Bug #107

Authenticator returns "User does not have a email address in AD" under specific condition

Added by Matthew Dodd over 12 years ago. Updated about 12 years ago.

Status: New
Priority: Normal
Assignee: Bryan Heath
Category: -
Target version: -
Start date: 02 Nov 2012
Due date:
% Done: 0%

Description

First of all, thanks for providing this mod - I've been trying to find a reliable multi-domain authenticator for Kayako for too long and yours has been sound.

We've hit a problem which needs your input.

One of our domains is set up to be multitenant, which brings a couple of conditions:
  • User logon names must be unique for each user
  • Customers want usernames that are meaningful to them

To achieve this, we provide each customer's user with a UPN name made up of their name and their email address domain as a UPN suffix. To achieve uniqueness on the pre-Windows 2000 user logon name we then append a customer ID number to the user name.

In short, the UPN user logon name and the pre-Windows 2000 user logon name will be different i.e.

  • UPN User Logon Name: john.doe
  • UPN Suffix: @customerdomain.co.uk
  • Pre-Windows 2000 User Logon name: john.doe_CUSTID

Under these circumstances the authenticator will return "User does not have a email address in AD". Maybe after initial authentication the email address lookup is happening using the pre-Windows 2000 logon and the AD object can't be found.

Your authenticator handles UPNs fine, as long as the pre-Windows 2000 logon name matches the UPN logon name. So using the previous example, our user will have tried to log into Kayako as "".

How do we get around this?

thanks
Matthew
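To make the suspected cause concrete, here is an added example (not code from the authenticator mod): it simulates the post-authentication e-mail lookup against constructed AD records and shows that resolving the user by sAMAccountName alone returns no address when the pre-Windows 2000 name differs from the UPN prefix, while resolving by userPrincipalName finds it. The records, the `lookup_mail`/`ad_search_filter` helpers and the control user are assumptions for illustration.

```python
import re

# Constructed AD records for illustration (not real directory data). Attribute
# names are the standard ones: sAMAccountName is the pre-Windows 2000 logon,
# userPrincipalName the UPN, mail the e-mail address.
SAMPLE_AD = [
    {"sAMAccountName": "john.doe_CUSTID",            # multitenant case from the ticket
     "userPrincipalName": "john.doe@customerdomain.co.uk",
     "mail": "john.doe@customerdomain.co.uk"},
    {"sAMAccountName": "jdoe",                       # control user: sAM and UPN prefix agree
     "userPrincipalName": "jdoe@control.example",
     "mail": "jdoe-mail@control.example"},
]


def ldap_escape(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515),
    so a logon name cannot alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def ad_search_filter(login: str, resolve_by_upn: bool) -> str:
    """Filter string each lookup strategy would send to AD (hypothetical helper)."""
    if resolve_by_upn and "@" in login:
        return "(&(objectClass=user)(userPrincipalName=%s))" % ldap_escape(login)
    bare = login.split("@", 1)[0]
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_escape(bare)


def lookup_mail(directory, login: str, resolve_by_upn: bool):
    """In-memory stand-in for the AD search: returns the mail attribute of the
    single matching object, or None (the ticket's 'no email address' outcome).
    resolve_by_upn=False mimics an authenticator that strips the UPN suffix and
    searches by sAMAccountName only."""
    if resolve_by_upn and "@" in login:
        attr, want = "userPrincipalName", login.lower()
    else:
        attr, want = "sAMAccountName", login.split("@", 1)[0].lower()
    hits = [u for u in directory if u.get(attr, "").lower() == want]
    if len(hits) != 1:          # missing or ambiguous object: no address to return
        return None
    return hits[0].get("mail") or None


if __name__ == "__main__":
    for who in ("john.doe@customerdomain.co.uk", "jdoe@control.example"):
        print(who, "by sAM:", lookup_mail(SAMPLE_AD, who, False),
              "by UPN:", lookup_mail(SAMPLE_AD, who, True))
```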

History

Updated by Bryan Heath over 12 years ago

Ok, just so I am clear: it logs you in, however you get the error that it cannot find the user's email address, correct?

Updated by Matthew Dodd over 12 years ago

That's correct - the log files show:

[11-02-12 - 09:32] KAYAKO_LDAP_TEST: false
[11-02-12 - 09:32] Authenticated: true
[11-02-12 - 09:32] Type: Empty (Default to user)
[11-02-12 - 09:32] User does not have a email address in AD
[11-02-12 - 09:32] Session End

There is an email address on the account - in fact I've proved the cause by changing the pre-Windows 2000 logon name between matching and differing and that alone causes the issue.

Let me know if you need more info.

Updated by Bryan Heath over 12 years ago

Sorry I am really sort of stuck on what to do. I don't have anything to even test this on I don't think.

If you were willing to give me access I could at least try some things out. All I would need is FTP access and an account that matches one that is broken. I will sign an NDA if needed.

But beyond that I am not sure even what direction to point you in.

Sorry, I wish I could be more helpful :(

Updated by Sebastian Cerazy about 12 years ago

Same error happens to EVERY user in my AD (and every account has valid e-mail address filled)

  • UPN User Logon Name: jdoe
  • UPN Suffix: @part1.part2.local
  • Pre-Windows 2000 User Logon name: jdoe

but the e-mail address is

As you can see, the UPN does not match the e-mail at all (that's how I have it set up).

Seb
