Updated by Oliver Günther about 9 hours ago
### Steps to reproduce
1. On first install, seed an LDAP auth source from env vars: `OPENPROJECT_SEED_LDAP_<name>_<key>`.
2. Use keys following the usual `OPENPROJECT_*` double-underscore convention (e.g. `..._TLS__MODE`, `..._ACCOUNT`, `..._BASE__DN`) and single-underscore mapping keys (e.g. `..._LOGIN_MAPPING`).
3. Run the seeder (`db:seed`).
### What is the buggy behavior?
* Keys not matching the **literal options-hash name** are silently ignored:
  * `..._TLS__MODE` ignored → seeder fails with **"TLS mode is invalid or missing"** (the correct key is `SECURITY`).
  * `..._LOGIN_MAPPING` (single underscore) → `options["login_mapping"]` is nil → **"Username attribute can't be blank"** (must be `LOGIN__MAPPING`, doubled).
* The convention is undocumented and internally inconsistent: single-token keys stay single (`BINDUSER`, `BINDPASSWORD`, `BASEDN`, `SECURITY`), but underscore-bearing keys must be doubled (`LOGIN__MAPPING`, `TLS__VERIFY`). `..._NAME` is a silent no-op.
### What is the expected behavior?
* Document the exact keys (`BINDUSER`, `BINDPASSWORD`, `BASEDN`, `SECURITY`, `TLS_VERIFY`, `*_MAPPING`) and the single-vs-double-underscore rule; validate/warn on unknown keys at seed time instead of silently ignoring them; ideally accept intuitive aliases (`ACCOUNT`, `BASE__DN`, `TLS__MODE`, …).
### Root cause / proposed fix
* `LdapSeeder` reads `Setting.seed_ldap[<name>][<key>]` where `<key>` is the literal options-hash key, while the env-var → nested-hash parser splits the nested portion on single underscores. Verified against v17.4.0 `app/seeders/env_data/ldap_seeder.rb`.
* The LDAP seeder should run a test connection and output a warning if the connection cannot be established.
### Logs
```text
TLS mode is invalid or missing
Username attribute can't be blank
```
### Environment information
**OpenProject installation type**
* [x] Other (please specify): **Kubernetes — official OpenProject Helm chart (opf/helm-charts 13.5.1), deployed via ArgoCD on EC DIGIT CaaS (private cloud)**
**OpenProject version**
v17.3.1 (chart 13.5.1). Verified still present on v17.4.0.
**Browser**
* [x] Other (please specify): **N/A — server-side (seeder)**
**Operating System**
* [x] Linux (please specify distro): **Debian (OpenProject slim container base), on Kubernetes**
**Language**
Browser English (en); OpenProject user language English.
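
A pre-seed check along the lines of the "validate/warn on unknown keys" request, as an added example that is not part of the report or of OpenProject's code base. It assumes the parsing rule the report describes (a single `_` opens a new nesting level, `__` is a literal `_`) and only the option keys the report names; `lint_ldap_seed_env`, `SAMPLE_ENV` and the source name `CORP` are hypothetical.

```ruby
# Added example: lint OPENPROJECT_SEED_LDAP_* variables before running db:seed.
# Assumption (from the report): "_" separates nesting levels, "__" is a literal "_".
PREFIX = "OPENPROJECT_SEED_LDAP_"
# Option keys named in the report; extend with the other options your release
# accepts (the report does not enumerate them). Any "*_mapping" key is accepted.
KNOWN_KEYS = %w[binduser bindpassword basedn security tls_verify].freeze
# The only rename the report states explicitly.
RENAMES = { "tls_mode" => "security" }.freeze

# Constructed sample environment; values are placeholders.
SAMPLE_ENV = {
  "OPENPROJECT_SEED_LDAP_CORP_SECURITY"       => "placeholder",
  "OPENPROJECT_SEED_LDAP_CORP_TLS__MODE"      => "placeholder", # wrong name
  "OPENPROJECT_SEED_LDAP_CORP_LOGIN_MAPPING"  => "uid",         # single underscore
  "OPENPROJECT_SEED_LDAP_CORP_LOGIN__MAPPING" => "uid",         # correct form
  "PATH"                                      => "/usr/bin"
}.freeze

# Split on single underscores only, then turn "__" into a literal "_".
def split_segments(rest)
  rest.split(/(?<!_)_(?!_)/).map { |s| s.gsub("__", "_").downcase }
end

def known_key?(key)
  KNOWN_KEYS.include?(key) || key.end_with?("_mapping")
end

# Returns one warning string per variable the seeder would not pick up.
def lint_ldap_seed_env(env)
  env.keys.select { |k| k.start_with?(PREFIX) }.sort.filter_map do |var|
    name, *path = split_segments(var.delete_prefix(PREFIX))
    key = path.join("_")
    if path.empty?
      "#{var}: no option key after source name '#{name}'"
    elsif path.size > 1 && known_key?(key)
      fixed = "#{PREFIX}#{name.upcase}_#{key.upcase.gsub('_', '__')}"
      "#{var}: parsed as nested #{path.inspect}; use #{fixed}"
    elsif path.size > 1 || !known_key?(key)
      hint = RENAMES[key] ? " (use #{RENAMES[key].upcase})" : ""
      "#{var}: unknown option '#{key}' is ignored#{hint}"
    end
  end
end

lint_ldap_seed_env(SAMPLE_ENV).each { |w| warn w } if $PROGRAM_NAME == __FILE__
```

Running it against the real environment (`lint_ldap_seed_env(ENV.to_h)`) in an init step surfaces an ignored TLS or mapping key before the seeder fails on it.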