Crashing when encountering users without an email address

[ViViDboarder]

Additional information for someone who tries to achieve the same as I.
The invite of the users can fail with the following message:

Try to invite user: 
Error inviting users from ldap. Count 0: Failed to invite user 

Caused by:
    0: http error making request reqwest::Error { kind: Status(500), url: Url { scheme: "http", cannot_be_a_base: false, username: "", password: None, host: Some(Domain("vaultwarden")), port: None, path: "/admin/invite", query: None, fragment: None } }
    1: HTTP status server error (500 Internal Server Error) for url (http://vaultwarden/admin/invite)

This is caused because authentik has users for the outposts as service accounts. Those are sent if a search query from vaultwarden_ldap is done. This service users hve an empty mail field. So the vaultwarden_ldap fails to send new invites, because the mail is empty. I fixed this by editing the search_filter to check for empt mails: ldap_search_filter = "(&(objectClass=user)(mail=*@*))".
This works now.

@ViViDboarder To prevent this error and crash of the whole program, could you add a check if the mail is empty in the function invite_from_ldap to simply go further and log it.

Originally posted by @Rufmord in #99 (comment)

[ViViDboarder]

@Rufmord To be clear, these users have the email field present, but it is blank, correct? I’ve already got an integration test for missing fields but not an empty field.

Actually, thinking more about this, since this is really failing on the Vaultwarden side we’re not going to be able to validate every address (some invalid but non-blank). Perhaps logging all failed Vaultwarden calls and not crashing is the best course of action.

[Rufmord]

Correct, here is an example:
(made with ldapsearch on CLI)

dn: cn=ak-outpost-id,ou=users,dc=ldap,dc=domain,dc=tld
goauthentik.io/user/service-account: true
goauthentik.io/user/override-ips: true
displayName: Outpost LDAP Outpost Service-Account
objectClass: user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: goauthentik.io/ldap/user
goauthentik.io/ldap/active: true
cn: ak-outpost-id
sAMAccountName: ak-outpost-id
uidNumber: id
gidNumber: id
goauthentik.io/ldap/superuser: false
uid: id
name: Outpost LDAP Outpost Service-Account
mail:

[Rufmord]

I do not have the logs of vaultwarden any more, but the error was 500 on /admin/invite. Vaultwarden should also return an error message that the mail is empty.

[ViViDboarder]

I'm going to close this because I haven't heard anything since.

[Rufmord]

Yeah, I used ldap_search_filter = "(&(objectClass=user)(mail=*@*))", to filter accounts with valid mails. If you could merge !101 it would be more resilient for future usage.