View Issue Details

ID: 0024720
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2021-04-27 16:31
Reporter: SL-Gundam
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: confirmed
Resolution: reopened
Product Version: 2.16.0
Summary: 0024720: Editing user with use_ldap_email = ON empties email address
Description

I'm using LDAP in MantisBT and use_ldap_email = ON

When I, as administrator, edit a user and save the changes, the email address field is emptied.
Logging in again under that user account updates the email address. But users rarely do that, so this causes email notifications to be an issue.

Please make it so that a user's data that is connected to LDAP is not lost on edits to a user.

Steps To Reproduce

In a situation where LDAP is enabled and use_ldap_email = ON

  1. Edit a user with a cached email address
  2. Change the protected or enabled setting of the user
  3. You'll notice the email address is now lost
Tags: No tags attached.

Activities

dregad

2021-04-27 04:42

developer   ~0065438

I can't reproduce this.

When use_ldap_email = ON, manage_user_update.php queries the ldap server for the user's e-mail, and updates the DB accordingly.
https://github.com/mantisbt/mantisbt/blob/release-2.25.0/manage_user_update.php#L116

SL-Gundam

2021-04-27 04:56

reporter   ~0065440

Just tested this with the latest master from git.
See attached screenshots for before and after clicking on "Update User".

SL-Gundam

2021-04-27 04:56

reporter   ~0065441

image.png (21,635 bytes)
image-2.png (20,492 bytes)
SL-Gundam

2021-04-27 05:05

reporter   ~0065442

Last edited: 2021-04-27 05:06

After some more testing I've found two situations under which the email address is emptied:

  1. The connection failed to the LDAP server. The email stored will be overwritten with an empty value.
  2. The user has been deleted from the LDAP server. An empty search result is returned from LDAP. The email stored will be overwritten with an empty value.

Not sure whether that was the case in the past or if the situation has improved and it's only the above cases that are left.

dregad

2021-04-27 08:14

developer   ~0065445

Right, I get it now... I didn't think of testing the scenario of a missing LDAP user or failed connection.

Behavior is confirmed as described, and the same applies to Real Name ($g_use_ldap_realname) as well.

I agree that we should definitely not clear the information in case of a connection error, but the same in the case of a user no longer existing in LDAP is debatable.

dregad

2021-04-27 13:04

developer   ~0065448

It would be quite trivial to not update the email or realname if the corresponding ldap_xxx function returns an empty string.

That being said, I'm wondering if that should not be considered an error preventing the update operation... @SL-Gundam What do you think?

Note that these API functions do not make a difference between the user not found case vs the connection failed one, so a slightly different approach would be needed, if such distinction were needed.

SL-Gundam

2021-04-27 16:31

reporter   ~0065449

People leave the company. This would result in the account being deleted from LDAP.
I usually log in to MantisBT to disable the user account so that emails are no longer sent to a non-existing mail address.
At that point I would like to keep the information in MantisBT intact. Getting an error would prevent me from disabling the account.

Ideal solution:
If an LDAP connection fails an error would be useful since something is obviously not right at that point. In this case the edit should be prevented.
If an account does not exist in LDAP it should not update corresponding LDAP values but edits of other fields should be allowed.

Good solution:
Do not update any LDAP controlled fields with empty values.

Personally I would go for the "Good solution" since a not working LDAP connection should already cause enough problems during login.
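
The two policies outlined in the note above ("Ideal solution" and "Good solution"), sketched as an added PHP example that is not part of the thread and not MantisBT code. It assumes a hypothetical lookup callable that reports three distinct states (found, not found, unavailable), a distinction the thread says the current API functions do not make; every function and constant name in it is illustrative, and the sample data is constructed.

```php
<?php
// Added illustration, not MantisBT code. All names here are hypothetical.
const DIR_FOUND = 'found';
const DIR_NOT_FOUND = 'not_found';
const DIR_UNAVAILABLE = 'unavailable';

/**
 * Return the LDAP-controlled fields to store when an admin saves a user.
 * $lookup(string $username) must return ['status' => DIR_*, 'email' => ..., 'realname' => ...].
 * $strict = true follows the "Ideal solution"; false follows the "Good solution".
 */
function resolve_ldap_fields(string $username, array $cached, callable $lookup, bool $strict): array
{
    $result = $lookup($username);
    if ($result['status'] === DIR_UNAVAILABLE && $strict) {
        // Connection failure: refuse the edit rather than write bad data.
        throw new RuntimeException('LDAP unavailable, user update aborted');
    }
    if ($result['status'] !== DIR_FOUND) {
        // User gone from LDAP (or lenient mode): keep cached values so the
        // account can still be disabled without losing its email/real name.
        return $cached;
    }
    $updated = $cached;
    foreach (['email', 'realname'] as $field) {
        $value = trim((string) ($result[$field] ?? ''));
        if ($value !== '') {          // never overwrite with an empty value
            $updated[$field] = $value;
        }
    }
    return $updated;
}

// Constructed sample data and stub lookups standing in for a directory query.
$cached = ['email' => 'jdoe@example.com', 'realname' => 'J. Doe'];
$lookups = [
    'deleted from LDAP' => fn(string $u): array => ['status' => DIR_NOT_FOUND],
    'server down'       => fn(string $u): array => ['status' => DIR_UNAVAILABLE],
    'found, no name'    => fn(string $u): array => ['status' => DIR_FOUND, 'email' => 'john.doe@example.com', 'realname' => ''],
];
foreach ($lookups as $case => $lookup) {
    foreach ([true, false] as $strict) {
        try {
            $out = json_encode(resolve_ldap_fields('jdoe', $cached, $lookup, $strict));
        } catch (RuntimeException $e) {
            $out = 'blocked: ' . $e->getMessage();
        }
        echo $case, ' (strict=', var_export($strict, true), '): ', $out, PHP_EOL;
    }
}
```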