Crashing when encountering users without an email address #100

Open
ViViDboarder opened this issue Sep 22, 2022 · 3 comments · May be fixed by #101
Labels
bug (Something isn't working), good first issue (Good for newcomers)

Comments

@ViViDboarder
Owner

Additional information for someone who tries to achieve the same as I.
The invite of the users can fail with the following message:

```
Try to invite user: 
Error inviting users from ldap. Count 0: Failed to invite user 

Caused by:
    0: http error making request reqwest::Error { kind: Status(500), url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("vaultwarden")), port: None, path: "/admin/invite", query: None, fragment: None } }
    1: HTTP status server error (500 Internal Server Error) for url (http:https://vaultwarden/admin/invite)
```

This is caused because authentik has users for the outposts as service accounts. Those are sent if a search query from vaultwarden_ldap is done. These service users have an empty mail field. So vaultwarden_ldap fails to send new invites, because the mail is empty. I fixed this by editing the search_filter to check for empty mails: `ldap_search_filter = "(&(objectClass=user)(mail=*@*))"`.
This works now.

@ViViDboarder To prevent this error and the crash of the whole program, could you add a check if the mail is empty in the function invite_from_ldap to simply go further and log it?

Originally posted by @Rufmord in #99 (comment)

ViViDboarder added the bug and good first issue labels Sep 22, 2022
@ViViDboarder
Owner Author

ViViDboarder commented Sep 22, 2022

@Rufmord To be clear, these users have the email field present, but it is blank, correct? I’ve already got an integration test for missing fields but not an empty field.

Actually, thinking more about this, since this is really failing on the Vaultwarden side we’re not going to be able to validate every address (some invalid but non-blank). Perhaps logging all failed Vaultwarden calls and not crashing is the best course of action.

@Rufmord

Rufmord commented Sep 22, 2022

Correct, here is an example:
(made with ldapsearch on CLI)

```
dn: cn=ak-outpost-id,ou=users,dc=ldap,dc=domain,dc=tld
goauthentik.io/user/service-account: true
goauthentik.io/user/override-ips: true
displayName: Outpost LDAP Outpost Service-Account
objectClass: user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: goauthentik.io/ldap/user
goauthentik.io/ldap/active: true
cn: ak-outpost-id
sAMAccountName: ak-outpost-id
uidNumber: id
gidNumber: id
goauthentik.io/ldap/superuser: false
uid: id
name: Outpost LDAP Outpost Service-Account
mail:
```

@Rufmord

Rufmord commented Sep 22, 2022

I do not have the logs of vaultwarden any more, but the error was 500 on /admin/invite. Vaultwarden should also return an error message that the mail is empty.

ViViDboarder linked a pull request Sep 22, 2022 that will close this issue
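
An added example, not vaultwarden_ldap's own code and not written by either commenter: a Rust illustration of the two behaviours discussed in this thread, skipping entries whose mail is missing or blank, and logging failed invite calls instead of aborting the run. The names `InviteReport`, `invite_all` and `demo` are hypothetical, the entries are constructed, and a closure stands in for the HTTP request to `/admin/invite`.

```rust
// Added illustration, not vaultwarden_ldap's code; every name here is hypothetical.
#[derive(Debug, Default, PartialEq)]
pub struct InviteReport {
    pub invited: Vec<String>,
    pub skipped: Vec<String>,          // DNs with a missing or blank mail attribute
    pub failed: Vec<(String, String)>, // (email, error text) for rejected invites
}
/// `entries` holds (dn, mail) pairs: `None` means the attribute is absent,
/// `Some("")` means it is present but blank, as in the ldapsearch output above.
pub fn invite_all<F>(entries: &[(&str, Option<&str>)], mut invite: F) -> InviteReport
where
    F: FnMut(&str) -> Result<(), String>,
{
    let mut report = InviteReport::default();
    for (dn, mail) in entries {
        // Blank and whitespace-only values are treated like a missing attribute.
        let email = match mail.map(str::trim).filter(|m| !m.is_empty()) {
            Some(m) => m,
            None => {
                eprintln!("skipping {}: no usable mail value", dn);
                report.skipped.push(dn.to_string());
                continue;
            }
        };
        // A failed invite is logged and recorded, and the loop keeps going.
        match invite(email) {
            Ok(()) => report.invited.push(email.to_string()),
            Err(e) => {
                eprintln!("invite failed for {}: {}", email, e);
                report.failed.push((email.to_string(), e));
            }
        }
    }
    report
}

// Constructed sample data; the closure stands in for the HTTP call to /admin/invite.
pub fn demo() -> InviteReport {
    let entries = [
        ("cn=alice,ou=users,dc=example,dc=org", Some("alice@example.org")),
        ("cn=ak-outpost-id,ou=users,dc=example,dc=org", Some("")),
        ("cn=nomail,ou=users,dc=example,dc=org", None),
        ("cn=bob,ou=users,dc=example,dc=org", Some("not-an-address")),
    ];
    invite_all(&entries, |email| {
        if email.contains('@') { Ok(()) } else { Err("500 Internal Server Error".to_string()) }
    })
}
fn main() { println!("{:?}", demo()); }
```

The returned report separates entries that were never sent (no usable mail) from addresses the server rejected, which covers the non-blank but invalid case that a client-side filter cannot catch.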