vaultwarden_ldap

Crashing when encountering users without an email address

Open ViViDboarder opened this issue 1 year ago • 3 comments

Additional information for someone who tries to achieve the same as me. The invite of the users can fail with the following message:

Try to invite user: 
Error inviting users from ldap. Count 0: Failed to invite user 

Caused by:
    0: http error making request reqwest::Error { kind: Status(500), url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("vaultwarden")), port: None, path: "/admin/invite", query: None, fragment: None } }
    1: HTTP status server error (500 Internal Server Error) for url (http://vaultwarden/admin/invite)

This is caused by authentik having users for the outposts as service accounts. Those are sent if a search query from vaultwarden_ldap is done. These service users have an empty mail field. So vaultwarden_ldap fails to send new invites, because the mail is empty. I fixed this by editing the search_filter to check for empty mails: ldap_search_filter = "(&(objectClass=user)(mail=*@*))". This works now.

@ViViDboarder To prevent this error and crash of the whole program, could you add a check if the mail is empty in the function invite_from_ldap to simply go further and log it.

Originally posted by @Rufmord in https://github.com/ViViDboarder/vaultwarden_ldap/issues/99#issuecomment-1254264535

ViViDboarder avatar Sep 22 '22 03:09 ViViDboarder

@Rufmord To be clear, these users have the email field present, but it is blank, correct? I’ve already got an integration test for missing fields but not an empty field.

Actually, thinking more about this, since this is really failing on the Vaultwarden side we’re not going to be able to validate every address (some invalid but non-blank). Perhaps logging all failed Vaultwarden calls and not crashing is the best course of action.

ViViDboarder avatar Sep 22 '22 03:09 ViViDboarder

Correct, here is an example: (made with ldapsearch on CLI)

dn: cn=ak-outpost-id,ou=users,dc=ldap,dc=domain,dc=tld
goauthentik.io/user/service-account: true
goauthentik.io/user/override-ips: true
displayName: Outpost LDAP Outpost Service-Account
objectClass: user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: goauthentik.io/ldap/user
goauthentik.io/ldap/active: true
cn: ak-outpost-id
sAMAccountName: ak-outpost-id
uidNumber: id
gidNumber: id
goauthentik.io/ldap/superuser: false
uid: id
name: Outpost LDAP Outpost Service-Account
mail:

Rufmord avatar Sep 22 '22 03:09 Rufmord

I do not have the logs of vaultwarden any more, but the error was 500 on /admin/invite. Vaultwarden should also return an error message that the mail is empty.

Rufmord avatar Sep 22 '22 03:09 Rufmord
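As an added example (not vaultwarden_ldap's own code), this is how the invite loop could apply the reporter's `(mail=*@*)` condition to each LDAP entry and, as the maintainer suggests, log a failed Vaultwarden call such as the HTTP 500 from /admin/invite and continue instead of crashing the whole run. `LdapUser`, `InviteReport` and the `invite` callback are stand-ins of mine, not the project's types or its HTTP client.

```rust
use std::collections::HashMap;
/// Stand-in for one LDAP search entry (attribute name -> values); the real
/// crate uses ldap3's SearchEntry. Constructed for this example.
pub struct LdapUser {
    pub dn: String,
    pub attrs: HashMap<String, Vec<String>>,
}

/// The mail value, only if present, non-blank and of the form `*@*`, i.e. the
/// same condition as the reporter's `(mail=*@*)` search filter workaround.
pub fn usable_mail(user: &LdapUser) -> Option<&str> {
    let values = user.attrs.get("mail")?;
    values.iter().map(|s| s.trim()).find(|s| s.contains('@'))
}

#[derive(Default)]
pub struct InviteReport {
    pub invited: Vec<String>,
    pub skipped: Vec<String>,          // DNs without a usable mail
    pub failed: Vec<(String, String)>, // (mail, error) returned by Vaultwarden
}

/// Walks the search result once. `invite` is a hypothetical callback standing
/// in for the POST to Vaultwarden's /admin/invite; an Err (such as the HTTP
/// 500 in the report) is logged and the loop continues instead of aborting.
pub fn invite_from_ldap<F>(users: &[LdapUser], mut invite: F) -> InviteReport
where
    F: FnMut(&str) -> Result<(), String>,
{
    let mut report = InviteReport::default();
    for user in users {
        let mail = match usable_mail(user) {
            Some(m) => m,
            None => {
                eprintln!("skipping {}: mail attribute empty or missing", user.dn);
                report.skipped.push(user.dn.clone());
                continue;
            }
        };
        match invite(mail) {
            Ok(()) => report.invited.push(mail.to_string()),
            Err(e) => {
                eprintln!("failed to invite {}: {}", mail, e);
                report.failed.push((mail.to_string(), e));
            }
        }
    }
    report
}
```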