Quite urgent: Accessing Cloudron LDAP from an external instance of EspoCRM
-
Managed to expose LDAP to VPN by amending iptables on the cloudron host:
$ iptables -I CLOUDRON 4 -s 10.100.10.0/16 -i tun0 -p tcp -m tcp --dport 3002 -j ACCEPT
But when I try to connect to ldap using ldapsearch, it returns an error.
ldapsearch -x -b "ou=users,dc=cloudron" -D "cn=0111a111b-111-1111-1111-1111111,ou=apps,dc=cloudron" -W${CLOUDRON_LDAP_BIND_PASSWORD} -H ldap://10.100.10.1:3002
Error:
# extended LDIF # # LDAPv3 # base <ou=users,dc=cloudron> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 1 Operations error matchedDN: ou=users, dc=cloudron text: App not found # numResponses: 1
The same DN and password work well in the application.
-
@nebulon And herein lies another layer of blockage we have to circumnavigate.
It is business-critical these issues are solved, and the costs of not solving them are astronomical.
So, for every can't or won't, we have to find a can and will, we simply have no option but to solve this.
Now, what I need to know is who can or is willing to persevere through to a resolution.
For the many things people have commented in guesswork, we are still lacking evidence, the lack of evidence encourages further speculation and the merry-go-round continues without a solution.
So what can we do? And, what will anyone do?
-
@vladimir-d Good thinking and progress!
@nebulon & @girish we have the need, appetite and commitment to solve this, will you help with that please?
Every and any solutions we find or create, we willingly share with the community, there's a lot of investment on the line for our commitments to share here, whatever you can help with is highly appreciated. If you need something for this time, please do let me know.
-
@marcusquinn so the ldap server will also validated the source IP address to verify that it actually comes from the docker container of the app as well as identifying the app for access control checks. See https://git.cloudron.io/cloudron/box/-/blob/6.3/src/ldap.js#L32
Not sure how to easily solve this there without hardcoding IP addresses in that function. Especially patching your local version just leads to problems on updates of course.
-
Our current workaround for a multi-cloudron setup is to use an external LDAP for the user base and external LDAP-connected Cloudrons. We use UCS for this purpose. Because of the complexity of UCS, this is not ideal. Therefore, we are working on an identity provider based on Drupal to connect other applications via oauth, openID and later id4me.
Do you know if EspoCRM is able to use any of these protocols? -
@nebulon could you suggest a workaround of
App not found
to connect to LDAP?Could you amend the code so it reads the allowed IPs from a config file or Cloudron console?
-
@vladimir-d is this happening on your instance I have SSH access to? If so, can you send me the IPs via support@cloudron.io, then I can see if I can hack this. However really this is only a temporary solution, as in we wont add support for that case into the platform like a config option or such.
-
@nebulon Yes, it's the instance you have SSH access.
We understand it's a temporary workaround and there could be upgrade issues (re-applying the patch), just need this done as soon as possible.
Later we can look at packaging of some LDAP proxy app or using external LDAP or wait when you implement a solution in the mainstream.Thanks a lot!
ps. just sent details by email. -
@luckow Sounds fun! Espo currently only offers self-auth or LDAP.
We still need to look into UCS more as well and might have more questions on that. SSO is still quite a leap of endeavour more than is should be. I'd be very happy if we can solve all of that with open-source.
-
@nebulon Never say never! We wouldn't be jumping through all these obstacles if it weren't that we are forced to for lack of practical alternatives. These are very valuable solutions for everyone to have both reliable and debuggable apps, and LDAP across multiple servers where one server stack cannot fulfil needs.