Kallithea issues archive

Issue #107: email address disappears upon login

Reported by: Jens Henke
State: new
Created on: 2015-03-13 14:30
Updated on: 2015-03-23 15:01

Description

Hi, we authenticate via LDAP and it appears that Kallithea will always copy the LDAP email address upon login even if it is empty. It would be great if you could implement the following logic: (*) Copy the LDAP email address to Kallithea if and only if it is not empty. That feature would allow us to maintain the email address in Kallithea without the fear that it disappears if the LDAP email address is empty. Many thanks, Jens

Attachments

Comments

Comment by Mads Kiilerich, on 2015-03-13 14:35

It seems odd to implement workarounds for incorrect LDAP info. Wouldn't it be reasonable to expect LDAP to be authoritative?

Comment by Mads Kiilerich, on 2015-03-13 14:36

Comment by Jens Henke, on 2015-03-13 14:41

Many thanks for the quick answer! I agree with you: The email address should be maintained in LDAP. Unfortunately in our case LDAP does not supply the email address and it is not easily possible to change that. Therefore I would be very grateful for a workaround. /Jens

Comment by Mads Kiilerich, on 2015-03-13 14:43

I suggest you do that in a local patch. It would be an odd upstream feature.

Alternatively, you can try to add the emails as extra email addresses - I think they are considered local and not synced from LDAP (even though it could make sense to sync multiple email addresses from ldap...)

Comment by Thomas De Schampheleire, on 2015-03-13 14:50

The code that does this seems to be: https://kallithea-scm.org/repos/kallithea/files/6892b0515af98fd2e4e6db9c535a854e1ba2e0b1/kallithea/lib/auth_modules/init.py#L282

You could either change create_or_update to only update non-empty values, but this would mean that you cannot make a field of a user empty, or change the call itself, or otherwise implement the logic in the LDAP auth module itself.

Comment by Jens Henke, on 2015-03-13 14:56

I think we will go for a local path - again many thanks for your quick replies and the reference to the code! :-)

Comment by Andrej Shadura, on 2015-03-13 14:57

Contrary to what @kiilerix says, I don't think we need to update information upon login every time. Maybe it's worth adding a checkbox setting.

Comment by Mads Kiilerich, on 2015-03-13 16:00

Data that lives in two places is a PITA when you do or do not have two-way synchronization with or without conflicts. IMO, the only solution is to make one place authoritative and consider the other place a cache.

Comment by Andrej Shadura, on 2015-03-13 16:15

I certainly can imagine that LDAP (or PAM fwiw) may be used for auth only or for auth + profile initialisation, but intentionally not kept in sync and allowing users to modify their data.

Comment by Andrej Shadura, on 2015-03-13 16:17

So, I think the best solution would be to have an additional setting for external auth modules:

❑ Keep profile data in sync

Comment by Mads Kiilerich, on 2015-03-14 12:27

It could also be seen as a variant of the request to be able to configure authentication and user info to come from different sources. In this case they pretty much want ldap authentication of local users.

Comment by Jens Henke, on 2015-03-23 12:46

I would like to suggest the following in pseudo-code:

If (field "Admin » Authentication » Plugin: ldap » Email Attribute" is empty) then { leave the content of field "Admin » Users » <user_name> » Email:" as it is }

Right now the email address will be erased upon login even if there is no LDAP Email Attribute specified. The above logic could also apply to the fields "First Name Attribute" and "Last Name Attribute".

I would be very grateful if the above feature could be implemented in the next release.

Many thanks! Jens

Comment by Mads Kiilerich, on 2015-03-23 15:01

That would make sense.
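
Added example, not part of the thread and not Kallithea's code: a side-by-side of the three login-time sync behaviours discussed above (always overwrite, copy only non-empty values, skip fields whose LDAP attribute is not configured). The function, enum, field names and sample data are hypothetical and constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not Kallithea's API.
from enum import Enum

PROFILE_FIELDS = ("email", "firstname", "lastname")


class SyncPolicy(Enum):
    OVERWRITE_ALWAYS = 1    # behaviour reported in the issue
    SKIP_EMPTY_VALUE = 2    # first request: copy only non-empty LDAP values
    SKIP_UNMAPPED_ATTR = 3  # later request: skip fields with no attribute configured


def sync_profile(local, ldap_entry, attr_map, policy):
    """Return a new local profile after one login-time sync.

    local      -- dict of the locally stored profile fields
    ldap_entry -- dict of attributes the directory returned for this user
    attr_map   -- profile field -> LDAP attribute name ('' when not configured)
    """
    updated = dict(local)
    for field in PROFILE_FIELDS:
        attr = attr_map.get(field, "")
        if policy is SyncPolicy.SKIP_UNMAPPED_ATTR and not attr:
            continue  # no attribute mapped: the local value stays authoritative
        value = (ldap_entry.get(attr, "") if attr else "").strip()
        if policy is SyncPolicy.SKIP_EMPTY_VALUE and not value:
            continue  # keeps the local value, but the directory can never clear it
        updated[field] = value
    return updated


# Constructed sample: no email attribute is mapped, and the directory
# returns an empty surname for a field that is mapped.
LOCAL = {"email": "jdoe@example.org", "firstname": "J", "lastname": "Doe"}
ENTRY = {"givenName": "Jane", "sn": ""}
ATTR_MAP = {"email": "", "firstname": "givenName", "lastname": "sn"}

if __name__ == "__main__":
    for policy in SyncPolicy:
        print(policy.name, sync_profile(LOCAL, ENTRY, ATTR_MAP, policy))
```

With the third policy the directory remains authoritative for every mapped field (the empty surname is still synced), while the second policy silently keeps stale local values, which is the drawback raised in the thread.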