SSO users email addresses

Issue #219 resolved
Richard Fitzgerald created an issue

I have an issue when I log into piler using SSO: I get archived mail for distribution group memberships but not emails where I have been contacted directly. If I review the email addresses under settings for the user account, it lists a lot of email addresses which are distribution lists etc., but does not list my actual email account.

Have I mis-configured something? I can see all the emails using the local auditor account.

Could you explain the 'domains' setting a bit more in the admin panel, as I am not sure if this is part of the issue? Is it supposed to be set up like

emaildomain.com mapped to addomain.local?

Comments (14)

  1. Janos SUTO repo owner

    When you login, the piler gui syslogs some email addresses, ldap queries, etc. Can you show them to me? Also please show the ldap attributes of this problematic user.

    Btw. does this issue occur for everyone or just this specific user?

    The domain listing is used for 2 things:

    a) for restoring emails

    b) determining whether the given email is incoming or outgoing, so you can filter based on the direction of the email, too.

  2. Richard Fitzgerald reporter

    I have tested a little and when I switch to ldap the primary address is listed also. It looks from the maillog that

    a) an extra result is found on the ldap query (12 hits vs 11)

    b) in the log entry it looks like the sphinx query return is incomplete (cut off halfway through an email address). Is there a limit on the characters / bytes that can be returned?

    I suspect this may only be an issue for IT staff who are members of multiple distribution lists, but there will be other staff such as managers who may have the same issue?

  3. Richard Fitzgerald reporter

    Also, where does piler get the date from for the indexer job status? Mine is an hour behind, but php and the local system time are correct?

  4. Janos SUTO repo owner

    The indexer job status dates come from crontab -l, and a touched file in /var/piler/stat.

    Is the extra entry unrelated to your account? I think the sphinx query is complete, just the logger truncates long entries.

  5. Richard Fitzgerald reporter

    The extra entry is my (primary) email account, hence it works on ldap but not sso?

  6. Richard Fitzgerald reporter

    I have also checked all the times again, and the indexer job times are still exactly 1 hour ahead? I can see an indexer file in /var/piler/stat but it is blank, the cpu file is being updated correctly?

  7. Janos SUTO repo owner

    Can you compare your email addresses on the settings page in the gui when logging in via ldap and sso? They should match as the gui is expected to find out all your addresses.

    The indexer "touch file" is empty indeed; only its timestamp carries information. Can you verify that the timestamp is correct? In what timezone are you? What are the timezone settings in config-site.php?

  8. Richard Fitzgerald reporter

    Thanks - setting timezone in config-site.php resolved the time issue.

    Yes, the emails match between the ldap query and the settings option. I can't see any difference in the query that would result in the ldap settings supplying an extra email address. It's not a big issue as we are using this as a local failsafe, so having to login when accessing it is not really an issue, but seeing as the rest of SSO works so nicely it would be nice to get it working!

  9. Janos SUTO repo owner

    OK, then please show me the ldap queries in case of both ldap and sso. You may obfuscate them if you want to hide some internal domain names, etc.

  10. Richard Fitzgerald reporter

    From revisiting the logs it would seem that the filter is not correct on the sso query. For example, the ldap query correctly has the filter (mail=firstname.lastname@company.com) whereas the SSO login has (mail=x) where x is the first letter of the username and/or email address - they are the same in our setup. The same is true of the part of the query which maps the email to group memberships. But the one that references the user account DN is working ok?

  11. Janos SUTO repo owner

    Please try the following: edit model/user/auth.php, and put the following AFTER the 333rd line where you have $a = $query->row;

    print_r($a); die(" end of debug");

    Then close the browser, and try to access the gui again. This will print out the details of the samaccount query. You may obfuscate the result, but please keep the structure. Or you may send the result to me (see piler -V).

  12. Richard Fitzgerald reporter

    Hi,

    After some further discussion in the department we've decided just to use LDAP, as this is just a backup setup anyway so it is not really an issue.

    I appreciate the time you have spent looking into this issue for me,

    Kind Regards, Richard
