Error when searching using "Include users with no Indico account"

Hi,

When searching for users, whenever we check the box for “Include users with no Indico account”, we get an exception. It does not matter if we are searching the “Family name” or “Given name”.

2024-03-29 16:56:21,846  19a5b251d27c4123  3763    indico.flask - ERROR errors.py:110 -- 'mail'

Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1484, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask/app.py", line 1469, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/flask/util.py", line 79, in wrapper
    return obj().process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 285, in process
    res = self._do_process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/web/rh.py", line 256, in _do_process
    rv = self._process()
  File "/opt/indico/.venv/lib/python3.9/site-packages/webargs/core.py", line 594, in wrapper
    return func(*args, **kwargs)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/modules/users/controllers.py", line 853, in _process
    matches = search_users(exact=exact, include_pending=True, external=external, **criteria)
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/modules/users/util.py", line 309, in search_users
    for ident in _deduplicate_identities(identities):
  File "/opt/indico/.venv/lib/python3.9/site-packages/indico/modules/users/util.py", line 243, in _deduplicate_identities
    for ident in identities:
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask_multipass/core.py", line 363, in search_identities
    yield from provider.search_identities(provider.map_search_criteria(criteria), exact=exact)
  File "/opt/indico/.venv/lib/python3.9/site-packages/flask_multipass/providers/ldap/providers.py", line 200, in search_identities
    yield IdentityInfo(self, identifier=user_data[self.ldap_settings['uid']][0], **user_data)
KeyError: 'mail'

{'data': {'get': {'external': 'true',
                  'favorites_first': 'true',
                  'first_name': 'michele'},

          'headers': {'Accept': 'application/json, text/plain, */*',
                      'Accept-Encoding': 'gzip, deflate, br, zstd',
                      'Accept-Language': 'en-US,en;q=0.9',
                      'Connection': 'keep-alive',
                      'Cookie': 'xxx'
                      'Host': 'x.x.com',
                      'Referer': 'https://x.x.com/event/1064/manage/timetable/',
                      'Sec-Ch-Ua': '"Google Chrome";v="123", '
                                   '"Not:A-Brand";v="8", "Chromium";v="123"',
                      'Sec-Ch-Ua-Mobile': '?0',
                      'Sec-Ch-Ua-Platform': '"Windows"',
                      'Sec-Fetch-Dest': 'empty',
                      'Sec-Fetch-Mode': 'cors',
                      'Sec-Fetch-Site': 'same-origin',
                      'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
                                    'AppleWebKit/537.36 (KHTML, like Gecko) '
                                    'Chrome/123.0.0.0 Safari/537.36',
                      'X-Csrf-Token': 'c039e008-907a-4243-96df-94ff43153119',
                      'X-Requested-With': 'XMLHttpRequest'},
          'json': None,
          'post': {},
          'url': {}},
 'endpoint': 'users.user_search',
 'id': '19a5b251d27c4123',
 'ip': 'x.x.x.x,
 'method': 'GET',
 'referrer': 'https://x.x.com/event/1064/manage/timetable/',
 'rh': 'RHUserSearch',
 'time': '2024-03-29T16:56:22.199274',
 'url': 'https://x.x.com/user/search/?external=true&first_name=michele&favorites_first=true',

Does anyone else have this issue or know how to fix this? Thank you.

Please share your IDENTITY_PROVIDERS config from indico.conf.

IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'phone': 'xxxPrimaryTelephoneNumber'
        },
        'trusted_email': True,
        'default_group_provider': False,
        'synced_fields': {'first_name', 'last_name', 'phone', 'address'},
        'identifier_field': 'mail'
    }
}

Also, I left off the first line in the Exception email earlier:

2024-03-29 16:54:14,278  9deab65f431a4c5a  3763    indico.flask - ERROR errors.py:110 -- 'mail'

So some configuration is wrong with Flask-Mail?

No, we do not use Flask-Mail (it’s a dead and unmaintained project), and the error has nothing to do with that. The error simply means that one of your search results from LDAP is missing the mail field, but since that’s your unique identifier it’s required.

Please also share the _ldap_config. But most likely you need to configure your LDAP filters in there in such a way that entries without this attribute are not returned. Most likely you need to adapt user_base and/or user_filter for this purpose.

I also just realized that we fixed a similar bug for group members recently, but not for users. The fixed version of our flask-multipass library will be included in Indico v3.3 which will be released very soon.

If you do not want to wait, you can apply this patch yourself. The path to this file is /opt/indico/.venv/lib/python3.9/site-packages/flask_multipass/providers/ldap/providers.py
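The failure mode discussed above, as an added example that is not part of the original thread and is not flask-multipass or Indico code: one LDAP entry without the identifier attribute aborts the whole search unless such entries are filtered out server-side or skipped client-side. The helper names `require_attribute` and `iter_identities` and the sample entries are hypothetical; the filter string mirrors the `user_filter` posted in this thread.

```python
# Added illustration; not the flask-multipass patch itself.
import logging

log = logging.getLogger("ldap_search_example")


def require_attribute(user_filter, attr):
    """AND a presence test for `attr` onto an existing LDAP filter."""
    if not (user_filter.startswith("(") and user_filter.endswith(")")):
        raise ValueError("expected a parenthesised LDAP filter")
    return f"(&{user_filter}({attr}=*))"


def iter_identities(entries, uid_attr):
    """Yield (identifier, attrs), skipping entries without a usable uid.

    `entries` are (dn, attrs) pairs; attrs maps an attribute name to a
    list of values, as LDAP search results do.
    """
    for dn, attrs in entries:
        values = [v for v in attrs.get(uid_attr, []) if v]
        if not values:
            # An unguarded attrs[uid_attr][0] raises KeyError here and
            # fails the whole search instead of dropping one bad entry.
            log.warning("skipping %s: no %r attribute", dn, uid_attr)
            continue
        yield values[0], attrs


# Constructed sample results; DNs and values are made up.
SAMPLE_ENTRIES = [
    ("uid=a1,ou=People,dc=x,dc=com",
     {"givenName": ["Michele"], "sn": ["Alpha"],
      "mail": ["michele.alpha@x.com"]}),
    ("uid=b2,ou=People,dc=x,dc=com",
     {"givenName": ["Michele"], "sn": ["Beta"]}),        # no mail at all
    ("uid=c3,ou=People,dc=x,dc=com",
     {"givenName": ["Michele"], "sn": ["Gamma"], "mail": []}),  # empty list
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(require_attribute("(&(objectClass=xxxAccount)(xxxempnum=*))", "mail"))
    for identifier, _ in iter_identities(SAMPLE_ENTRIES, "mail"):
        print(identifier)
```

The warning log gives a list of directory entries that lack the identifier attribute, which is useful when deciding whether to fix the data or tighten the filter.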

v3.3 containing the bugfix (among MANY other improvements) is out now: Indico 3.3 released

Here is the ldap config:

_ldap_config = {
    'uri': 'ldaps://host.x.com:636',
    'bind_dn': 'cn=indico-user,cn=operational,cn=other',
    'bind_password': '************',
    'timeout': 30,
    'verify_cert': False,
    'page_size': 1500,
    'uid': 'mail',
    'user_base': 'ou=People,dc=x,dc=com',
    'user_filter': '(&(objectClass=xxxAccount)(xxxempnum=*))',
}

We are running CentOS 7 with Apache due to SSO using Shibboleth so I can’t upgrade to 3.3 yet. I will try the patch. After I replace the providers.py file in the existing directory, is a restart of the system or a service required?

Another question. Since we will need to change the OS to use 3.3, we may move Indico to GCP. Are you aware of any issues with running Indico as a GCP VM?

Thank you.

Just restart indico-uwsgi.service and indico-celery.service after applying the patch and it should be fine.

Apache due to SSO using Shibboleth so I can’t upgrade to 3.3 yet.

While updating our docs I tested Shibboleth and it works fine with Apache and 3.3. So no need to worry about that part.

we may move Indico to GCP. Are you aware of any issues with running Indico as a GCP VM?

I never used GCP myself but if you can get a “normal” VM there (i.e. k8s or whatever) I’d expect it to work fine. Even more so if you use a cloud image of an operating system that we tested with (in fact, all testing I did for the updated setup instructions was on an OpenStack VM using the Cloud images downloaded from the websites of the various Linux distributions).

So is there something I should change in _ldap_config to fix the “indico.flask - ERROR errors.py:110 -- 'mail'” error?

_ldap_config = {
    'uri': 'ldaps://host.x.com:636',
    'bind_dn': 'cn=indico-user,cn=operational,cn=other',
    'bind_password': '************',
    'timeout': 30,
    'verify_cert': False,
    'page_size': 1500,
    'uid': 'mail',
    'user_base': 'ou=People,dc=x,dc=com',
    'user_filter': '(&(objectClass=xxxAccount)(xxxempnum=*))',
}

I also applied the patch but not sure what that fixed.

The patch should fix the error you’re getting, no need to change the config… If not, please provide the full traceback of the error again.

That fixed it. Thank you for your help!