Frappe Based App: LDAP login

@saurabh6790 This is the error text -
Traceback (innermost last):
File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 54, in application
response = frappe.api.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/api.py", line 50, in handle
return frappe.handler.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 69, in handle
execute_cmd(cmd)
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 92, in execute_cmd
ret = frappe.call(method, **frappe.form_dict)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 754, in call
return fn(*args, **newargs)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 11, in ldap_login
user=ldap_authentication(user, pwd)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 27, in ldap_authentication
user, user_id, status, role = ldap_auth(user,pwd,server_details)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 61, in ldap_auth
frappe.msgprint("Incorrect UserId or Password", raise_exception=1)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 245, in msgprint
_raise_exception()
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 232, in _raise_exception
raise ValidationError, encode(msg)
ValidationError: Incorrect UserId or Password

Hi kirthi ,

I am using Online LDAP Test Server for testing.
I have configured LDAP Settings as,

and it's working correctly.

Maybe the issue is due to the LDAP Server field: instead of "URL:port", i.e. ldap://ldap.testathon.net:389/, configure it to only the "URL", i.e. ldap://ldap.testathon.net/

@saurabh6790 The port number is correct. System is not able to connect to the ldap server without the port…

I'm getting the error code 52e, which says the credentials are invalid. This happens when the system tries to bind with LDAP. Maybe the syntax for the bind is wrong - in your case, is cn=read-only-admin the admin user?
I’m giving the Administrator password in the password field, but where do I give the administrator user id?

Summary of my errors -

Scheduler log:
Method: all, Handler: frappe_ldap.sync_profile.check_profiles_daily
Traceback (innermost last):
File "/home/frappe/frappe-bench/apps/frappe/frappe/tasks.py", line 79, in scheduler_task
frappe.get_attr(handler)()
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/sync_profile.py", line 8, in check_profiles_daily
check_profiles_if("Daily")
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/sync_profile.py", line 18, in check_profiles_if
ldap_connect()
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/sync_profile.py", line 40, in ldap_connect
result = connect.search_s(base_dn, 2,filters)
File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 591, in search_s
return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 584, in search_ext_s
msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 580, in search_ext
timeout,sizelimit,
File "/home/frappe/frappe-bench/env/local/lib/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
LDAPError: LDAP connection invalid

my LDAP settings -
User DN
cn=Admnistrator,dc=mydomain,dc=local
Base DN
dc=mydomain,dc=local
Password
Administrator’s password

And, this is my error when I try to login with ldap -

Traceback (innermost last):
File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 54, in application
response = frappe.api.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/api.py", line 50, in handle
return frappe.handler.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 69, in handle
execute_cmd(cmd)
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 92, in execute_cmd
ret = frappe.call(method, **frappe.form_dict)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 754, in call
return fn(*args, **newargs)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 11, in ldap_login
user=ldap_authentication(user, pwd)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 27, in ldap_authentication
user, user_id, status, role = ldap_auth(user,pwd,server_details)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 56, in ldap_auth
frappe.msgprint(e, raise_exception=1)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 245, in msgprint
_raise_exception()
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 232, in _raise_exception
raise ValidationError, encode(msg)
ValidationError: {'info': '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1', 'desc': 'Invalid credentials'}

Can you share LDAP Server, if possible?

I cannot. It is behind firewall and is not accessible from outside.
my server address is - ldap://192.168.1.3:389

@saurabh6790 I think the error is somewhere related to the usage of the pwd variable. The pwd that is used for binding as well as to authenticate seems to be the same. Since the test server you used has the same password for all users, it might have authenticated without an issue. My guess, so far.

Maybe; I will check this by setting up LDAP locally and update you soon. Thank you.

@saurabh6790 I changed the settings of User DN to cn=Administrator,cn=Users,dc=mydomain,dc=local and now it moved on to next error -

Traceback (innermost last):
File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 54, in application
response = frappe.api.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/api.py", line 50, in handle
return frappe.handler.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 69, in handle
execute_cmd(cmd)
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 92, in execute_cmd
ret = frappe.call(method, **frappe.form_dict)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 754, in call
return fn(*args, **newargs)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 11, in ldap_login
user=ldap_authentication(user, pwd)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 27, in ldap_authentication
user, user_id, status, role = ldap_auth(user,pwd,server_details)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 67, in ldap_auth
user_id = str(r["uid"][0])
TypeError: list indices must be integers, not unicode

Any ideas?

by the way, I changed a line in ldap_login.py in ldap_auth function -

old line: conn.simple_bind_s(user_dn, pwd)
new line: conn.simple_bind_s(user, pwd)

With this change and the change in User DN as mentioned in the previous post, I have moved on to the next error.

Hi,
I’ve been trying to implement this ldap plugin in my ERPnext installation. I am also getting the following error:
Traceback (innermost last):
File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 70, in application
response = frappe.api.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/api.py", line 50, in handle
return frappe.handler.handle()
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 75, in handle
execute_cmd(cmd)
File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 109, in execute_cmd
ret = frappe.call(method, **frappe.form_dict)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 767, in call
return fn(*args, **newargs)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 11, in ldap_login
user=ldap_authentication(user, pwd)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 27, in ldap_authentication
user, user_id, status, role = ldap_auth(user,pwd,server_details)
File "/home/frappe/frappe-bench/apps/frappe_ldap/frappe_ldap/templates/pages/ldap_login.py", line 61, in ldap_auth
frappe.msgprint("Incorrect UserId or Password", raise_exception=1)
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 250, in msgprint
_raise_exception()
File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 237, in _raise_exception
raise ValidationError, encode(msg)
ValidationError: Incorrect UserId or Password

When I look at the LDAP server's logs it returns do_bind: invalid dn(USER_NAME)
My users are identified by the attribute cn; could that be the reason for the error? If so, how would I edit ldap_login.py to look for the right attribute instead of the attribute dn?

Appreciate any help.

@antilopa Thanks for reporting.

Now we have an idea about two attributes like dn and cn.

Can you provide more information on the user identification attribute, so that we can make it configurable and it will not break next time.

Yes, you can fix this by editing ldap_login.py and send a pull request :smile:

@saurabh6790 I am still trying to check what the problems is, I am not sure if it has anything to do with the ldap_login.py or the attributes being used. It might just be our setup. I will update you when I have more info.

As for our user identification attribute, users' DNs are composed of
cn=USER_NAME,ou=people,dc=example,dc=local

I got a bit further but there are few issues still.
The plugin only works against the uid attribute, unlike other LDAP software that allows you to choose which attribute you want to authenticate against. Adding uid to a user solved that.
The big issue, though, is that you can only authenticate a user that has the exact same password as the LDAP administrator used in the LDAP server settings. Users cannot authenticate with a unique password!
Where and how to change that?

  • As a small side note, the plugin does not disable user profile editing in ERPNext, so users might try to unsuccessfully change their settings. This is just a feature request…

it looks like variable ‘pwd’ is used for both users and admin.

@antilopa thank you. I will check that authentication issue. Actually, the testing LDAP domain has the same password for all users.

Please create a github issue for suggestion and authentication issue.

@muppeth, yes pwd is used for both.

So it means that currently all users (including admin) have to have the same passwords?

@saurabh6790 i made an issue report about the password problem. So far I cannot find the solution to it.

Another thing I noticed while I get the ldap errors is that the url is
http://…/api/method/frappe_ldap.templates.pages.ldap_login.ldap_login?user=user_name&pwd=password
So… login information is being sent in plain text?

@muppeth, it's not designed that way, but somehow it's working that way.
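The three defects discussed in this thread (the admin password being reused for the user bind, `r["uid"]` being applied to the list that `search_s` returns, and `uid` being hard-coded as the naming attribute) all come from the same login routine, so one worked example covers them. The code below is an added illustration written for this page, not the frappe_ldap project's ldap_login.py. It assumes a python-ldap-style connection object (`simple_bind_s`, `search_s`) and stands a constructed in-memory `FakeLDAPConnection` in for the real server so it runs offline; the sample directory, its passwords, and the `SETTINGS` dictionary are all made up here. The flow is the standard two-phase one: bind with the service account from LDAP Settings, search for the user by a configurable attribute, then bind a second time with the user's own DN and the password the user typed.

```python
# Added example (not frappe_ldap's code): two-phase LDAP login with a
# configurable naming attribute and a constructed fake directory.

SCOPE_SUBTREE = 2  # the integer scope the thread's search_s(base_dn, 2, filters) uses


class INVALID_CREDENTIALS(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS, which python-ldap raises on a failed bind."""


class LDAPAuthError(Exception):
    """Raised to the caller; the message is what the login page would display."""


def escape_filter_value(value):
    """Escape RFC 4515 special characters so a typed username cannot change the
    meaning of the search filter (python-ldap's ldap.filter.escape_filter_chars
    does the same job)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldap_authenticate(conn, settings, username, user_password):
    """Return (dn, attrs) for the authenticated user or raise LDAPAuthError.

    settings mirrors the thread's LDAP Settings: user_dn/password are the
    service account (the thread's "User DN"), base_dn is the search base and
    user_attr is the naming attribute ("uid" for one poster, "cn" for another).
    """
    # Phase 1: bind as the service account so the directory lets us search.
    try:
        conn.simple_bind_s(settings["user_dn"], settings["password"])
    except INVALID_CREDENTIALS:
        raise LDAPAuthError("Service account bind failed; check User DN / Password in LDAP Settings")

    filt = "(%s=%s)" % (settings["user_attr"], escape_filter_value(username))
    results = conn.search_s(settings["base_dn"], SCOPE_SUBTREE, filt, [settings["user_attr"], "mail"])

    # search_s returns a list of (dn, attrs) tuples. Indexing the list itself
    # with a string, r["uid"], is what raised "list indices must be integers".
    # Active Directory also returns referral entries whose dn is None; skip them.
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    if len(entries) != 1:
        # zero matches: unknown user; several matches: ambiguous, so refuse.
        raise LDAPAuthError("Incorrect UserId or Password")
    user_dn, attrs = entries[0]

    # Phase 2: bind with the user's own DN and the password the user typed,
    # never the service account's password (the pwd-reuse bug in the thread).
    try:
        conn.simple_bind_s(user_dn, user_password)
    except INVALID_CREDENTIALS:
        raise LDAPAuthError("Incorrect UserId or Password")
    return user_dn, attrs


class FakeLDAPConnection(object):
    """Constructed in-memory stand-in for ldap.initialize(...); it understands
    only the single equality filter that ldap_authenticate builds."""

    def __init__(self, directory):
        self.directory = directory  # dn -> attribute dict; values are lists like python-ldap's
        self.bound_as = None

    def simple_bind_s(self, dn, password):
        entry = self.directory.get(dn)
        if entry is None or entry["userPassword"] != [password]:
            raise INVALID_CREDENTIALS({"desc": "Invalid credentials"})
        self.bound_as = dn

    def search_s(self, base, scope, filterstr, attrlist=None):
        if self.bound_as is None:
            raise Exception("LDAP connection invalid")  # the scheduler-log error when no bind happened
        attr, _, value = filterstr.strip("()").partition("=")
        out = []
        for dn, entry in self.directory.items():
            if dn.endswith(base) and value in entry.get(attr, []):
                visible = {k: v for k, v in entry.items()
                           if k != "userPassword" and (not attrlist or k in attrlist)}
                out.append((dn, visible))
        return out


# Constructed sample directory; DNs follow the thread's shapes, passwords are placeholders.
SAMPLE_DIRECTORY = {
    "cn=Administrator,cn=Users,dc=mydomain,dc=local": {
        "cn": ["Administrator"], "userPassword": ["admin-secret"]},
    "uid=alice,ou=people,dc=mydomain,dc=local": {
        "uid": ["alice"], "cn": ["alice"], "mail": ["alice@mydomain.local"],
        "userPassword": ["alice-secret"]},
    "cn=bob,ou=people,dc=mydomain,dc=local": {
        "cn": ["bob"], "mail": ["bob@mydomain.local"], "userPassword": ["bob-secret"]},
}

SETTINGS = {  # constructed; mirrors the fields shown in the thread
    "user_dn": "cn=Administrator,cn=Users,dc=mydomain,dc=local",
    "password": "admin-secret",
    "base_dn": "dc=mydomain,dc=local",
    "user_attr": "uid",
}


def try_login(username, password, user_attr="uid"):
    """Return the user's DN on success, None on any authentication failure."""
    settings = dict(SETTINGS, user_attr=user_attr)
    try:
        return ldap_authenticate(FakeLDAPConnection(SAMPLE_DIRECTORY), settings, username, password)[0]
    except LDAPAuthError:
        return None


if __name__ == "__main__":
    print(try_login("alice", "alice-secret"))              # alice's own password works
    print(try_login("alice", "admin-secret"))              # the service password no longer unlocks users
    print(try_login("bob", "bob-secret", user_attr="cn"))  # cn-named users, as in the ou=people tree above
```

On the plaintext-URL observation: with this structure the user's password is only ever sent to the directory inside the bind, but it still has to reach the Frappe endpoint first. A query string like `?user=...&pwd=...` ends up in web-server access logs, browser history and proxies, so the login method should accept the credentials in a POST body over HTTPS, and the LDAP connection itself should use ldaps:// or STARTTLS rather than the bare ldap://host:389 shown in the thread.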

@muppeth @antilopa will fix this and update you soon.