Authenticate by LDAP a user that has no email


#1

Hi to all,
I try to configure SSO LDAP Authentication,
In my LDAP server are registered some users with mail and others without mail.

I can log through LDAP auth only users with email configured and not the users without email,

I tried to put the following configuration:
USER FILTER (&(|(displayName={login})))
FIRST NAME ATTRIBUTE displayName

but the login is allowed only to users registered with email; if the user is without mail, Metabase sends a ‘password not valid’ message.

Instead, with the following configuration:
USER FILTER (&(|(displayName={login})(givenName={login})))
EMAIL ATTRIBUTE givenName
FIRST NAME ATTRIBUTE displayName

when I try to log in by LDAP a user that has any email set, I obtain the following message:
Input to create-new-ldap-auth-user! does not match schema: [(named {:email (not ("Valid email address" ))} new-user)]

Unfortunately I can’t assign a mail to the users that I want to login.
Is there any way to bypass the mail control during the LDAP authentication?

Thanks for your answers,
Gianluca


#2

@PGianlu
I’m not using LDAP for auth, but could you pass a fake address for those users without an email? Meaning the login would be user@no.email


#3

I also thought of that, but I’m really a newbie both with Metabase and LDAP.
What I tried is that when mb has to log in a new user, it creates a new user, passing a mail as you say (i.e. user@example.com).
To do that I tried to put the following attributes:
EMAIL ATTRIBUTE givenName + ‘@example.com
EMAIL ATTRIBUTE givenName , ‘@example.com
EMAIL ATTRIBUTE givenName ‘@example.com

None of these tricks seems to work and I didn’t find anything about how to do something like this on the web.

Anyway it’s a bad solution and I would prefer something like configuring mb to not require a mail address.


#4

Doing some searching, it doesn’t seem like it’s possible.
Since I don’t use LDAP - then I’ll attach a link to another forum post and ask a super user.
LDAP Debugging

@jornh Can you help here? You sure know a lot :slight_smile:


#5

@PGianlu no, it’s not possible by configuration to not have Metabase require emails.

It is due to this hard coded check:

You may remove the check - but I’m unsure what else will break then. For sure sending emails to those users :wink:

Depending on your setup some options I can think of are:

  • modifying the Metabase source where you possibly have to maintain your own fork. Alternatively contribute a solution back that is both simple AND behaves well for empty emails.
  • Find a way through some background task to inject dummy valid email addresses to the LDAP to an alternative field, like you tried with pointing to givenName.

——

@flamber WOOT a fellow Dane in here? Glad to see you here :slight_smile:
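
The second option in post #5 (a background task that writes a dummy valid address into an alternative LDAP field), sketched as an added example that is not code from the thread or from Metabase. The attribute name `altMail`, the `example.com` domain and the sample entries are assumptions; the function only builds LDIF text for review and does not contact a directory.

```python
import re

# Constructed sample directory entries (not from the thread): DN -> attributes.
SAMPLE_ENTRIES = {
    "uid=anna,ou=people,dc=example,dc=com": {"uid": ["anna"], "mail": ["anna@corp.example"]},
    "uid=J.Doe,ou=people,dc=example,dc=com": {"uid": ["J.Doe"]},
    "uid=j doe,ou=people,dc=example,dc=com": {"uid": ["j doe"], "mail": [""]},
    "cn=svc,ou=people,dc=example,dc=com": {"cn": ["svc"]},
}

# Conservative shape check for the generated placeholder addresses.
EMAIL_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*@[a-z0-9.-]+\.[a-z]{2,}$")


def placeholder_local_part(uid):
    """Reduce a login name to characters that are safe in an address local part."""
    return re.sub(r"[^a-z0-9._-]+", ".", uid.strip().lower()).strip(".")


def build_ldif(entries, target_attr="altMail", domain="example.com"):
    """Return (ldif_text, skipped_dns) for entries that lack a usable mail value.

    target_attr is a hypothetical attribute name; it must exist in your schema.
    DNs are assumed to be plain ASCII (no base64 LDIF encoding is done here).
    """
    used = {m.lower() for a in entries.values() for m in a.get("mail", []) if m}
    records, skipped = [], []
    for dn in sorted(entries):
        attrs = entries[dn]
        if any(v.strip() for v in attrs.get("mail", [])):
            continue  # a real address is present: leave the entry alone
        local = placeholder_local_part((attrs.get("uid") or [""])[0])
        if not local:
            skipped.append(dn)  # no login name to derive an address from
            continue
        candidate, n = f"{local}@{domain}", 1
        while candidate in used:  # two accounts must never share an address
            n += 1
            candidate = f"{local}{n}@{domain}"
        if not EMAIL_RE.match(candidate):
            skipped.append(dn)
            continue
        used.add(candidate)
        records.append(f"dn: {dn}\nchangetype: modify\nreplace: {target_attr}\n"
                       f"{target_attr}: {candidate}\n-\n")
    return "\n".join(records), skipped
```

The EMAIL ATTRIBUTE setting would then point at the populated field, as in the givenName attempt earlier in the thread; entries returned in `skipped_dns` need manual handling.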