Kerberos cross domain signin fails (Foreman WebUI)

Situation:
A Foreman server configured (and working) with FreeIPA as the external authentication mechanism. The FreeIPA server has a trust with an AD domain.

Problem:
When logging in with an IPA user that is not known to Foreman, the user account is created and any roles assigned to the user’s group are also assigned successfully.

When signing in with a trusted but unknown AD user, the authentication succeeds, but the user account cannot be created. The Foreman logs mention that the user has no valid email address, and Foreman refuses to create the user.

This can be successfully worked around by pre-configuring the user accounts with a (if required, bogus) email address.

Is there any way to either tell Foreman to ignore missing attributes for the user, or to default to some (custom) values in case the user account trying to sign in is not complete for some reason?

Expected outcome:
Log in with the AD user as well, without pre-seeding the user account in Foreman.

Foreman and Proxy versions:
Multiple versions, but I have tested it most recently on Foreman 3.0/Katello 4.2

Distribution and version: Rocky8

Not relevant, but just wondering:
I’m not entirely sure why the AD user’s attributes are not properly synced. I’m still learning about FreeIPA, and I don’t have extended experience setting it up with AD trusts.

ping @mcorr Do you have any idea who I can ping for this? :slight_smile: thanks! :smiley:

1 Like

Hey !
Thanks for bringing this to my attention. I’ll try to get some eyes on it for you…

1 Like

Hello, currently it’s not possible since the update performs the validations and email presence is required on update. Perhaps this requirement could be relaxed in case of LDAP auth source. Then the user would have to fill in the email upon the first login.

1 Like

Hi @Marek_Hulan thanks for looking into this! :slight_smile:

That sounds like a perfectly acceptable compromise. I also tried looking in the IdM server, but the ID view maps do not provide a means to map a new email address to a user.

Is there a patch I can apply in the meantime to test this out? I can provide some feedback on it if you like :slight_smile:

I have opened a tracking issue at Bug #34666: Mail shouldn't be required on user update if the update is triggered for the LDAP user - Foreman

One thing I’m not sure about is why the validation actually triggers, because it should only be active if the user mail was already set to something. Can you try adding this patch and see the production.log after the restart? It should print what the mail was.

diff --git a/app/models/user.rb b/app/models/user.rb
index 3ea102105..2ead619c9 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -83,7 +83,9 @@ class User < ApplicationRecord
 
   validates :mail, :email => true, :allow_blank => true
   validates :mail, :presence => true, :on => :update,
-                   :if => proc { |u| !AuthSourceHidden.where(:id => u.auth_source_id).any? && (u.mail_was.present? || (User.current == u && !User.current.hidden?)) }
+                   :if => proc { |u| 
+                     Rails.logger.error "User mail was: #{u.mail_was.inspect}"
+                     !AuthSourceHidden.where(:id => u.auth_source_id).any? && (u.mail_was.present? || (User.current == u && !User.current.hidden?)) }
 
   validates :locale, :format => { :with => /\A\w{2}([_-]\w{2})?\Z/ }, :allow_blank => true, :if => proc { |user| user.respond_to?(:locale) }
   before_validation :normalize_locale
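Review bot: the new `Rails.logger.error "User mail was: ..."` line sits inside the `:if` proc of the presence validator, and that validator is declared `:on => :update`, so the probe only fires when the presence check is evaluated; the `validates :mail, :email => true, :allow_blank => true` line directly above is left untouched, and a failure raised by that format validator will produce no output from this patch at all. If the aim is to see what `mail` holds whenever the record is validated, log it from a `before_validation` callback (or from the `:if` of both validators) instead. Two smaller points: a debugging probe belongs at `Rails.logger.debug` rather than `error` and should not survive into anything that is merged, and the `proc { |u| ` line carries trailing whitespace.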
2 Likes

I added the patch, but I don’t see the message you posted in the production log. See below for the logs:

2022-03-25T19:19:56 [I|app|34ba7b11] Started GET "/" for 192.168.255.171 at 2022-03-25 19:19:56 +0100
2022-03-25T19:19:56 [I|app|34ba7b11] Processing by DashboardController#index as HTML
2022-03-25T19:19:56 [I|app|34ba7b11] Redirected to https://deploy.lbhr.htm.lan/users/extlogin
2022-03-25T19:19:56 [I|app|34ba7b11] Filter chain halted as :require_login rendered or redirected
2022-03-25T19:19:56 [I|app|34ba7b11] Completed 302 Found in 2ms (ActiveRecord: 0.2ms | Allocations: 1130)
2022-03-25T19:19:56 [I|app|8cccebbc] Started GET "/users/extlogin" for 192.168.255.171 at 2022-03-25 19:19:56 +0100
2022-03-25T19:19:56 [I|app|8cccebbc] Processing by UsersController#extlogin as HTML
2022-03-25T19:19:56 [W|app|8cccebbc] Email address is invalid
2022-03-25T19:19:56 [I|app|8cccebbc] Backtrace for 'Email address is invalid' error (Mail::Field::IncompleteParseError): Mail::AddressList can not parse |(null)|: Only able to parse up to "(null)"
 8cccebbc | /usr/share/gems/gems/mail-2.7.1/lib/mail/parsers/address_lists_parser.rb:33230:in `parse'
 8cccebbc | /usr/share/gems/gems/mail-2.7.1/lib/mail/elements/address.rb:192:in `parse'
 8cccebbc | /usr/share/gems/gems/mail-2.7.1/lib/mail/elements/address.rb:30:in `initialize'
 8cccebbc | /usr/share/foreman/app/validators/email_validator.rb:8:in `new'
 8cccebbc | /usr/share/foreman/app/validators/email_validator.rb:8:in `validate_each'
 8cccebbc | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validator.rb:152:in `block in validate'
 8cccebbc | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validator.rb:149:in `each'
 8cccebbc | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validator.rb:149:in `validate'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:428:in `block in make_lambda'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:200:in `block (2 levels) in halting'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:605:in `block (2 levels) in default_terminator'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:604:in `catch'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:604:in `block in default_terminator'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:201:in `block in halting'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `block in invoke_before'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `each'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `invoke_before'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:134:in `run_callbacks'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:825:in `_run_validate_callbacks'
 8cccebbc | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations.rb:406:in `run_validations!'
 8cccebbc | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations/callbacks.rb:117:in `block in run_validations!'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:135:in `run_callbacks'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:825:in `_run_validation_callbacks'
 8cccebbc | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations/callbacks.rb:117:in `run_validations!'
 8cccebbc | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations.rb:337:in `valid?'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/validations.rb:68:in `valid?'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/validations.rb:84:in `perform_validations'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/validations.rb:47:in `save'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:314:in `block in save'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:375:in `block in with_transaction_returning_status'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/database_statements.rb:280:in `block in transaction'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/transaction.rb:280:in `block in within_new_transaction'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:26:in `block (2 levels) in synchronize'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `handle_interrupt'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `block in synchronize'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `handle_interrupt'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `synchronize'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/transaction.rb:278:in `within_new_transaction'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/database_statements.rb:280:in `transaction'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:212:in `transaction'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:366:in `with_transaction_returning_status'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:314:in `save'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/suppressor.rb:44:in `save'
 8cccebbc | /usr/share/foreman/app/models/user.rb:347:in `block in find_or_create_external_user'
 8cccebbc | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:108:in `as'
 8cccebbc | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:114:in `as_anonymous_admin'
 8cccebbc | /usr/share/foreman/app/models/user.rb:344:in `find_or_create_external_user'
 8cccebbc | /usr/share/foreman/app/services/sso/apache.rb:39:in `authenticated?'
 8cccebbc | /usr/share/foreman/app/controllers/concerns/foreman/controller/authentication.rb:65:in `sso_authentication'
 8cccebbc | /usr/share/foreman/app/controllers/concerns/foreman/controller/authentication.rb:12:in `authenticate'
 8cccebbc | /usr/share/foreman/app/controllers/concerns/foreman/controller/authentication.rb:51:in `require_login'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:428:in `block in make_lambda'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:181:in `block (2 levels) in halting_and_conditional'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:182:in `block in halting_and_conditional'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `block in invoke_before'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `each'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `invoke_before'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:110:in `block in run_callbacks'
 8cccebbc | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 8cccebbc | /usr/share/foreman/app/controllers/concerns/foreman/controller/topbar_sweeper.rb:12:in `set_topbar_sweeper_controller'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 8cccebbc | /usr/share/gems/gems/audited-4.9.0/lib/audited/sweeper.rb:14:in `around'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 8cccebbc | /usr/share/gems/gems/audited-4.9.0/lib/audited/sweeper.rb:14:in `around'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:139:in `run_callbacks'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/abstract_controller/callbacks.rb:41:in `process_action'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/rescue.rb:22:in `process_action'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/instrumentation.rb:33:in `block in process_action'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/notifications.rb:180:in `block in instrument'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/notifications/instrumenter.rb:24:in `instrument'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/notifications.rb:180:in `instrument'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
 8cccebbc | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/railties/controller_runtime.rb:27:in `process_action'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/abstract_controller/base.rb:136:in `process'
 8cccebbc | /usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/rendering.rb:39:in `process'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal.rb:190:in `dispatch'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal.rb:254:in `dispatch'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/routing/route_set.rb:33:in `serve'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/journey/router.rb:49:in `block in serve'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/journey/router.rb:32:in `each'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/journey/router.rb:32:in `serve'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/routing/route_set.rb:834:in `call'
 8cccebbc | /usr/share/gems/gems/katello-4.3.0/lib/katello/middleware/organization_created_enforcer.rb:18:in `call'
 8cccebbc | /usr/share/gems/gems/katello-4.3.0/lib/katello/middleware/event_daemon.rb:10:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/gems/gems/apipie-dsl-2.4.0/lib/apipie_dsl/static_dispatcher.rb:67:in `call'
 8cccebbc | /usr/share/gems/gems/apipie-rails-0.5.17/lib/apipie/static_dispatcher.rb:66:in `call'
 8cccebbc | /usr/share/gems/gems/apipie-rails-0.5.17/lib/apipie/extractor/recorder.rb:137:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/foreman/lib/foreman/middleware/libvirt_connection_cleaner.rb:9:in `call'
 8cccebbc | /usr/share/foreman/lib/foreman/middleware/telemetry.rb:10:in `call'
 8cccebbc | /usr/share/gems/gems/apipie-rails-0.5.17/lib/apipie/middleware/checksum_in_headers.rb:27:in `call'
 8cccebbc | /usr/share/foreman/lib/foreman/middleware/catch_json_parse_errors.rb:9:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
 8cccebbc | /usr/share/foreman/lib/foreman/middleware/logging_context_session.rb:22:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/cookies.rb:648:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:101:in `run_callbacks'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
 8cccebbc | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/rack/logger.rb:37:in `call_app'
 8cccebbc | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/rack/logger.rb:28:in `call'
 8cccebbc | /usr/share/gems/gems/sprockets-rails-3.2.1/lib/sprockets/rails/quiet_assets.rb:13:in `call'
 8cccebbc | /usr/share/foreman/lib/foreman/middleware/logging_context_request.rb:11:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/request_id.rb:27:in `call'
 8cccebbc | /usr/share/gems/gems/katello-4.3.0/lib/katello/prevent_json_parsing.rb:12:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
 8cccebbc | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/executor.rb:14:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
 8cccebbc | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/host_authorization.rb:76:in `call'
 8cccebbc | /usr/share/gems/gems/secure_headers-6.3.0/lib/secure_headers/middleware.rb:11:in `call'
 8cccebbc | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/engine.rb:527:in `call'
 8cccebbc | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/railtie.rb:190:in `public_send'
 8cccebbc | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/railtie.rb:190:in `method_missing'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/urlmap.rb:74:in `block in call'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/urlmap.rb:58:in `each'
 8cccebbc | /usr/share/gems/gems/rack-2.2.3/lib/rack/urlmap.rb:58:in `call'
 8cccebbc | /usr/share/gems/gems/puma-5.5.0/lib/puma/configuration.rb:249:in `call'
 8cccebbc | /usr/share/gems/gems/puma-5.5.0/lib/puma/request.rb:77:in `block in handle_request'
 8cccebbc | /usr/share/gems/gems/puma-5.5.0/lib/puma/thread_pool.rb:340:in `with_force_shutdown'
 8cccebbc | /usr/share/gems/gems/puma-5.5.0/lib/puma/request.rb:76:in `handle_request'
 8cccebbc | /usr/share/gems/gems/puma-5.5.0/lib/puma/server.rb:447:in `process_client'
 8cccebbc | /usr/share/gems/gems/puma-5.5.0/lib/puma/thread_pool.rb:147:in `block in spawn_thread'
 8cccebbc | /usr/share/gems/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2022-03-25T19:19:56 [I|app|8cccebbc] Failed to create external User 'bob@htm.lan': Email address is invalid
2022-03-25T19:19:56 [W|app|8cccebbc] SSO failed
2022-03-25T19:19:56 [W|app|8cccebbc] falling back to login form
2022-03-25T19:19:56 [I|app|8cccebbc] Redirected to https://deploy.lbhr.htm.lan/users/login
2022-03-25T19:19:56 [I|app|8cccebbc] Filter chain halted as :require_login rendered or redirected
2022-03-25T19:19:56 [I|app|8cccebbc] Completed 302 Found in 11ms (ActiveRecord: 2.3ms | Allocations: 5987)
2022-03-25T19:19:56 [I|app|7b0cd49f] Started GET "/users/login" for 192.168.255.171 at 2022-03-25 19:19:56 +0100
2022-03-25T19:19:56 [I|app|7b0cd49f] Processing by UsersController#login as HTML
2022-03-25T19:19:56 [I|app|7b0cd49f]   Rendering users/login.html.erb within layouts/login
2022-03-25T19:19:56 [I|app|7b0cd49f]   Rendered common/_login.html.erb (Duration: 2.3ms | Allocations: 5598)
2022-03-25T19:19:56 [I|app|7b0cd49f]   Rendered users/login.html.erb within layouts/login (Duration: 6.3ms | Allocations: 11228)
2022-03-25T19:19:56 [I|app|7b0cd49f]   Rendering layouts/base.html.erb
2022-03-25T19:19:56 [I|app|7b0cd49f]   Rendered layouts/base.html.erb (Duration: 3.3ms | Allocations: 7517)
2022-03-25T19:19:56 [I|app|7b0cd49f] Completed 200 OK in 14ms (Views: 12.1ms | ActiveRecord: 0.3ms | Allocations: 25351)

Note that bob@htm.lan is a username, not an email :slight_smile:

Aha, it’s the other validation, the one that performs the email format check. That would require the same condition, I guess. It should accept empty emails, but if there’s some wrong value, it fails. Try applying this patch:

diff --git a/app/models/user.rb b/app/models/user.rb
index 3ea102105..846ca7d20 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,9 +81,14 @@ class User < ApplicationRecord
   scope :completer_scope, ->(opts) { visible }
   scope :enabled, -> { where(disabled: false) }
 
-  validates :mail, :email => true, :allow_blank => true
+  validates :mail, :email => true, :allow_blank => true, :if => proc { |u|
+    Rails.logger.error "User mail considered: #{u.mail_was.inspect} and currently is #{u.mail}"
+    true
+  }

then service foreman restart and watch the same log. It may be that there is some value passed from the LDAP but it’s not a valid email address.
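As an added example (not Foreman’s code), the Ruby below models the validation that is failing in this thread. `allow_blank` skips the format check for `nil` and `""`, but not for the six-character text `(null)` that the parse error in the log quotes (`Mail::AddressList can not parse |(null)|`), so the address validator runs against that string and rejects it. Two things here are assumptions, labelled in the code as well: that Apache forwards the IPA attributes as `REMOTE_USER_*` request headers and writes the literal `(null)` for an environment variable that is unset, and that a simple regex stands in for Foreman’s mail-gem-based `EmailValidator`. Normalising the headers so the placeholder becomes `nil` before the `User` record is built lets the existing `allow_blank` handle the missing attribute without touching the model.

```ruby
# Added example (not Foreman's code): what the User model's email validation
# sees when an SSO attribute is missing, and how normalising the forwarded
# headers first lets allow_blank do its job.
#
# Assumptions, not facts from the thread:
#  - Apache exports the identity with directives such as
#      RequestHeader set REMOTE_USER_EMAIL %{REMOTE_USER_EMAIL}e
#    and renders an UNSET environment variable as the literal text "(null)".
#  - The header names below are the ones Foreman's Sso::Apache reads.
#  - EMAIL_RE is a crude stand-in for Foreman's EmailValidator (mail gem);
#    only the blank / non-blank behaviour is modelled faithfully.

APACHE_UNSET = '(null)'.freeze

HEADER_TO_ATTR = {
  'REMOTE_USER'           => :login,
  'REMOTE_USER_EMAIL'     => :mail,
  'REMOTE_USER_FIRSTNAME' => :firstname,
  'REMOTE_USER_LASTNAME'  => :lastname,
}.freeze

# nil, whitespace-only text and the Apache placeholder all mean "attribute absent".
def normalize_sso_value(value)
  return nil if value.nil?
  text = value.to_s.strip
  return nil if text.empty? || text == APACHE_UNSET
  text
end

# Map the request headers to model attributes, normalising each value.
def sso_attributes(headers)
  HEADER_TO_ATTR.each_with_object({}) do |(header, attr), attrs|
    attrs[attr] = normalize_sso_value(headers[header])
  end
end

# ActiveSupport's blank? is true for nil and whitespace-only strings only;
# the six-character string "(null)" is NOT blank.
def blank_value?(value)
  value.nil? || value.to_s.strip.empty?
end

EMAIL_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Mirrors `validates :mail, :email => true, :allow_blank => true`:
# skip the format check for blank values, otherwise require an address shape.
def mail_errors(mail)
  return [] if blank_value?(mail)
  return [] if EMAIL_RE.match?(mail)
  ['Email address is invalid']
end

# Constructed sample headers; not captured from a real host.
IPA_USER_HEADERS = {
  'REMOTE_USER'           => 'alice@IPA.EXAMPLE',
  'REMOTE_USER_EMAIL'     => 'alice@ipa.example',
  'REMOTE_USER_FIRSTNAME' => 'Alice',
  'REMOTE_USER_LASTNAME'  => 'Example',
}.freeze

# Trusted AD user whose IPA view carries no mail/name attributes: the env vars
# are unset, so Apache forwards the placeholder for each of them.
AD_USER_HEADERS = {
  'REMOTE_USER'           => 'bob@ad.example',
  'REMOTE_USER_EMAIL'     => APACHE_UNSET,
  'REMOTE_USER_FIRSTNAME' => APACHE_UNSET,
  'REMOTE_USER_LASTNAME'  => APACHE_UNSET,
}.freeze

if __FILE__ == $PROGRAM_NAME
  raw_mail = AD_USER_HEADERS['REMOTE_USER_EMAIL']
  puts "raw AD mail #{raw_mail.inspect}: #{mail_errors(raw_mail).inspect}"
  clean = sso_attributes(AD_USER_HEADERS)
  puts "normalised AD mail #{clean[:mail].inspect}: #{mail_errors(clean[:mail]).inspect}"
  puts "normalised IPA attrs: #{sso_attributes(IPA_USER_HEADERS).inspect}"
end
```

Run it with plain `ruby`; no gems are needed. The raw AD value fails exactly as in the log, the normalised one passes because it is `nil`, and the IPA user is untouched. In a real deployment the place to do this normalisation would be where the SSO headers are read (the backtrace shows that happening in `app/services/sso/apache.rb`, though whether the `(null)` arrives there or is introduced by the web server config is an assumption that should be confirmed with a request header dump).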

It seems to be an actual null value; I guess that’s not the same as '' :sweat_smile:

2022-03-30T06:36:33 [I|app|f657b2f5] Started GET "/" for 192.168.255.171 at 2022-03-30 06:36:33 +0200
2022-03-30T06:36:33 [I|app|f657b2f5] Katello event daemon started process=4937
2022-03-30T06:36:34 [I|app|f657b2f5] Subscribed to katello.candlepin.candlepin_events
2022-03-30T06:36:34 [I|app|f657b2f5] Processing by DashboardController#index as HTML
2022-03-30T06:36:34 [I|app|f657b2f5] Redirected to https://deploy.lbhr.htm.lan/users/extlogin
2022-03-30T06:36:34 [I|app|f657b2f5] Filter chain halted as :require_login rendered or redirected
2022-03-30T06:36:34 [I|app|f657b2f5] Completed 302 Found in 29ms (ActiveRecord: 11.5ms | Allocations: 32584)
2022-03-30T06:36:34 [I|kat|f657b2f5] Polling Katello Event Queue
2022-03-30T06:36:34 [I|bac|f657b2f5] Task {label: , id: e3515c36-fcc1-4f15-970c-11ee64ef3d74, execution_plan_id: 82fc0a62-1ece-4b38-a842-d78ab2f89f0b} state changed: pending 
2022-03-30T06:36:34 [I|bac|f657b2f5] Task {label: Actions::Katello::Applicability::Hosts::BulkGenerate, id: e3515c36-fcc1-4f15-970c-11ee64ef3d74, execution_plan_id: 82fc0a62-1ece-4b38-a842-d78ab2f89f0b} state changed: planning 
2022-03-30T06:36:34 [I|bac|f657b2f5] Task {label: Actions::Katello::Applicability::Hosts::BulkGenerate, id: e3515c36-fcc1-4f15-970c-11ee64ef3d74, execution_plan_id: 82fc0a62-1ece-4b38-a842-d78ab2f89f0b} state changed: planned 
2022-03-30T06:36:34 [I|app|f657b2f5] katello event handled success=true type=generate_host_applicability object_id=0 expired=false rescheduled=false duration=53.98
2022-03-30T06:36:34 [I|bac|f657b2f5] Task {label: Actions::Katello::Applicability::Hosts::BulkGenerate, id: e3515c36-fcc1-4f15-970c-11ee64ef3d74, execution_plan_id: 82fc0a62-1ece-4b38-a842-d78ab2f89f0b} state changed: running 
2022-03-30T06:36:34 [I|app|afc7ff35] Started GET "/users/extlogin" for 192.168.255.171 at 2022-03-30 06:36:34 +0200
2022-03-30T06:36:34 [I|app|afc7ff35] Processing by UsersController#extlogin as HTML
2022-03-30T06:36:34 [E|app|afc7ff35] User mail considered: nil and currently is (null)
2022-03-30T06:36:34 [W|app|afc7ff35] Email address is invalid
2022-03-30T06:36:34 [I|app|afc7ff35] Backtrace for 'Email address is invalid' error (Mail::Field::IncompleteParseError): Mail::AddressList can not parse |(null)|: Only able to parse up to "(null)"
 afc7ff35 | /usr/share/gems/gems/mail-2.7.1/lib/mail/parsers/address_lists_parser.rb:33230:in `parse'
 afc7ff35 | /usr/share/gems/gems/mail-2.7.1/lib/mail/elements/address.rb:192:in `parse'
 afc7ff35 | /usr/share/gems/gems/mail-2.7.1/lib/mail/elements/address.rb:30:in `initialize'
 afc7ff35 | /usr/share/foreman/app/validators/email_validator.rb:8:in `new'
 afc7ff35 | /usr/share/foreman/app/validators/email_validator.rb:8:in `validate_each'
 afc7ff35 | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validator.rb:152:in `block in validate'
 afc7ff35 | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validator.rb:149:in `each'
 afc7ff35 | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validator.rb:149:in `validate'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:428:in `block in make_lambda'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:181:in `block (2 levels) in halting_and_conditional'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:605:in `block (2 levels) in default_terminator'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:604:in `catch'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:604:in `block in default_terminator'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:182:in `block in halting_and_conditional'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `block in invoke_before'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `each'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `invoke_before'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:134:in `run_callbacks'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:825:in `_run_validate_callbacks'
 afc7ff35 | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations.rb:406:in `run_validations!'
 afc7ff35 | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations/callbacks.rb:117:in `block in run_validations!'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:135:in `run_callbacks'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:825:in `_run_validation_callbacks'
 afc7ff35 | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations/callbacks.rb:117:in `run_validations!'
 afc7ff35 | /usr/share/gems/gems/activemodel-6.0.3.7/lib/active_model/validations.rb:337:in `valid?'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/validations.rb:68:in `valid?'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/validations.rb:84:in `perform_validations'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/validations.rb:47:in `save'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:314:in `block in save'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:375:in `block in with_transaction_returning_status'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/database_statements.rb:280:in `block in transaction'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/transaction.rb:280:in `block in within_new_transaction'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:26:in `block (2 levels) in synchronize'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `handle_interrupt'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:25:in `block in synchronize'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `handle_interrupt'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/concurrency/load_interlock_aware_monitor.rb:21:in `synchronize'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/transaction.rb:278:in `within_new_transaction'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/connection_adapters/abstract/database_statements.rb:280:in `transaction'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:212:in `transaction'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:366:in `with_transaction_returning_status'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/transactions.rb:314:in `save'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/suppressor.rb:44:in `save'
 afc7ff35 | /usr/share/foreman/app/models/user.rb:351:in `block in find_or_create_external_user'
 afc7ff35 | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:108:in `as'
 afc7ff35 | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:114:in `as_anonymous_admin'
 afc7ff35 | /usr/share/foreman/app/models/user.rb:348:in `find_or_create_external_user'
 afc7ff35 | /usr/share/foreman/app/services/sso/apache.rb:39:in `authenticated?'
 afc7ff35 | /usr/share/foreman/app/controllers/concerns/foreman/controller/authentication.rb:65:in `sso_authentication'
 afc7ff35 | /usr/share/foreman/app/controllers/concerns/foreman/controller/authentication.rb:12:in `authenticate'
 afc7ff35 | /usr/share/foreman/app/controllers/concerns/foreman/controller/authentication.rb:51:in `require_login'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:428:in `block in make_lambda'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:181:in `block (2 levels) in halting_and_conditional'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:182:in `block in halting_and_conditional'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `block in invoke_before'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `each'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:513:in `invoke_before'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:110:in `block in run_callbacks'
 afc7ff35 | /usr/share/foreman/app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 afc7ff35 | /usr/share/foreman/app/controllers/concerns/foreman/controller/topbar_sweeper.rb:12:in `set_topbar_sweeper_controller'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 afc7ff35 | /usr/share/gems/gems/audited-4.9.0/lib/audited/sweeper.rb:14:in `around'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 afc7ff35 | /usr/share/gems/gems/audited-4.9.0/lib/audited/sweeper.rb:14:in `around'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:121:in `block in run_callbacks'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:139:in `run_callbacks'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/abstract_controller/callbacks.rb:41:in `process_action'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/rescue.rb:22:in `process_action'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/instrumentation.rb:33:in `block in process_action'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/notifications.rb:180:in `block in instrument'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/notifications/instrumenter.rb:24:in `instrument'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/notifications.rb:180:in `instrument'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/instrumentation.rb:32:in `process_action'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal/params_wrapper.rb:245:in `process_action'
 afc7ff35 | /usr/share/gems/gems/activerecord-6.0.3.7/lib/active_record/railties/controller_runtime.rb:27:in `process_action'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/abstract_controller/base.rb:136:in `process'
 afc7ff35 | /usr/share/gems/gems/actionview-6.0.3.7/lib/action_view/rendering.rb:39:in `process'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal.rb:190:in `dispatch'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_controller/metal.rb:254:in `dispatch'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/routing/route_set.rb:50:in `dispatch'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/routing/route_set.rb:33:in `serve'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/journey/router.rb:49:in `block in serve'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/journey/router.rb:32:in `each'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/journey/router.rb:32:in `serve'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/routing/route_set.rb:834:in `call'
 afc7ff35 | /usr/share/gems/gems/katello-4.3.0/lib/katello/middleware/organization_created_enforcer.rb:18:in `call'
 afc7ff35 | /usr/share/gems/gems/katello-4.3.0/lib/katello/middleware/event_daemon.rb:10:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/gems/gems/apipie-dsl-2.4.0/lib/apipie_dsl/static_dispatcher.rb:67:in `call'
 afc7ff35 | /usr/share/gems/gems/apipie-rails-0.5.17/lib/apipie/static_dispatcher.rb:66:in `call'
 afc7ff35 | /usr/share/gems/gems/apipie-rails-0.5.17/lib/apipie/extractor/recorder.rb:137:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/foreman/lib/foreman/middleware/libvirt_connection_cleaner.rb:9:in `call'
 afc7ff35 | /usr/share/foreman/lib/foreman/middleware/telemetry.rb:10:in `call'
 afc7ff35 | /usr/share/gems/gems/apipie-rails-0.5.17/lib/apipie/middleware/checksum_in_headers.rb:27:in `call'
 afc7ff35 | /usr/share/foreman/lib/foreman/middleware/catch_json_parse_errors.rb:9:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/tempfile_reaper.rb:15:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/etag.rb:27:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/conditional_get.rb:27:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/head.rb:12:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/http/content_security_policy.rb:18:in `call'
 afc7ff35 | /usr/share/foreman/lib/foreman/middleware/logging_context_session.rb:22:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:266:in `context'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/session/abstract/id.rb:260:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/cookies.rb:648:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/callbacks.rb:27:in `block in call'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/callbacks.rb:101:in `run_callbacks'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/callbacks.rb:26:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/actionable_exceptions.rb:18:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/debug_exceptions.rb:32:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/show_exceptions.rb:33:in `call'
 afc7ff35 | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/rack/logger.rb:37:in `call_app'
 afc7ff35 | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/rack/logger.rb:28:in `call'
 afc7ff35 | /usr/share/gems/gems/sprockets-rails-3.2.1/lib/sprockets/rails/quiet_assets.rb:13:in `call'
 afc7ff35 | /usr/share/foreman/lib/foreman/middleware/logging_context_request.rb:11:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/remote_ip.rb:81:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/request_id.rb:27:in `call'
 afc7ff35 | /usr/share/gems/gems/katello-4.3.0/lib/katello/prevent_json_parsing.rb:12:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/method_override.rb:24:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/runtime.rb:22:in `call'
 afc7ff35 | /usr/share/gems/gems/activesupport-6.0.3.7/lib/active_support/cache/strategy/local_cache_middleware.rb:29:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/executor.rb:14:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/static.rb:126:in `call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/sendfile.rb:110:in `call'
 afc7ff35 | /usr/share/gems/gems/actionpack-6.0.3.7/lib/action_dispatch/middleware/host_authorization.rb:76:in `call'
 afc7ff35 | /usr/share/gems/gems/secure_headers-6.3.0/lib/secure_headers/middleware.rb:11:in `call'
 afc7ff35 | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/engine.rb:527:in `call'
 afc7ff35 | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/railtie.rb:190:in `public_send'
 afc7ff35 | /usr/share/gems/gems/railties-6.0.3.7/lib/rails/railtie.rb:190:in `method_missing'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/urlmap.rb:74:in `block in call'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/urlmap.rb:58:in `each'
 afc7ff35 | /usr/share/gems/gems/rack-2.2.3/lib/rack/urlmap.rb:58:in `call'
 afc7ff35 | /usr/share/gems/gems/puma-5.5.0/lib/puma/configuration.rb:249:in `call'
 afc7ff35 | /usr/share/gems/gems/puma-5.5.0/lib/puma/request.rb:77:in `block in handle_request'
 afc7ff35 | /usr/share/gems/gems/puma-5.5.0/lib/puma/thread_pool.rb:340:in `with_force_shutdown'
 afc7ff35 | /usr/share/gems/gems/puma-5.5.0/lib/puma/request.rb:76:in `handle_request'
 afc7ff35 | /usr/share/gems/gems/puma-5.5.0/lib/puma/server.rb:447:in `process_client'
 afc7ff35 | /usr/share/gems/gems/puma-5.5.0/lib/puma/thread_pool.rb:147:in `block in spawn_thread'
 afc7ff35 | /usr/share/gems/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
2022-03-30T06:36:34 [I|app|afc7ff35] Failed to create external User 'bob@htm.lan': Email address is invalid
2022-03-30T06:36:34 [W|app|afc7ff35] SSO failed
2022-03-30T06:36:34 [W|app|afc7ff35] falling back to login form
2022-03-30T06:36:34 [I|app|afc7ff35] Redirected to https://deploy.lbhr.htm.lan/users/login
2022-03-30T06:36:34 [I|app|afc7ff35] Filter chain halted as :require_login rendered or redirected
2022-03-30T06:36:34 [I|app|afc7ff35] Completed 302 Found in 16ms (ActiveRecord: 4.4ms | Allocations: 7714)
2022-03-30T06:36:34 [I|app|701026db] Started GET "/users/login" for 192.168.255.171 at 2022-03-30 06:36:34 +0200
2022-03-30T06:36:34 [I|app|701026db] Processing by UsersController#login as HTML
2022-03-30T06:36:34 [I|app|701026db]   Rendering users/login.html.erb within layouts/login
2022-03-30T06:36:34 [I|app|701026db]   Rendered common/_login.html.erb (Duration: 0.5ms | Allocations: 276)
2022-03-30T06:36:34 [I|app|701026db]   Rendered users/login.html.erb within layouts/login (Duration: 2.2ms | Allocations: 797)
2022-03-30T06:36:34 [I|app|701026db]   Rendering layouts/base.html.erb
2022-03-30T06:36:34 [I|app|701026db]   Rendered layouts/base.html.erb (Duration: 2.3ms | Allocations: 2906)
2022-03-30T06:36:34 [I|app|701026db] Completed 200 OK in 10ms (Views: 8.5ms | ActiveRecord: 0.3ms | Allocations: 6145)
2022-03-30T06:36:34 [I|bac|f657b2f5] Task {label: Actions::Katello::Applicability::Hosts::BulkGenerate, id: e3515c36-fcc1-4f15-970c-11ee64ef3d74, execution_plan_id: 82fc0a62-1ece-4b38-a842-d78ab2f89f0b} state changed: stopped  result: success

ping @Marek_Hulan :slight_smile:

Yeah, that’s the key, for some reason the value is "(null)". I have looked at the ldap_fluff gem source code but I didn’t find anything that should be translating null to nil there. So it may have been caused by some change in the net/ldap gem (the low level ruby library). I haven’t found anything in their issue tracker though: Issues · ruby-ldap/ruby-net-ldap · GitHub

I wonder how come other users don’t see this. If this is the outcome of the cross domain setup, we could probably add some mapping of "(null)" to nil, unless you can set something like this already in FreeIPA.

I have worked a bit more with IPA/IdM in the meantime, but from what I can see, it looks like (at least when dealing with AD on the other end) none of the user’s AD attributes are available when querying IPA.

So either I’m missing something there, or it’s just not there at all.

I did look into using ‘Trust ID Maps’, but that doesn’t allow overriding a user’s email address.

EDIT: It seems that IdM docs also suggest this: Chapter 32. Installing trust between IdM and AD Red Hat Enterprise Linux 8 | Red Hat Customer Portal

Ignore this, I have hooked up AD to my new home lab with IdM and Satellite

When running getent on a client machine, it shows that the user’s name actually is available:

[ansible@workstation ~]$ getent passwd clarence@ad.lab
clarence@ad.lab:*:1279001104:1279001104:Clarence Oveur:/home/ad.lab/clarence:
[ansible@workstation ~]$ id clarence@ad.lab
uid=1279001104(clarence@ad.lab) gid=1279001104(clarence@ad.lab) groups=1279001104(clarence@ad.lab),1279001107(win_linux_sysadmins@ad.lab),1279000513(domain users@ad.lab),1279001106(win_satellite_admins@ad.lab)

I’m still setting up some stuff with regards to HBAC, when that’s done I’ll continue looking into it :slight_smile:

1 Like

Well, I’m partially right. The name and some other attributes are available, but for whatever reason the mail attribute doesn’t fly over from AD :frowning:

So I did the following:

  • Hook up an AD domain to my IdM server (I also tried this with FreeIPA, but I’m working on a RHEL-based lab right now)
  • Create a user, make sure the following attributes are set:
    image
  • Log in on a workstation machine, verify that the user’s name is there:
  • Log in to Satellite (Firefox’s set up to attempt Kerberos, which fails)
2022-04-29T18:31:11 [I|app|d5dc52d0] Backtrace for 'Email address is invalid' error (Mail::Field::IncompleteParseError): Mail::AddressList can not parse |(null)|: Only able to parse up to "(null)"

I know Satellite (6.10 btw) lags behind on Foreman, but the error’s the same :confused:

And even when I look in AD’s attribute editor, the mail field (which is the same LDAP field IdM uses to store an email address) is there:

image

So, I’m still a bit lost as to why the mail attribute doesn’t work out for AD users.

It’s not related to whether or not it’s an actual address, as IdM is filled with bogus addresses (all ending in ‘rh.lab’).

If you create a user directly in the IdM, does it work and correctly get the mail attribute?

Yes, that works exactly as advertised :slight_smile:

I was actually just looking in app/models/user.rb to see if I can hack something together that would change a null value to either '' or the username (which, because it’s an AD user, looks like an email address).

Before I started ^, I also tried different settings in IdM to change the trust type from Active Directory to Active Directory with POSIX attributes, but that didn’t make a change.

Well, that worked, sort of… :sweat_smile:

I modified the exception snippet you posted earlier, but it seems there’s more attributes missing:

  validates :mail, :email => true, :allow_blank => true, :if => proc { |u|
    u.mail = 'bla@bla.com'
    Rails.logger.error "User mail considered: #{u.mail_was.inspect} and currently is #{u.mail}"
    true
  }

EDIT: here’s the log btw:

2022-05-03T17:58:31 [I|app|3d80f7ab] Started POST "/users/login" for 192.168.255.10 at 2022-05-03 17:58:31 +0200
2022-05-03T17:58:31 [I|app|3d80f7ab] Katello event daemon started process=29723
2022-05-03T17:58:31 [I|app|3d80f7ab] Subscribed to katello.candlepin.candlepin_events
2022-05-03T17:58:31 [I|app|3d80f7ab] Processing by UsersController#login as HTML
2022-05-03T17:58:31 [I|app|3d80f7ab]   Parameters: {"login"=>{"login"=>"jeff@ad.lab", "password"=>"[FILTERED]"}, "authenticity_token"=>"juPBxGe7y2QqXP/lmXDAd8/wEMflLFbSz4xXdO2cTdHaQiSuGcznbIKnQj//c9+lVdFX/OR24X4Clwcxr6W4Dg=="}
2022-05-03T17:58:31 [E|app|3d80f7ab] User mail considered: nil and currently is bla@bla.com
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on login jeff@ad.lab
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on firstname (null)
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on lastname (null)
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on mail bla@bla.com
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on admin false
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on auth_source_id 3
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on locale 
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on avatar_hash 
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on default_organization_id 
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on default_location_id 
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on lower_login jeff@ad.lab
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on mail_enabled true
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on timezone 
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on description 
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on disabled false
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on password [redacted]
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on role_ids []
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on usergroup_ids []
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on organization_ids []
2022-05-03T17:58:31 [I|aud|3d80f7ab] User (11) create event on location_ids []
2022-05-03T17:58:31 [I|app|3d80f7ab] ForemanWebhooks::EventSubscriber: user_created.event.foreman event received
2022-05-03T17:58:31 [I|app|3d80f7ab] User 'jeff@ad.lab' auto-created from EXTERNAL
2022-05-03T17:58:31 [I|app|3d80f7ab] User 'jeff@ad.lab' logged in from '192.168.255.10'
2022-05-03T17:58:31 [I|kat|3d80f7ab] Polling Katello Event Queue

So the only thing that got populated was the username and it was set to the mail value? I assume that if we add some '(null)' => nil translation somewhere, it would work, but many of the attributes would have to be populated manually. That would be suboptimal I guess.

No, the username is in the user@realm format. This is user jeff in the ad.lab AD domain; the email address of this user is jeff@somewhere.com. I created this new user to be sure I had a never before seen user when attempting the hack :). See below for the AD properties:

image

But with regards to populating, just the email address needs to be populated in Foreman, as the validation fails on that specific attribute. Although I feel that if we just put in the username if it contains an @ that would also be fine (as I legitimately don’t know what Foreman/Satellite is going to send me over email :sweat_smile:)

Suboptimal yes, but at least it works :slight_smile: I can’t imagine a lot of users are going to be distraught that their name isn’t fully filled in :wink:
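Putting Marek’s suggested "(null)" => nil translation and the login-as-mail fallback from the last post side by side, as an added example (my code, not Foreman’s or ldap_fluff’s). The attribute hash shape, the `normalize_external_user` helper and its `mail_fallback:` option are assumptions, and the email check uses Ruby’s stdlib `URI::MailTo::EMAIL_REGEXP` rather than Foreman’s own validator:

```ruby
require 'uri'

# Placeholder strings that an LDAP compat tree / AD trust may hand back
# for attributes the trusted side never delivered (seen as "(null)" above).
ABSENT_MARKERS = ['(null)', ''].freeze

# Map a single attribute value to nil when it only carries an "absent" marker,
# so Rails validations see a missing value instead of a bogus string.
def normalize_attr(value)
  return nil if value.nil?
  str = value.to_s.strip
  ABSENT_MARKERS.include?(str) ? nil : str
end

# Simplified syntax check (stdlib regexp, not Foreman's EmailValidator).
def valid_email?(value)
  !value.nil? && URI::MailTo::EMAIL_REGEXP.match?(value)
end

# Normalise the whole attribute hash and, when AD delivered no mail, fall back
# to the login if it is itself in user@realm form. `mail_fallback:` is a
# hypothetical knob (:login or :none); 'mail_source' records that the fallback
# was used so the auto-created account can be found and fixed later.
def normalize_external_user(attrs, mail_fallback: :login)
  out = attrs.each_with_object({}) { |(k, v), h| h[k.to_s] = normalize_attr(v) }
  if out['mail'].nil? && mail_fallback == :login && valid_email?(out['login'])
    out['mail'] = out['login']
    out['mail_source'] = 'login'
  end
  out
end

# Constructed sample mirroring the audit lines in the thread (not a real AD record).
SAMPLE_AD_USER = {
  'login'     => 'jeff@ad.lab',
  'firstname' => '(null)',
  'lastname'  => '(null)',
  'mail'      => '(null)',
}.freeze

if $PROGRAM_NAME == __FILE__
  p normalize_external_user(SAMPLE_AD_USER)
  # => {"login"=>"jeff@ad.lab", "firstname"=>nil, "lastname"=>nil, "mail"=>"jeff@ad.lab", "mail_source"=>"login"}
end
```

A login such as "bob" without a realm gets no fallback and the mail stays nil, which is the case the thread says would still need manual completion.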