Need some help with the LDAP Url

I need some help with specifying the correct LDAP URL. I have a working installation of the UCS Server, which uses slapd internally, and I can authenticate over LDAP from other applications (e.g. dokuwiki) just fine. However, with Tryton I struggle to build the correct LDAP URL.

My configuration is:



I am using these settings in dokuwiki, where it works fine. Furthermore, these work with the ldapsearch terminal utility. However, in Tryton I just get a generic ERROR login failed message, even with the logging level set to DEBUG. I have tried to change some parts of the LDAP URL by copying things like ?sAMAccountName?subtree?? from other posts in this forum, but this just results in the error message ldap3.core.exceptions.LDAPBindError: unable to bind.

So I have looked for tools to build/validate this LDAP URL but could not find anything. Any help or hints would be appreciated.

I suggest you to add some debugging print statement in _login_ldap to see where it stops the authentication.
I suspect that con.bind() does not succeed.
Once we know we could add more logging message to catch such case.

I have added a"Hello from LDAP") snippet in the global section of the file, which is shown like this:

10 140244333154368 [2024-04-26 12:15:27,561] INFO trytond.modules.ldap_authentication.res Hello from LDAP

Then I added a logger statement in _login_ldap:

def _login_ldap(cls, login, parameters):"_login_ldap")
        if 'password' not in parameters:

But this is not printed in the logs. I have added logger statements in other parts of the code, but with no success.

However, I can see that this part of the code is indeed executed, because I can see the requests in the logs of slapd.

Is there anything that I need to do to make the logger print this?

By the way, plain printdid not yield any output, either.

If there is no output it means the code is not executed.
So probably that ldap is not configured as authentication method.

There are a few things:

  1. you are using ldaps (SSL) make sure your certificates are right and exists in the OS store. Also you can try ldap+tls://
  2. you are missing the LDAP attribute in the [ldap_authentication] section so Tryton doesn’t know which attribute to take for the user
  3. you are running on a different port than normal. The ports are hardcoded in the code, for TLS / normal 389, for SSL 636 (modules/ldap_authentication/ · fa8f759f834b66c68081c5b3941e2068f445cab2 · Tryton / Tryton · GitLab)

Personally I think you have to tackle point 3 first before going the others.

Thank you, after lots of print statements I made it work now. The port was one problem; the other aspect was that Tryton does not parse LDAP URLs like other LDAP tools do, which caused it to interpret my LDAP bind user DN as a filter. The solution was to use two questionmarks:


This topic was automatically closed 12 hours after the last reply. New replies are no longer allowed.