View Issue Details

ID: 0035076
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2024-12-06 19:57
Reporter: barronp
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 2.27.0
Summary: 0035076: User E-Mail not loaded into database for new accounts

Description

We have used ldap for security since first installing MantisBT in 2015. We recently upgraded from v2.25.4 to v2.27.0. Post-upgrade, I noticed that several accounts in the Manage Accounts page displayed a warning "E-mail address is associated with at least one other user account".

In examining the detailed user information, the e-mail address is displayed correctly. However, when we look at the mantis_user_table in the database, no e-mail address is present. If we manually add the e-mail address to the table, the warning no longer displays.

From config_inc.php:

    $g_login_method = LDAP;
    $g_ldap_server = 'ldap://ldap.XXXXX';
    $g_ldap_root_dn = 'DC=XXXX,DC=net';
    $g_ldap_organization = '';
    $g_ldap_realname_field = 'displayName';
    $g_ldap_uid_field = 'sAMAccountName';
    $g_ldap_protocol_version = 3;
    $g_ldap_follow_referrals = OFF;
    $g_ldap_use_starttls = OFF;

    $g_use_ldap_realname = ON;
    $g_use_ldap_email = ON;

    $g_log_level = LOG_LDAP;
    $g_log_destination = '/tmp/ldap_log.log';

    $g_ldap_bind_dn = 'CN=Mantis BugTracker,CN=Users,DC=XXXX,DC=net';
    $g_ldap_bind_passwd = 'XXXX';
    $g_system_font_folder = '/usr/share/fonts/msttcore/';

Steps To Reproduce

Create new user.
Validate user information, including e-mail.
View user information on Manage Accounts page.

Tags: No tags attached.

Relationships

related to 0032787 (closed, dregad): Facilitate identification of user accounts sharing the same email

Activities

dregad

2024-12-04 07:33

developer   ~0069535

This check was introduced in 2.26.0, see 0032787.

Indeed, the logic in the user_get_duplicate_emails() function does not take into account the use of LDAP; it assumes the database contains the user's email, which is normally the case.

When auto-creating LDAP user accounts, the email field is initially empty, but it gets updated by ldap_authenticate_by_username() every time they log in, so it seems a bit strange that it would remain empty. Do you have any idea how these accounts were created? Can you reproduce the case of LDAP user accounts being created without an email address? If so, please explain how.

I do not have an LDAP setup to test with at the moment; could you also tell me if, when displaying manage_user_page.php, manage_user_edit_page.php and account_page.php for a user flagged with a duplicate email in the admin check (i.e. with mantis_user_table.email = ''), you see an "Email address is associated with at least one other user account" warning next to the e-mail address field?

raspopov

2024-12-05 10:58

reporter   ~0069547

manage_user_page.php just doesn't have code to get an email from LDAP, unlike the other two pages: manage_user_edit_page.php and account_page.php.

barronp

2024-12-06 19:57

reporter   ~0069560

Retested with a new user and confirmed that the warning appears until the user first logs in, at which point it's replaced with the actual e-mail address.
The "associated other accounts" are all accounts that either never had e-mail addresses or are users who have left the organization and whose AD accounts have been deleted. Since these accounts are disabled in Mantis, they only appear when the "Show disabled" box is checked.

If one is adding multiple accounts at the same time, it's disconcerting and distracting to have them all appear with this warning, not knowing what the logic is behind it. Additionally, if we still had accounts that don't have an e-mail address associated with them, these would also have the warning, given the current logic. I recommend that the validation logic be altered to ignore those accounts that have no e-mail address associated with them.

Thanks for your prompt attention and response!
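
The behaviour discussed in this thread, as an added example that is not MantisBT code and not written by any participant: a duplicate-email check run over constructed user rows, first comparing the stored column as-is (every account with an empty email collides with every other one), then skipping empty values as the last note recommends. The function name, row layout and the trim/lowercase normalization are assumptions of this example.

```php
<?php
// Added illustration, not MantisBT code. The rows are constructed sample data;
// find_duplicate_emails() is a hypothetical name, not a MantisBT function.

/**
 * Group usernames by stored email and return the addresses used by more
 * than one account. With $ignore_empty = false, '' is treated like any
 * other value, so all accounts without a stored address flag each other.
 */
function find_duplicate_emails(array $users, bool $ignore_empty): array {
    $by_email = [];
    foreach ($users as $user) {
        // Normalization (trim + lowercase) is an assumption of this example.
        $email = strtolower(trim((string)$user['email']));
        if ($ignore_empty && $email === '') {
            continue; // no address on record, so there is nothing to compare
        }
        $by_email[$email][] = $user['username'];
    }
    // Keep only addresses shared by two or more accounts.
    return array_filter($by_email, fn(array $names) => count($names) > 1);
}

// Constructed sample rows: two LDAP-backed accounts whose email column is
// still empty, plus one genuine duplicate that should always be reported.
$users = [
    ['username' => 'alice',    'email' => 'alice@example.com'],
    ['username' => 'alice2',   'email' => 'Alice@Example.com'],
    ['username' => 'newldap',  'email' => ''], // created, has not logged in yet
    ['username' => 'departed', 'email' => ''], // disabled, directory entry deleted
    ['username' => 'bob',      'email' => 'bob@example.com'],
];

foreach ([false, true] as $ignore_empty) {
    echo $ignore_empty ? "Ignoring empty emails:\n" : "Comparing stored values as-is:\n";
    foreach (find_duplicate_emails($users, $ignore_empty) as $email => $names) {
        $label = ($email === '') ? '(empty)' : $email;
        printf("  %-20s shared by %s\n", $label, implode(', ', $names));
    }
}
```

In both passes the genuinely shared address is still reported; only the group keyed on the empty string disappears when empty values are skipped.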