unusual ldap / user workflow

luckow

What is the reason to login as an admin, select ldap users from a dropdown and add them to the userbase in dolibarr? Without that workflow it isn't possible to login as an allowed user (from the cloudron app/dashboard perspective).

Tested with a fresh installation.

robi

Apparently in the LDAP Setup > Global parameteres > LDAP synchronisation module, LDAP-Dolibarr sync isn't working.

Testing the LDAP connection:

 TCP connect to LDAP server successful (Server=172.18.0.1, Port=3002)
 No administrator or password provided. LDAP access will be anonymous and in read only mode.
 LDAP server configured for version 3

girish

I think @erics is on vacation and he will fix things up when he is back.

erics

@girish @robi and @luckow sorry for the delay, vacation was sooooo goood i want to stay on hollidays

So, now i'm back and i will have a look to LDAP, thanks for your tests and reports !

BrutalBirdie

@erics hope you had a great and refreshing vacation!
Welcome back

erics

Hello,
LDAP preconfiguration is now ok, could you please make some tests ?
Thanks

erics

@brutalbirdie thanks

luckow

@erics the two form fields Administrator DN and Administrator password on global parameters are not prefilled with the values from the env.
That's why you get a

 TCP connect to LDAP server successful (Server=172.18.0.1, Port=3002)
 No administrator or password provided. LDAP access will be anonymous and in read only mode.
 LDAP server configured for version 3

instead of a

TCP connect to LDAP server successful (Server=172.18.0.1, Port=3002)
Connect/Authenticate to LDAP server successful (Server=172.18.0.1, Port=3002, Admin=cn=LONGID,ou=apps,dc=cloudron, Password=*****)
LDAP server configured for version 3

if you fill in the values manually. But to be fair, I do not know if this is really necessary

On the Groups tab, there is a wrong value in Groups' DN. The current value is

ou=groups,dc=example,dc=com

the correct value has to be

ou=groups,dc=cloudron

Same with above. I don't know if Cloudron LDAP promotes the groups to Dolibarr. IMHO not.

Ups. In the tab Users in the LDAP Mapping you put in a wrong mapping at the Name. It's not displayName it has to be sn That why last name is the value of first and last name in one field.

erics

@luckow said in unusual ldap / user workflow:

Administrator DN and Administrator password

Hello @luckow

at first : thanks a lot for all your tests !!!

Then, for Admin DN and pass are from env parameters from cloudron world so we don't put it in dolibarr config files and don't store it (good idea in case of backup then restore dolibarr in an other cloudron server).

But for group and users mapping i think i made a mistake, really thank you, i will make some updates as soon as possible.

Éric

erics

@girish or @nebulon what about LDAP group mapping ?

there is no informations about that on documentation (https://docs.cloudron.io/custom-apps/addons/#ldap)

so could you please help me ? thanks

Éric

nebulon

Generally groups within apps and Cloudron groups should not be mixed. We found that they usually have different meanings.

The ldap server only exposes two groups and that is only a workaround for apps which need to find admins (which we are not sure if that is even a good idea). So there is an LDAP group for Cloudron admins and one for other users.

To summarize this, do not configure LDAP groups in the app

erics

@nebulon nice i like this sort of reply