[PR #1273] Allow email-based login for web UI only (LDAP bind remains username-only) #1221

Open
opened 2026-02-27 09:11:23 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/lldap/lldap/pull/1273
Author: @Copilot
Created: 9/4/2025
Status: 🔄 Open

Base: main ← Head: copilot/fix-727


📝 Commits (3)

  • 6032004 Initial plan
  • 2d899d5 Implement email login functionality - allow login with email address
  • a825334 Fix LDAP bind to not support email login - only allow email login for web UI

📊 Changes

1 file changed (+86 additions, -9 deletions)


📝 crates/sql-backend-handler/src/sql_opaque_handler.rs (+86 -9)

📄 Description

This PR implements email-based login functionality for the web UI to provide consistent behavior between the login form and password reset form, while maintaining LDAP standards compliance.

Problem

Users could reset their password using either their username or email address, but the login form only accepted usernames. This created an inconsistent user experience where users might receive a password reset email but then be unable to log in using the same email address they used for the reset.

Solution

Modified the web UI login system to support email-based authentication while keeping LDAP bind operations username-only:

  1. LDAP bind operations: Continue to only support username authentication (maintains LDAP standards compliance)
  2. Web UI login: Now supports both username and email authentication with a fallback approach:
    • Try username first: Attempt to find and authenticate the user by the provided name as a user ID
    • Fallback to email: If no user found by user ID, search for a user with the provided name as an email address
    • Authenticate with actual user ID: If found by email, use the actual user ID for password verification

Implementation Details

  • Enhanced the OpaqueHandler::login_start method (used for web UI) to support email login
  • Added find_user_id_by_email helper method that uses existing UserRequestFilter::Equality(UserColumn::Email, ...)
  • The LoginHandler::bind method (used for LDAP operations) remains unchanged and username-only
  • Enhanced logging to show the authentication flow for debugging
  • Handles edge cases like multiple users with the same email (logs warning and denies login)

Example Usage

LDAP clients (unchanged behavior):

Username: admin
Password: password

Web UI can now use either format:

Username: admin
Password: password

OR

Username: admin@example.com
Password: password

The email-based login works for:

  • Web UI login form
  • API OPAQUE login endpoints

Testing

  • LDAP bind only supports username login (email login properly rejected)
  • Web UI supports both username and email login
  • Non-existent emails are properly rejected
  • Server builds and starts successfully
  • No breaking changes to existing functionality

Fixes #727.


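The username-first, email-fallback resolution described in the PR body above, as an added example that is neither lldap's code nor part of this PR. It stands in for the SQL backend with an in-memory table, keeps LDAP bind username-only, and denies an ambiguous email instead of picking one account. Every name here (UserStore, UserRecord, LoginSurface, Resolution, resolve_login_id, sample_store, the sample accounts) is an assumption; the real OpaqueHandler::login_start then runs the OPAQUE exchange against the resolved user ID, which is not reproduced.

```rust
use std::collections::BTreeMap;

/// One row of the constructed user table (not project data). lldap stores
/// more columns; only the two the PR's lookup touches are modelled.
#[derive(Debug, Clone)]
pub struct UserRecord {
    pub user_id: String,
    pub email: String,
}

/// Which front door the credential arrived through.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LoginSurface {
    /// LDAP bind (LoginHandler::bind in the PR): username only, no fallback.
    LdapBind,
    /// Web UI / OPAQUE API (OpaqueHandler::login_start in the PR).
    WebUi,
}

/// Outcome of resolving the name typed into the login form.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Resolution {
    /// Canonical user ID to run password verification against.
    UserId(String),
    /// Nothing matched as a user ID, nor (web UI only) as an email.
    NotFound,
    /// Several accounts share the email: deny rather than guess.
    AmbiguousEmail(usize),
}

/// Minimal in-memory stand-in for the SQL backend (assumed, not lldap's type).
pub struct UserStore {
    by_id: BTreeMap<String, UserRecord>,
}

impl UserStore {
    pub fn new(users: Vec<UserRecord>) -> Self {
        let by_id = users.into_iter().map(|u| (u.user_id.clone(), u)).collect();
        UserStore { by_id }
    }

    /// Direct user-ID lookup (primary key).
    pub fn get_by_id(&self, user_id: &str) -> Option<&UserRecord> {
        self.by_id.get(user_id)
    }

    /// Stand-in for UserRequestFilter::Equality(UserColumn::Email, ...):
    /// exact, case-sensitive match returning every row that matches, since
    /// the email column is not assumed to be unique.
    pub fn find_by_email(&self, email: &str) -> Vec<&UserRecord> {
        self.by_id.values().filter(|u| u.email == email).collect()
    }
}

/// The fallback the PR describes: user ID first, then (web UI only) email;
/// the password check always runs against the resolved user ID.
pub fn resolve_login_id(store: &UserStore, surface: LoginSurface, name: &str) -> Resolution {
    // Step 1 (both surfaces): treat the provided name as a user ID.
    if let Some(user) = store.get_by_id(name) {
        return Resolution::UserId(user.user_id.clone());
    }
    // LDAP bind stops here: an email in the bind DN is not a valid uid.
    if surface == LoginSurface::LdapBind {
        return Resolution::NotFound;
    }
    // Step 2 (web UI only): treat the provided name as an email address.
    let matches = store.find_by_email(name);
    match matches.as_slice() {
        [] => Resolution::NotFound,
        [single] => Resolution::UserId(single.user_id.clone()),
        many => {
            // Mirrors "logs warning and denies login" from the PR description.
            eprintln!("warning: {} accounts share email {name}; refusing ambiguous login", many.len());
            Resolution::AmbiguousEmail(many.len())
        }
    }
}

/// Constructed sample data: a normal account, two accounts sharing an email,
/// and one whose user ID itself looks like an email address.
pub fn sample_store() -> UserStore {
    let rec = |id: &str, mail: &str| UserRecord { user_id: id.into(), email: mail.into() };
    UserStore::new(vec![
        rec("admin", "admin@example.com"),
        rec("bob", "shared@example.com"),
        rec("carol", "shared@example.com"),
        rec("dave@corp.example", "dave.smith@example.com"),
    ])
}

fn main() {
    let store = sample_store();
    for (surface, name) in [
        (LoginSurface::LdapBind, "admin"),
        (LoginSurface::LdapBind, "admin@example.com"),
        (LoginSurface::WebUi, "admin@example.com"),
        (LoginSurface::WebUi, "shared@example.com"),
        (LoginSurface::WebUi, "dave@corp.example"),
        (LoginSurface::WebUi, "nobody@example.com"),
    ] {
        println!("{surface:?} {name:>22} -> {:?}", resolve_login_id(&store, surface, name));
    }
}
```

Two consequences of the ordering are worth checking against the real handler before relying on it. Because the user-ID lookup runs first, a user ID that happens to look like an email (dave@corp.example above) always wins over the email column, so an account whose email equals another account's user ID is unreachable by email. And whether the Equality filter on the email column is case-sensitive is not stated in the PR; the stand-in above uses an exact match.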