Enabled LDAP, Disabled Native Login, Now Unable to login to built-in Administrator!

BlockhouseIT · December 27, 2022, 2:41pm

Hello all!

I just completed my first install and setup of this incredible system, and am very impressed. I went through configuring SMTP and LDAP without much issue. I noticed that after LDAP was successfully setup, there were 2 login buttons. I saw that there was an option under the System Settings to essentially force LDAP-only authentication, so I did just that!

Unfortunately, my dumb self didn’t realize enforcing only LDAP login would immediately lock me out of the application from signing into the native built-in Administrator account…

There MUST be someway to easily reverse this right? Is there a config file where I can reverse this option? Or maybe I can keep my config the same and there exists a hidden login page URI I can use to workaround this?

We run this ERPNext server ourselves on Ubuntu v22 LTS, and the latest versions of all the underlying dependencies. Please let me know, really appreciate any insight into this!

Josh
BH IT

snv · December 27, 2022, 3:00pm

You can get the login URI for administrator by running this command:

bench browse --user Administrator

BlockhouseIT · December 27, 2022, 3:11pm

Hi @snv, thanks so much for your response!

I attempted your command, this was what it did:

Not sure why http://site_name:8000 is specified, however I changed that to our actual site URL:
https://dash.blockhouse.com/app?sid=xxx
And it let me right in! Which is awesome, very glad that this functionality exists.

Any idea how I can clean that up? Maybe have a parameter somewhere in my config that is wrong. I recently implemented SSL on this, so maybe I missed something in the nginx.conf?

snv · December 27, 2022, 3:28pm

I hope that’s not the actual URI / sid. You should probably edit your reply to sanitise the values if that’s the case.

For the domain name showing correctly:

is the dns_multitenant config set?
is the folder name of your site correct? you can just mv to the correct domain name if the folder name is wrong. alternatively, you can set the host_name site config.

If you’re interested in how the works under the hood, read the following function:

github.com

frappe/frappe/blob/a72fdcbd8900af3a2f4c07c9636a2f208b735816/frappe/utils/data.py#L1543


      
          			return format("\n ".join(some_list))
          	else:
          		return some_list
          
          

          
def filter_strip_join(some_list: list[str], sep: str) -> list[str]:
          	"""given a list, filter None values, strip spaces and join"""
          	return (cstr(sep)).join(cstr(a).strip() for a in filter(None, some_list))
          
          

          
def get_url(uri: str | None = None, full_address: bool = False) -> str:
          	"""get app url from request"""
          	host_name = frappe.local.conf.host_name or frappe.local.conf.hostname
          
          
	if uri and (uri.startswith("http://") or uri.startswith("https://")):
          		return uri
          
          
	if not host_name:
          		request_host_name = get_host_name_from_request()
          
          
		if request_host_name:

BlockhouseIT · December 27, 2022, 4:11pm

What sid?? Thanks for pointing that out, did not realize that was a sensitive field. Nonetheless, our systems are not exposed to the public Web in any way.

Yes absolutely!

Yes, site_name and site directory are identical.

When I look at …/frappe-bench/config/nginx.conf, I see these values:

Would it break any other functionality in the web app if I just removed these 2 site_names from the web server config?

Sorry, I know I am kinda taking us off-topic a bit.

BlockhouseIT · January 3, 2023, 4:58pm

I see you’re a mod @snv, are you able to edit my post to sanitize it of the sensitive SID? I’m no longer able to edit my post here it seems like…