Quite urgent: Accessing Cloudron LDAP from an external instance of EspoCRM
-
Managed to expose LDAP to VPN by amending iptables on the cloudron host:
$ iptables -I CLOUDRON 4 -s 10.100.10.0/16 -i tun0 -p tcp -m tcp --dport 3002 -j ACCEPTBut when I try to connect to ldap using ldapsearch, it returns an error.
ldapsearch -x -b "ou=users,dc=cloudron" -D "cn=0111a111b-111-1111-1111-1111111,ou=apps,dc=cloudron" -W${CLOUDRON_LDAP_BIND_PASSWORD} -H ldap://10.100.10.1:3002Error:
# extended LDIF # # LDAPv3 # base <ou=users,dc=cloudron> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error matchedDN: ou=users, dc=cloudron text: App not found # numResponses: 1The same DN and password work well in the application.
-
@marcusquinn the LDAP on the Cloudron will only serve to localhost, so there is no way currently to expose it to the public internet. Even if we patch it to listen to 0.0.0.0 it will not be secure and you will leak passwords.
Since you linked all those forum issues, what exactly is the issue? Apache simply stops responding at some point and you don't see the logs?
In similar environments like passenger through apache, this usually means that some requests take too long, exhausting the pool of request handlers or they get even stuck indefinitely. Could this be the issue?
@nebulon And herein lies another layer of blockage we have to circumnavigate.
It is business-critical these issues are solved, and the costs of not solving them are astronomical.
So, for every can't or won't, we have to find a can and will, we simply have no option but to solve this.
Now, what I need to know is who can or is willing to persevere through to a resolution.
For the many things people have commented in guesswork, we are still lacking evidence, the lack of evidence encourages further speculation and the merry-go-round continues without a solution.
So what can we do? And, what will anyone do?
-
Managed to expose LDAP to VPN by amending iptables on the cloudron host:
$ iptables -I CLOUDRON 4 -s 10.100.10.0/16 -i tun0 -p tcp -m tcp --dport 3002 -j ACCEPTBut when I try to connect to ldap using ldapsearch, it returns an error.
ldapsearch -x -b "ou=users,dc=cloudron" -D "cn=0111a111b-111-1111-1111-1111111,ou=apps,dc=cloudron" -W${CLOUDRON_LDAP_BIND_PASSWORD} -H ldap://10.100.10.1:3002Error:
# extended LDIF # # LDAPv3 # base <ou=users,dc=cloudron> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error matchedDN: ou=users, dc=cloudron text: App not found # numResponses: 1The same DN and password work well in the application.
@vladimir-d Good thinking and progress!
@nebulon & @girish we have the need, appetite and commitment to solve this, will you help with that please?
Every and any solutions we find or create, we willingly share with the community, there's a lot of investment on the line for our commitments to share here, whatever you can help with is highly appreciated. If you need something for this time, please do let me know.
Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com -
@vladimir-d Good thinking and progress!
@nebulon & @girish we have the need, appetite and commitment to solve this, will you help with that please?
Every and any solutions we find or create, we willingly share with the community, there's a lot of investment on the line for our commitments to share here, whatever you can help with is highly appreciated. If you need something for this time, please do let me know.
@marcusquinn so the ldap server will also validated the source IP address to verify that it actually comes from the docker container of the app as well as identifying the app for access control checks. See https://git.cloudron.io/cloudron/box/-/blob/6.3/src/ldap.js#L32
Not sure how to easily solve this there without hardcoding IP addresses in that function. Especially patching your local version just leads to problems on updates of course.
-
Our current workaround for a multi-cloudron setup is to use an external LDAP for the user base and external LDAP-connected Cloudrons. We use UCS for this purpose. Because of the complexity of UCS, this is not ideal. Therefore, we are working on an identity provider based on Drupal to connect other applications via oauth, openID and later id4me.
Do you know if EspoCRM is able to use any of these protocols? -
@nebulon could you suggest a workaround of
App not foundto connect to LDAP?Could you amend the code so it reads the allowed IPs from a config file or Cloudron console?
@vladimir-d is this happening on your instance I have SSH access to? If so, can you send me the IPs via support@cloudron.io, then I can see if I can hack this. However really this is only a temporary solution, as in we wont add support for that case into the platform like a config option or such.
-
@vladimir-d is this happening on your instance I have SSH access to? If so, can you send me the IPs via support@cloudron.io, then I can see if I can hack this. However really this is only a temporary solution, as in we wont add support for that case into the platform like a config option or such.
@nebulon Yes, it's the instance you have SSH access.
We understand it's a temporary workaround and there could be upgrade issues (re-applying the patch), just need this done as soon as possible.
Later we can look at packaging of some LDAP proxy app or using external LDAP or wait when you implement a solution in the mainstream.Thanks a lot!
ps. just sent details by email. -
Our current workaround for a multi-cloudron setup is to use an external LDAP for the user base and external LDAP-connected Cloudrons. We use UCS for this purpose. Because of the complexity of UCS, this is not ideal. Therefore, we are working on an identity provider based on Drupal to connect other applications via oauth, openID and later id4me.
Do you know if EspoCRM is able to use any of these protocols?@luckow Sounds fun! Espo currently only offers self-auth or LDAP.
We still need to look into UCS more as well and might have more questions on that. SSO is still quite a leap of endeavour more than is should be. I'd be very happy if we can solve all of that with open-source.
-
@vladimir-d is this happening on your instance I have SSH access to? If so, can you send me the IPs via support@cloudron.io, then I can see if I can hack this. However really this is only a temporary solution, as in we wont add support for that case into the platform like a config option or such.
@nebulon Never say never! We wouldn't be jumping through all these obstacles if it weren't that we are forced to for lack of practical alternatives. These are very valuable solutions for everyone to have both reliable and debuggable apps, and LDAP across multiple servers where one server stack cannot fulfil needs.
