Issues with LDAP Configuration
Thorsten Schöning
tschoening at am-soft.de
Tue Feb 15 16:00:18 UTC 2022
Hello Agi Joseph,
on Tuesday, 15 February 2022 at 15:37 you wrote:
> With userPrincipalName, (username)
> The login or password you entered is not valid."
You still didn't say what exactly is stored for "userPrincipalName",
"sAMAccountName" and "mail". Please simply provide some examples.
According to your error messages, it seems that "userPrincipalName"
contains mail addresses instead of usernames only.
> With username at domain.aero
> We received an email address (administrator at gans.aero) that didn't
> pass our syntax checking for a legal email address, when trying to
> create or update your account. A legal login name must contain local
> GANS usernames , eg. 'john.doe' . No @ allowed. It also must not contain any illegal characters.
This error message actually means that binding to AD with
administrator at gans.aero SUCCEEDED, hence my question about example
data in your AD for the configured fields. You can easily check that
in the method Bugzilla::Auth::login yourself: "check_credentials"
needs to succeed before "create_or_update_user" is called and the
latter is checking usernames.
https://github.com/bugzilla/bugzilla/blob/854db96e37e1f77a466ec63c17054993154f2b91/Bugzilla/Auth.pm#L57
Of course this means your setup doesn't make too much sense right now:
Storing mail addresses in AD fields expected to be plain usernames
while at the same time configuring Bugzilla to NOT accept mail
addresses as usernames at all. Seems like you have mail addresses in
"mail" attribute as well, which is used as username in Bugzilla upon
account creation and again is not allowed by your policy of usernames.
In the easiest case, simply reset Bugzilla's checks for usernames to
its default value, allowing mail addresses as Bugzilla internal
usernames this way. Configure "sAMAccountName" as the source for
usernames for "LDAPuidattribute" and keep "mail" as
"LDAPmailattribute".
With such a setup users need to input "username" instead of
"username at example.org" in the login form, Bugzilla forwards "username"
to AD, if bind succeeds reads the corresponding "username at example.org"
from "mail" and creates the local user that way.
Kind regards
Thorsten Schöning
--
AM-SoFT IT-Service - Bitstore Hameln GmbH
Member of the Bitstore Group - your full-service provider for IT and telecommunications
E-Mail: Thorsten.Schoening at AM-SoFT.de
Web: http://www.AM-SoFT.de/
Tel: 05151- 9468- 0
Tel: 05151- 9468-55
Fax: 05151- 9468-88
Mobile: 0178-8 9468-04
AM-SoFT IT-Service - Bitstore Hameln GmbH, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 221853 - Managing Director: Janine Galonska
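The two-stage login flow described in the message above, as an added example that is not part of the original e-mail and is not Bugzilla's code. It is a plain-Python model with one constructed directory entry; the function bodies and both regexes are simplified stand-ins, and only the names check_credentials, create_or_update_user and the AD attribute names come from the message.

```python
import re

# Constructed AD entry: the layout the message suspects (addresses in UPN and mail).
DIRECTORY = [{
    "sAMAccountName": "administrator",
    "userPrincipalName": "administrator@example.org",
    "mail": "administrator@example.org",
    "password": "s3cret",  # constructed sample value
}]

# Stand-ins for Bugzilla's username check (assumptions, not the real patterns):
# one accepts mail addresses, one mimics a "local usernames only, no @" policy.
ALLOW_ADDRESSES = r"^[\w.+\-=']+@[\w.\-]+\.[\w\-]+$"
LOCAL_ONLY = r"^[^@\s]+$"

def check_credentials(typed, password, uid_attr):
    """Stage 1: find the entry whose uid_attr equals the typed login, then bind."""
    for entry in DIRECTORY:
        if entry.get(uid_attr) == typed and entry["password"] == password:
            return entry
    return None

def create_or_update_user(entry, mail_attr, login_regex):
    """Stage 2: the value of mail_attr becomes the local login and is validated."""
    login_name = entry[mail_attr]
    return login_name if re.match(login_regex, login_name) else None

def login(typed, password, uid_attr, mail_attr, login_regex):
    """Return a message saying which stage stopped the login, or the account name."""
    entry = check_credentials(typed, password, uid_attr)
    if entry is None:
        return "bind failed: login or password not valid"
    account = create_or_update_user(entry, mail_attr, login_regex)
    if account is None:
        return "bind ok, but %r rejected by username check" % entry[mail_attr]
    return "logged in as " + account

if __name__ == "__main__":
    # The three situations from the thread, in order.
    print(login("administrator", "s3cret", "userPrincipalName", "mail", LOCAL_ONLY))
    print(login("administrator@example.org", "s3cret",
                "userPrincipalName", "mail", LOCAL_ONLY))
    print(login("administrator", "s3cret", "sAMAccountName", "mail", ALLOW_ADDRESSES))
```

The second case is the one that looks like an authentication failure but is not: the bind succeeds and the rejection comes from the later username check.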