
LDAP sign-in with "Trust Email Address" doesn't beat implicit "auth.require-email-verification"
Open, Needs Triage | Public

Description

  1. Config is a fairly fresh ubuntu 16.10 VM using a git-cloned repo, ondrej's php 7.1 ppa, mariadb and postfix.
  2. 'admin' account created via username password,
  3. added ldap config,
  4. disabled registration on username/password,
  5. auth.require-email-verification set false,
  6. auth.require-approval set false,
  7. auth.email-domains set to ["superevilmegacorp.com"],
  8. account.editable true,
  9. Username/Password provider:
    • + allow login
    • - allow registration FALSE,
    • + allow linking accounts,
    • + allow unlinking,
  10. Ldap provider:
    • + Allow Login,
    • + Allow Registration,
    • + Allow Linking Accounts,
    • + Allow Unlinking Accounts,
    • + Trust Email Address
  11. First user ("oliver.smith@superevilmegacorp.com") registered via ldap without validation,
  12. Second user ("chad.mowery@superevilmegacorp.com") registers but is required to do email validation.

I snapshotted the before and after config and went thru it three times, and each time I was able to repro the above.

arcanist: d1db9a72b552151613a918e3d49fa72433387a68
libphutil: c581e769f10c6d2b427900897edba74e01a572bd
phabricator: 699228c73b74e2a3ea2e8355ed822c9314fb9f88

Linux grimsby 4.8.0-44-generic #47-Ubuntu SMP Wed Mar 22 14:27:57 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Event Timeline

kfsone created this task. Mar 28 2017, 8:36 PM
avivey closed this task as Resolved. Apr 5 2017, 3:34 AM
avivey claimed this task.
avivey added a subscriber: avivey.

auth.email-domains implies auth.require-email-verification.

chad awarded a token. Apr 5 2017, 4:46 AM

@avivey Trust Email Address is meant to handle that though, is it not? The reported "bug" here is that the email addresses are not being verified when coming from LDAP, not that email verification is required.

avivey reopened this task as Open. Apr 5 2017, 9:02 AM
avivey removed avivey as the assignee of this task.

mm, yeah, I didn't actually read it 😊 @kfsone said in the chat that it can be resolved, but this does actually sound like trust email address should win over require-email-verification.

avivey renamed this task from Email verification still required for ldap user to LDAP sign-in with "Trust Email Address" doesn't beat implicit "auth.require-email-verification". Apr 5 2017, 9:04 AM
kfsone added a comment. Apr 6 2017, 5:08 PM

@avivey I was hanging my head in RTFM shame, TBH.

Our use-case is ldap-based Single Sign-On :. users' email addresses are: '%s@%s' % (loginName, auth.email-domains[0])

pasik added a subscriber: pasik. May 12 2018, 1:47 PM