(userinfo).join(', ')}`,
+        'Full userinfo:',
+        JSON.stringify(userinfo, null, 2),
+      );
+    }
+
    if (!user) {
      user = {
        provider: 'ldap',
        ldapId,
        username,
-        email: userinfo.mail,
+        email: mail,
        emailVerified: true, // The ldap server administrator should verify the email
        name: fullName,
      };
@ -116,7 +124,7 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
      // so update the user information with the values registered in LDAP
      user.provider = 'ldap';
      user.ldapId = ldapId;
-      user.email = userinfo.mail;
+      user.email = mail;
      user.username = username;
      user.name = fullName;
    }