Struggling to Set up Active Directory with LDAP

Hello,

I’ve been following the guide trying to get a local deployment of ERPNext to use the local Windows Server’s Active Directory to log in, but it doesn’t seem to recognise any user/password combinations that work.

I have gotten Active Directory setup with another Linux based app (Snipe-IT) but not having much luck with ERPNext.

So… a few questions, step by step as the page settings go:

  • Does the ldap address need a port or is just the IP address sufficient? (Snipe-IT works with just the server IP).
  • Is the Base Distinguished Name just the username in form ldapuser@domain.local of an account setup specifically for LDAP, or is it in another form?
  • I’m using the entry OU=MC Users,OU=MC Group,DC=local-domain,DC=local for search path for both Users and Groups, as shortening either to just Users or Group is not liked by ERPNext and it refuses to save.
  • I’m using the following Search String, that works well in Snipe-IT, to show only active accounts. Will it cause an issue with ERPNext’s LDAP settings?
    (&(uid={0})(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • The other fields for email, name etc. seem quite straightforward.

For logging in to the system, do you need to provide an email address that matches the domain, i.e. user.name@local-domain.local, or can you instruct ERPNext to check only the user.name instead?

Any help would be great!

Thanks,
Paul

Ok, have used the following settings to get things working. They might be of help to others.
This setup is for internal lan use only, not visible to the outside world.

LDAP Server Url: just the ip address with ldap:// as a prefix seems to work, without needing to specify the port.
Base Distinguished Name (DN): the username of an Active Directory account set up specifically for LDAP, i.e. ldap@domain.local
LDAP search path for Users & LDAP search path for Groups: I had to use the same entry for both, obviously replacing LAN Users and LAN Group with your own:
OU=LAN Users,OU=LAN Group,DC=domain,DC=local
LDAP Search String: (&(objectClass=user)(sAMAccountName={0}))
LDAP Username Field: sAMAccountname
LDAP First Name Field: givenname

All other settings as standard.

I have not yet tried to create new accounts; instead I imported a user list. I have also not yet tried to use AD groupings to match users to roles.

Note that you need to specify an email address in the Active Directory entry, otherwise ERPNext will warn of an error. I was able to log in using the Active Directory username, and not use the email address.

Cheers,
Paul
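An added example (not ERPNext’s own code, and not part of Paul’s posts) that shows what the two search strings in this thread actually do: how the `{0}` slot should be filled with an RFC 4515-escaped username before the filter is sent to the server, and how the `userAccountControl:1.2.840.113556.1.4.803:=` clauses of the first filter select enabled normal accounts via Active Directory’s bit-AND matching rule. The entry dictionaries and usernames are constructed sample data; the flag values 512 and 2 are the documented AD constants that appear in the thread.

```python
import re

# Bit-AND matching rule OID used in the first filter of the thread.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# The two search strings quoted in the thread; {0} is the username slot.
UID_FILTER = ("(&(uid={0})(objectClass=user)"
              "(userAccountControl:" + BIT_AND_RULE + ":=512)"
              "(!(userAccountControl:" + BIT_AND_RULE + ":=2)))")
SAM_FILTER = "(&(objectClass=user)(sAMAccountName={0}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion.
    The characters *, (, ), \\ and NUL become \\xx hex escapes, so a typed
    username can never change the structure of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def build_filter(template: str, username: str) -> str:
    """Fill the {0} slot the way a safe LDAP client should: escaped."""
    return template.replace("{0}", escape_filter_value(username))


# Matches a single bit-AND clause such as
# (userAccountControl:1.2.840.113556.1.4.803:=512)
_BIT_AND_CLAUSE = re.compile(
    r"^\((\w+):" + re.escape(BIT_AND_RULE) + r":=(\d+)\)$")


def bit_and_clause_matches(clause: str, entry: dict) -> bool:
    """Evaluate one bit-AND clause against an entry (attribute -> int).
    The rule matches when every bit of the given mask is set."""
    m = _BIT_AND_CLAUSE.match(clause)
    if not m:
        raise ValueError("not a bit-AND clause: " + clause)
    attr, mask = m.group(1), int(m.group(2))
    return (int(entry.get(attr, 0)) & mask) == mask


def is_enabled_normal_account(entry: dict) -> bool:
    """What the first filter's last two terms express: NORMAL_ACCOUNT (512)
    is set and ACCOUNTDISABLE (2) is not set."""
    enabled = "(userAccountControl:" + BIT_AND_RULE + ":=512)"
    disabled = "(userAccountControl:" + BIT_AND_RULE + ":=2)"
    return (bit_and_clause_matches(enabled, entry)
            and not bit_and_clause_matches(disabled, entry))
```

Note that the working filter keys on sAMAccountName rather than uid; the bit-AND evaluator above is the same logic the directory applies server-side, reproduced here only so the clauses can be read and tested locally.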