Proper settings for LDAP auth using either login or email to connect

[bmaurybouet]

In the UI of weblate the sign-in page invites user to use either their username or email to connect.
I wanted to replicate this in my LDAP auth settings by setting (in docker environment)

WEBLATE_AUTH_LDAP_USER_SEARCH_FILTER='(|(sAMAccountName=%(user)s)(mail=%(user)s))'
WEBLATE_AUTH_LDAP_USER_ATTR_MAP='full_name:name,email:mail'

So this kinda works as it validate the passwords properly but it then create an issue as Weblate is trying to create another user
so either I get an error because the username or email endsup being duplicated
Here's the result on a test instance:

<html>
<body>
<!--StartFragment--><h1 style="padding: 0px; margin: 0px; font-weight: normal; color: rgb(0, 0, 0); font-family: sans-serif; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">IntegrityError at /accounts/login/</h1><pre class="exception_value" style="padding: 0px; margin: 10px 0px; font-size: 1.5rem; white-space: pre-wrap; word-break: break-word; font-family: sans-serif; color: rgb(87, 87, 87); font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;">duplicate key value violates unique constraint "weblate_auth_user_email_aaabd769_uniq"
DETAIL:  Key (email)=(benoit.maurybouet@buildarocketboy.com) already exists.</pre>
Request Method: | POST
-- | --
http://localhost:8181/accounts/login/
5.1.7
IntegrityError
duplicate key value violates unique constraint "weblate_auth_user_email_aaabd769_uniq" DETAIL:  Key (email)=(XXXXX@YYYYY.com) already exists.
/app/venv/lib/python3.13/site-packages/psycopg/cursor.py, line 97, in execute
weblate.accounts.views.WeblateLoginView
/app/venv/bin/python3
3.13.2
['/',  '/',  '/app/venv/bin',  '/usr/local/lib/python313.zip',  '/usr/local/lib/python3.13',  '/usr/local/lib/python3.13/lib-dynload',  '/app/venv/lib/python3.13/site-packages',  '/app/data/python']
Thu, 27 Mar 2025 10:26:53 +0000

<!--EndFragment-->
</body>
</html>

I also tried to force attributes to try the map the username

WEBLATE_AUTH_LDAP_USER_SEARCH_FILTER='(|(sAMAccountName=%(user)s)(mail=%(user)s))'
WEBLATE_AUTH_LDAP_USER_ATTR_MAP='full_name:name,email:mail,username:sAMAccountName'

but then it's the username that gets duplicated
Am I missing something ? or is this how it's supposed to work ?

[nijel]

This works with native login and I don't think it works with LDAP. LDAP backend always uses the passed string as username, thus when authenticating by e-mail it doesn't match an authenticated user to an existing one and tries to create another one with the same e-mail.