Need some help with the LDAP Url

I need some help with specifying the correct LDAP URL. I have a working installation of the UCS Server, which uses slapd internally, and I can authenticate over LDAP from other applications (e.g. dokuwiki) just fine. However, with Tryton I struggle to build the correct LDAP URL.

My configuration is:

[session]
authentications=ldap,password

[ldap_authentication]
uri=ldaps://ucs.<company>.de:7636/cn=users,dc=<company>,dc=de?bindname=uid=ldapquery,cn=users,dc=<company>,dc=de
bind_pass=****************
create_user=true

I am using these settings in dokuwiki, where it works fine. Furthermore, these work with the ldapsearch terminal utility. However, in Tryton I just get a generic ERROR trytond.security login failed message, even with the logging level set to DEBUG. I have tried to change some parts of the LDAP URL by copying things like ?sAMAccountName?subtree?? from other posts in this forum, but this just results in the error message ldap3.core.exceptions.LDAPBindError: unable to bind.

So I have looked for tools to build/validate this LDAP URL but could not find anything. Any help or hints would be appreciated.

I suggest you add some debugging print statements in _login_ldap to see where the authentication stops.
I suspect that con.bind() does not succeed.
Once we know, we could add more logging messages to catch such a case.

I have added a logger.info("Hello from LDAP") snippet in the global section of the file, which is shown like this:

10 140244333154368 [2024-04-26 12:15:27,561] INFO trytond.modules.ldap_authentication.res Hello from LDAP

Then I added a logger statement in _login_ldap:

    def _login_ldap(cls, login, parameters):
        logger.info("_login_ldap")
        if 'password' not in parameters:

But this is not printed in the logs. I have added logger statements in other parts of the code, but with no success.

However, I can see that this part of the code is indeed executed, because I can see the requests in the logs of slapd.

Is there anything that I need to do to make the logger print this?

By the way, a plain print did not yield any output, either.

If there is no output, it means the code is not executed.
So probably ldap is not configured as an authentication method.

There are a few things:

  1. you are using ldaps (SSL): make sure your certificates are right and exist in the OS store. You can also try ldap+tls://
  2. you are missing the LDAP attribute in the [ldap_authentication] section, so Tryton doesn’t know which attribute to take for the user
  3. you are running on a different port than normal. The ports are hardcoded in the code: for TLS / normal 389, for SSL 636 (modules/ldap_authentication/res.py · fa8f759f834b66c68081c5b3941e2068f445cab2 · Tryton / Tryton · GitLab)

Personally, I think you have to tackle point 3 first before going on to the others.

Thank you, after lots of print statements I made it work now. The port was one problem; the other aspect was that Tryton does not parse LDAP URLs like other LDAP tools do, which caused it to interpret my LDAP bind user DN as a filter. The solution was to use two question marks:

uri=ldaps://server/cn=users,dc=company,dc=de??subtree??bindname=uid=bindusername,cn=users,dc=company,dc=de
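To make the difference between the two URL shapes visible, here is an added example (not trytond's own parser, and not code from the thread) that splits an LDAP URL into the positional RFC 4516 slots dn?attributes?scope?filter?extensions. The host, base DN and bind DN are constructed placeholders; run it and compare which slot `bindname=...` lands in for the single-question-mark form versus the `??subtree??` form.

```python
from urllib.parse import urlsplit


def parse_ldap_url(uri):
    """Split an LDAP URL into its RFC 4516 parts.

    Layout: scheme://host:port/dn?attributes?scope?filter?extensions
    Missing parts come back as empty values; scope defaults to 'base',
    which is what RFC 4516 prescribes when the slot is left empty.
    """
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    # Everything after the first '?' is positional, so split in order
    # and keep empty slots instead of discarding them.
    fields = parts.query.split("?", 3)
    fields += [""] * (4 - len(fields))
    attributes, scope, filter_, extensions = fields
    # Extension values in config files are usually not percent-encoded,
    # so only the first '=' separates the extension name from its value.
    ext_name, _, ext_value = extensions.partition("=")
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": parts.path.lstrip("/"),
        "attributes": [a for a in attributes.split(",") if a],
        "scope": scope or "base",
        "filter": filter_,
        "extensions": {ext_name: ext_value} if ext_name else {},
    }


# Constructed URLs with the same shape as the two from the thread.
SINGLE_QMARK = ("ldaps://ucs.example.com:7636/cn=users,dc=example,dc=com"
                "?bindname=uid=ldapquery,cn=users,dc=example,dc=com")
FOUR_QMARK = ("ldaps://ucs.example.com:7636/cn=users,dc=example,dc=com"
              "??subtree??bindname=uid=ldapquery,cn=users,dc=example,dc=com")

if __name__ == "__main__":
    for uri in (SINGLE_QMARK, FOUR_QMARK):
        print(uri)
        for key, value in parse_ldap_url(uri).items():
            print("  %-11s %s" % (key, value))
```

With a single `?` the bind DN is consumed by the attributes slot and the scope silently falls back to `base`; with `??subtree??` the bind DN reaches the extensions slot and the search scope is explicit.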
