📧 feat: LDAP Authentication Enhancement for Email Handling (#4177)

* allow other ldap field besides "mail", or fallback to made up email * chore(ldap): add detailed logging for email fallback scenarios --------- Co-authored-by: Maxim Bonnaerens <maxim@bonnaerens.be>
2025-12-17 00:40:14 +01:00 · 2024-09-21 10:44:27 -04:00 · 2024-09-21 10:44:27 -04:00 · b0a48fd693
commit b0a48fd693
parent 561650d6f9
2 changed files with 20 additions and 11 deletions
--- a/.env.example
+++ b/.env.example
@ -412,6 +412,7 @@ LDAP_CA_CERT_PATH=
 # LDAP_LOGIN_USES_USERNAME=true
 # LDAP_ID=
 # LDAP_USERNAME=
 # LDAP_EMAIL=
 # LDAP_FULL_NAME=
 #========================#
--- a/api/strategies/ldapStrategy.js
+++ b/api/strategies/ldapStrategy.js
@ -14,6 +14,7 @@ const {
  LDAP_FULL_NAME,
  LDAP_ID,
  LDAP_USERNAME,
  LDAP_EMAIL,
  LDAP_TLS_REJECT_UNAUTHORIZED,
 } = process.env;
@ -43,6 +44,9 @@ if (LDAP_ID) {
 if (LDAP_USERNAME) {
  searchAttributes.push(LDAP_USERNAME);
 }
 if (LDAP_EMAIL) {
  searchAttributes.push(LDAP_EMAIL);
 }
 const rejectUnauthorized = isEnabled(LDAP_TLS_REJECT_UNAUTHORIZED);
 const ldapOptions = {
@ -76,15 +80,6 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
    return done(null, false, { message: 'Invalid credentials' });
  }
  if (!userinfo.mail) {
    logger.warn(
      '[ldapStrategy]',
      'No email attributes found in userinfo',
      JSON.stringify(userinfo, null, 2),
    );
    return done(null, false, { message: 'Invalid credentials' });
  }
  try {
    const ldapId =
      (LDAP_ID && userinfo[LDAP_ID]) || userinfo.uid || userinfo.sAMAccountName || userinfo.mail;
@ -100,12 +95,25 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
    const username =
      (LDAP_USERNAME && userinfo[LDAP_USERNAME]) || userinfo.givenName || userinfo.mail;
    const mail = (LDAP_EMAIL && userinfo[LDAP_EMAIL]) || userinfo.mail || username + '@ldap.local';
    if (!userinfo.mail && !(LDAP_EMAIL && userinfo[LDAP_EMAIL])) {
      logger.warn(
        '[ldapStrategy]',
        `No valid email attribute found in LDAP userinfo. Using fallback email: ${username}@ldap.local`,
        `LDAP_EMAIL env var: ${LDAP_EMAIL || 'not set'}`,
        `Available userinfo attributes: ${Object.keys(userinfo).join(', ')}`,
        'Full userinfo:',
        JSON.stringify(userinfo, null, 2),
      );
    }
    if (!user) {
      user = {
        provider: 'ldap',
        ldapId,
        username,
-        email: userinfo.mail,
+        email: mail,
        emailVerified: true, // The ldap server administrator should verify the email
        name: fullName,
      };
@ -116,7 +124,7 @@ const ldapLogin = new LdapStrategy(ldapOptions, async (userinfo, done) => {
      // so update the user information with the values registered in LDAP
      user.provider = 'ldap';
      user.ldapId = ldapId;
-      user.email = userinfo.mail;
+      user.email = mail;
      user.username = username;
      user.name = fullName;
    }