
SSO Login via LDAP

customization

#1

Does ERPNext support any sort of SSO authentication?

I have all my users authenticating via LDAP and that’s working well. We’re in the process of building an intranet/dashboard for clients and employees to login to, with the same LDAP credentials. My question is: does ERPNext support any sort of SSO? So that way when users login to the Intranet they can click on a link to ERPNext and automatically be authenticated with the same credentials. (We’re also using this with Nextcloud - my goal is to only make users login once, instead of into every application, because everything is using LDAP/Active Directory.)


#2

Check the following link


#3

Thanks! I have LDAP configured and working great! I’m trying to figure out if ERPNext can use SSO via SAML or something. That way I can use OneLogin or ADFS.


#4

I think some work is in progress for an IDP (issue on github), you can see if it meets your requirements or extend and contribute to it.


#5

Thanks!


#6

Did you ever get an SSO solution working for ERPNext? I need one too.


#7

We are in the same situation and I’ve searched the net and this forum extensively but there doesn’t seem to be any information on exactly how to implement SSL/TLS security for LDAP other than the link posted above which merely points to a couple of dropdowns on the LDAP Integration page. For me, setting these dropdowns only results in a dialog telling me that StartTLS is not supported. We are using Active Directory LDAP and our SonicWall is using its StartTLS with no problem so we understand the configuration on that end. What I can’t seem to figure out is what to configure on the ERPNext side. It seems to me that there should be an entry in site_config.json but the information on this is pretty scant as well. For example, where does the local copy of the certificate go? I have https working just fine. Is this supposed to be using the same certificate and key?

I’d love to hear from anyone out there that has this working. Thanks.


#8

Welcome to ERPNext Rich,

Quite possibly what you have stumbled on is a bug :)

edit: A note here gives a code workaround? https://github.com/frappe/frappe/issues/6101

Perhaps someone with LDAP access or knowhow can add to the conversation?


#9

We use ERPNext LDAP StartTLS with an OpenLDAP server, and it works correctly using only the two dropdowns (although, we are on v10 - I can’t comment on v11).

Usually, if someone gets this error, it is a problem with the LDAP/AD server and its configuration. However, since you are already using the SonicWall with it, then that’s likely not the issue.

If there is a problem/bug, it’s likely the problem will be related to the code and Active Directory. Someone who uses (or has tried to use) LDAP with StartTLS with AD will most likely need to respond.


#10

I checked out this test site https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

Apparently LDAPS (SSL/TLS) is not enabled there so that is no help to debug.

Queries like these work for me, but neither does that help your issue.

ldapsearch -W -h ldap.forumsys.com -D 'uid=tesla,dc=example,dc=com' -b 'dc=example,dc=com'

I am not openssl savvy but this session may give you ideas: Can't set up email in local environment


#11

Hi Rich, yeah, we had found the same thing. I just rewrote the ldap module tonight using the ldap3 python module. Much nicer, can use ssl/tls to your heart’s content and it’s pure python, so then you don’t need to worry about any dependencies.
I just tested it out against an AD 2016 forest tonight and it is working A-OK. If you want to try it out I will get a PR set up and you can pull the changes to test.

Things tested:
Connect on port 389, then start a TLS session, then do a bind (works)
Connect on port 389, no TLS session, bind
Connect via LDAPS on port 636, ignore cert -
Connect via LDAPS on port 636 with cert validation on, and it fails as it should (I don’t have a real cert on my domain controller)

I will submit a PR to frappe as well, but I don’t know if they will be interested in merging it in.
Thanks
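The four cases listed above (plain bind, StartTLS on 389, LDAPS on 636 with and without certificate checking), as an added illustration using the ldap3 module rather than code from the PR itself. It assumes ldap3's `Tls`, `Server` and `Connection` classes; the host, bind DN and CA bundle path are placeholders. The point for operators is the last case: a bind that "fails as it should" when the CA file is missing is the check doing its job, and the `ca_file=None` (ignore cert) path should only be a lab setting.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapTlsPolicy:
    """Transport choice plus whether the server certificate is verified."""
    host: str
    port: int
    mode: str                 # "plain", "starttls" or "ldaps"
    ca_file: Optional[str]    # PEM bundle that signed the DC's cert; None = no check

    @property
    def verify_mode(self) -> int:
        # CERT_NONE accepts any certificate, so an interposed server could
        # capture the bind credentials; require verification whenever a CA is given.
        return ssl.CERT_NONE if self.ca_file is None else ssl.CERT_REQUIRED

    def checks_server_cert(self) -> bool:
        return self.verify_mode == ssl.CERT_REQUIRED


def make_policy(host: str, mode: str, ca_file: Optional[str] = None,
                port: Optional[int] = None) -> LdapTlsPolicy:
    """Build a policy, defaulting the port from the mode (389 vs 636)."""
    if mode not in ("plain", "starttls", "ldaps"):
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "plain" and ca_file is not None:
        raise ValueError("a CA file has no effect on a plaintext connection")
    if port is None:
        port = 636 if mode == "ldaps" else 389
    return LdapTlsPolicy(host, port, mode, ca_file)


def bind(policy: LdapTlsPolicy, bind_dn: str, password: str):
    """Open, upgrade to TLS if requested, and bind. Returns the ldap3 Connection."""
    import ldap3  # imported here so the policy helpers above work without ldap3

    tls = None
    if policy.mode != "plain":
        tls = ldap3.Tls(validate=policy.verify_mode, ca_certs_file=policy.ca_file)
    server = ldap3.Server(policy.host, port=policy.port,
                          use_ssl=(policy.mode == "ldaps"), tls=tls)
    conn = ldap3.Connection(server, user=bind_dn, password=password)
    conn.open()
    if policy.mode == "starttls":
        conn.start_tls()  # upgrade the port-389 session before credentials are sent
    if not conn.bind():
        raise RuntimeError(f"bind failed: {conn.result}")
    return conn
```

Example call (placeholder values): `bind(make_policy("dc01.example.test", "starttls", "/etc/ssl/certs/example-ad-ca.pem"), "CN=svc-erpnext,OU=Service,DC=example,DC=test", "...")`.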


#12

Excellent cjpit,

I can’t speak for Frappe, but to include a test or two to exercise and prove that your code works, that would help expedite their review approval process.

I am not aware of any LDAP connection tests, so whatever you can contribute would be a big benefit to the community.

thanks!


#13

The ldap connection tests are covered by the ldap3 python module itself (it has its own testing framework). I will submit some unit tests for the frappe project to go with it though, to ensure certs are passed to the ldap3 module etc, that the fields are updated on the appropriate user on login etc etc.


#14

@clarkej, @rmehta
I’ve submitted a PR at https://github.com/frappe/frappe/pull/7378

This includes a new test framework based on pytest with 16 tests for the functionality.
Let me know what you think.

Thank you


#15

Excellent work cjpit. I just pulled it and it’s working without a hitch. Thank you!

And, to answer my own question about the certificate, I just followed the directions found here.


#16

Ok, so today it’s mysteriously broken. It was working perfectly until now. I did a bench update yesterday which is about the only thing I can think of that has changed.

bench version = 11.1.32/11.1.30

When I try to login via LDAP, I get a dialog telling me to install the ldap3 library, which is already installed:


Also, I don’t see where anything is getting logged so I’m a bit clueless as to where to start looking.
I can issue ldapsearch from the terminal and still talk to my ldap server so I know that’s working. I’ve verified the ldap3 installation via pip and even forced a reinstall. Also, the same dialog box above appears if I go to the ldap settings on the integration page and just hit save, without changing anything.


#17

Hi Rich, sorry I’m out ill at the moment, but I will take a look - in the meantime, in your frappe bench directory, as the user frappe, can you run this command
./env/bin/pip3 list | grep ldap
and let me know what the output is

Thanks


#18

Thanks Cameron. It’s not a rush though and I hope you get better soon. The data you asked for is:

python-ldap 3.2.0


#19

Hi Rich, ok, so that’s the problem! That’s the old ldap package, and it isn’t used anymore.
Please do a
./env/bin/pip3 install ldap3


#20

Was also surprised for LDAP to stop working after the update. The message was informative enough to hint at the solution, but still too critical. There should be a mechanism to install necessary dependencies automatically during update (and possibly uninstall redundant ones) if the update needs those, like in this case.