SSO Login via LDAP

I think some work is in progress for an IDP (issue on github), you can see if it meets your requirements or extend and contribute to it.

Thanks!

Did you ever get an SSO solution working for ERPNext? I need one too.


We are in the same situation and I’ve searched the net and this forum extensively but there doesn’t seem to be any information on exactly how to implement SSL/TLS security for LDAP other than the link posted above which merely points to a couple of dropdowns on the LDAP Integration page. For me, setting these dropdowns only results in a dialog telling me that StartTLS is not supported. We are using Active Directory LDAP and our SonicWall is using its StartTLS with no problem so we understand the configuration on that end. What I can’t seem to figure out is what to configure on the ERPNext side. It seems to me that there should be an entry in site_config.json but the information on this is pretty scant as well. For example, where does the local copy of the certificate go? I have https working just fine. Is this supposed to be using the same certificate and key?

I’d love to hear from anyone out there that has this working. Thanks.

Welcome to ERPNext Rich,

Quite possibly what you have stumbled on is a bug :slight_smile:

https://github.com/frappe/frappe/issues/6178

https://github.com/frappe/frappe/pull/6181

edit: A note here gives a code workaround? False "Start_TLS is not supported" error exception raised while logging in with LDAP · Issue #6101 · frappe/frappe · GitHub

Perhaps someone with LDAP access or knowhow can add to the conversation?

We use ERPNext LDAP StartTLS with an OpenLDAP server, and it works correctly using only the two dropdowns (although, we are on v10 - I can’t comment on v11).

Usually, if someone gets this error, it is a problem with the LDAP/AD server and its configuration. However, since you are already using the SonicWall with it, then that’s likely not the issue.

If there is a problem/bug, it’s likely the problem will be related to the code and Active Directory. Someone who uses (or has tried to use) LDAP with StartTLS with AD will most likely need to respond.

I checked out this test site Online LDAP Test Server - Forum Systems

Apparently LDAPS (SSL/TLS) is not enabled there so that is no help to debug.

Queries like these work for me, but neither does that help your issue.

ldapsearch -W -h ldap.forumsys.com -D 'uid=tesla,dc=example,dc=com' -b 'dc=example,dc=com'

I am not openssl savvy but this session may give you ideas Can't set up email in local environment

Hi Rich, yeah, we had found the same thing. I just rewrote the LDAP module tonight using the ldap3 Python module. Much nicer, can use SSL/TLS to your heart's content, and it's pure Python, so then you don't need to worry about any dependencies.
I just tested it out against an AD 2016 forest tonight and it is working A-OK. If you want to try it out I will get a PR set up and you can pull the changes to test.

Things tested: Connect on port 389, then start a TLS session, then do a bind (works)
Connect on port 389, no TLS session, bind
Connect via LDAPS on port 636, ignore cert
Connect via LDAPS on port 636 with cert validation on, and it fails as it should (I don't have a real cert on my domain controller)

I will submit a PR to frappe as well, but I don’t know if they will be interested in merging it in.
Thanks

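The four connection modes listed in the post above, written out with the ldap3 API as an added example (this is not code from the PR or from frappe; the host, bind DN, password and CA file are placeholders you would replace). The fourth mode is the one that is expected to fail against a domain controller whose certificate does not chain to a trusted CA.

```python
"""Added example: the four LDAP connection modes tested in the post above,
expressed with the ldap3 API. Not frappe's or the PR's own code."""
import ssl

# Mode name -> (port, use_ssl, start_tls, certificate validation policy)
MODES = {
    "plain":         (389, False, False, ssl.CERT_NONE),      # 389, no TLS, bind
    "starttls":      (389, False, True,  ssl.CERT_REQUIRED),  # 389, StartTLS, then bind
    "ldaps_nocheck": (636, True,  False, ssl.CERT_NONE),      # 636, cert ignored
    "ldaps_verify":  (636, True,  False, ssl.CERT_REQUIRED),  # 636, cert must chain to CA
}


def connection_plan(mode):
    """Return the connection parameters for a mode; raises on an unknown mode."""
    try:
        port, use_ssl, start_tls, validate = MODES[mode]
    except KeyError:
        raise ValueError(f"unknown LDAP mode {mode!r}") from None
    return {
        "port": port,
        "use_ssl": use_ssl,
        "start_tls": start_tls,
        "validate": validate,
        # Only StartTLS or LDAPS puts the bind credentials inside TLS.
        "encrypted": use_ssl or start_tls,
    }


def ldap_bind(mode, host, bind_dn, password, ca_file=None):
    """Open the socket, upgrade to TLS if the mode says so, and bind.
    Returns True on a successful bind. ldap3 is imported here so that
    connection_plan() is usable without the library installed."""
    import ldap3
    plan = connection_plan(mode)
    # ca_file is a placeholder path to the CA bundle that signed the server cert;
    # with CERT_REQUIRED and no usable CA the handshake fails, which is the
    # behaviour wanted for a self-signed domain controller certificate.
    tls = ldap3.Tls(validate=plan["validate"], ca_certs_file=ca_file)
    server = ldap3.Server(host, port=plan["port"], use_ssl=plan["use_ssl"],
                          tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_dn, password=password)
    conn.open()
    if plan["start_tls"]:
        conn.start_tls()  # raises LDAPStartTLSError if the server refuses StartTLS
    ok = conn.bind()
    conn.unbind()
    return ok
```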

Excellent cjpit,

I can’t speak for Frappe, but to include a test or two to exercise and prove that your code works, that would help expedite their review approval process.

I am not aware of any LDAP connection tests, so whatever you can contribute would be a big benefit to the community.

thanks!

The ldap connection tests are covered by the ldap3 python module itself (it has its own testing framework). I will submit some unit tests for the frappe project to go with it though, to ensure certs are passed to the ldap3 module etc, that the fields are updated on the appropriate user on login etc etc.


@clarkej, @rmehta
I’ve submitted a PR at feat: Ldap rewrite/upgrade by cjpit · Pull Request #7378 · frappe/frappe · GitHub

This includes a new test framework based on pytest with 16 tests for the functionality.
Let me know what you think.

Thank you


Excellent work cjpit. I just pulled it and it’s working without a hitch. Thank you!

And, to answer my own question about the certificate, I just followed the directions found here.

Ok, so today it’s mysteriously broken. It was working perfectly until now. I did a bench update yesterday which is about the only thing I can think of that has changed.

bench version = 11.1.32/11.1.30

When I try to login via LDAP, I get a dialog telling me to install the ldap3 library, which is already installed:


Also, I don’t see where anything is getting logged so I’m a bit clueless as to where to start looking.
I can issue ldapsearch from the terminal and still talk to my ldap server so I know that’s working. I’ve verified the ldap3 installation via pip and even forced a reinstall. Also, the same dialog box above appears if I go to the ldap settings on the integration page and just hit save, without changing anything.

Hi Rich, sorry I’m out ill at the moment, but I will take a look - in the meantime, in your frappe bench directory, as the user frappe, can you run this command
./env/bin/pip3 list | grep ldap
and let me know what the output is

Thanks

Thanks Cameron, It’s not a rush though and I hope you get better soon. The data you asked for is:

python-ldap 3.2.0

Hi Rich, ok so that's the problem! That's the old ldap package, and isn't used anymore.
Please do a
./env/bin/pip3 install ldap3

Was also surprised for LDAP to stop working after the update. The message was informative enough to hint at the solution, but still too critical. There should be a mechanism to install necessary dependencies automatically during update (and possibly uninstall redundant ones) if the update needs those, like in this case.

When I rewrote it, I used the same mechanism that was already in place. It’s an optional feature so you wouldn’t want to install it if it isn’t necessary. I can see the documentation needs to be updated anyway, so I will ensure that the directions there indicate how to install.


Agree. I wonder if bench could condition installation based on the presence of the older ldap dependency. But I guess that would over-complicate the problem.

Thanks Cameron, that did the trick.