LDAP Authentication
Dear All,
I am running the latest stable version of Tryton (3.8x), with the LDAP module installed.
I have added the required LDAP stanzas to my trytond.conf as follows:
---------------------------------------%<----------------------------
[ldap_authentication]
uri = ldaps://ldap.synalinq.vlan:636/ou=People,o=synaLinQ??sub?(&(objectclass=inetOrgPerson)(memberOf=cn=trytond_erp_synalinq,ou=Groups,o=synaLinQ))?bindname=cn=LDAPReader,ou=Roles,o=synaLinQ
bind_pass =
active_directory = False
uid = mail
create_user = True
---------------------------------------%<----------------------------
I get the following in my OpenLDAP logs:
---------------------------------------%<----------------------------
Apr 16 06:15:05 ldap slapd[49046]: conn=6460 fd=15 ACCEPT from IP=127.0.1.113:13804 (IP=127.0.1.111:636)
Apr 16 06:15:05 ldap slapd[49046]: conn=6460 fd=15 TLS established tls_ssf=256 ssf=256
Apr 16 06:15:05 ldap slapd[49046]: conn=6460 op=0 BIND dn="cn=LDAPReader,ou=Roles,o=synaLinQ" method=128
Apr 16 06:15:05 ldap slapd[49046]: conn=6460 op=0 BIND dn="cn=LDAPReader,ou=Roles,o=synaLinQ" mech=SIMPLE ssf=0
Apr 16 06:15:05 ldap slapd[49046]: conn=6460 op=0 RESULT tag=97 err=0 text=
Apr 16 06:15:05 ldap slapd[49046]: conn=6460 op=1 UNBIND
Apr 16 06:15:05 ldap slapd[49046]: conn=6460 fd=15 closed
---------------------------------------%<----------------------------
Which I interpret as: the trytond instance in FreeBSD jail 127.0.1.113 binds successfully using TLS to the OpenLDAP instance in my FreeBSD jail 127.0.1.111, uses LDAPReader as authentication user with the respective password, and does not encounter any errors, but fails to look further for the entry I am interested in, i.e. a mail address (used across the system as user name).
This is what the Gnome GUI throws at me:
---------------------------------------%<----------------------------
Traceback (most recent call last):
File "/site-packages/trytond/protocols/jsonrpc.py", line 162, in _marshaled_dispatch
response['result'] = dispatch_method(method, params)
File "/site-packages/trytond/protocols/jsonrpc.py", line 191, in _dispatch
res = dispatch(*args)
File "/site-packages/trytond/protocols/dispatcher.py", line 41, in dispatch
res = security.login(database_name, user, session)
File "/site-packages/trytond/security.py", line 26, in login
user_id = User.get_login(loginname, password)
File "/site-packages/trytond/modules/ldap_authentication/res.py", line 174, in get_login
users = cls.ldap_search_user(login, con, attrs=[uid])
File "/site-packages/trytond/modules/ldap_authentication/res.py", line 99, in ldap_search_user
result = con.search_s(dn, scope, filter_, attrs)
File "/site-packages/ldap/ldapobject.py", line 597, in search_s
return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
File "/site-packages/ldap/ldapobject.py", line 590, in search_ext_s
msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
File "/site-packages/ldap/ldapobject.py", line 586, in search_ext
timeout,sizelimit,
File "/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
result = func(*args,**kwargs)
TypeError: an integer is required
---------------------------------------%<----------------------------
I fail to make much of this... excuse my ignorance. No errors in trytond logs.
I then tried to simplify my LDAP URL (even took SSL/TLS out, although OpenLDAP did not complain about this).
---------------------------------------%<----------------------------
uri = ldaps://ldap.synalinq.vlan:636/ou=People,o=synaLinQ??sub??bindname=cn=LDAPReader,ou=Roles,o=synaLinQ
---------------------------------------%<----------------------------
Does not give any joy. Same crash. No errors in trytond logs.
Let's leave the definition of scope out:
---------------------------------------%<----------------------------
uri = ldaps://ldap.synalinq.vlan:636/ou=People,o=synaLinQ????bindname=cn=LDAPReader,ou=Roles,o=synaLinQ
---------------------------------------%<----------------------------
I get in the trytond logs this:
---------------------------------------%<----------------------------
79513 34477340672 [2016-04-16 05:34:04,337] INFO trytond.modules ldap_authentication
79513 34477340672 [2016-04-16 05:34:05,419] INFO trytond.protocols.dispatcher bad login or password 'christoph.larsen@synalinq.com' from 127.0.1.105:52488 using JSON-RPC on database 'trytond_erp_caocuero'
---------------------------------------%<----------------------------
Does NOT crash, but gives a wrong password message in the trytond log, which makes sense. The scope has been set to "base" by default, and the user could not be found.
Next I tried:
---------------------------------------%<----------------------------
uri = ldaps://ldap.synalinq.vlan:636/ou=People,o=synaLinQ???(&(objectclass=inetOrgPerson)(memberOf=cn=trytond_erp_synalinq,ou=Groups,o=synaLinQ))?bindname=cn=LDAPReader,ou=Roles,o=synaLinQ
---------------------------------------%<----------------------------
I get in the trytond logs this:
---------------------------------------%<----------------------------
79513 34477340672 [2016-04-16 05:34:04,337] INFO trytond.modules ldap_authentication
79513 34477340672 [2016-04-16 05:34:05,419] INFO trytond.protocols.dispatcher bad login or password 'christoph.larsen@synalinq.com' from 127.0.1.105:52488 using JSON-RPC on database 'trytond_erp_caocuero'
---------------------------------------%<----------------------------
Does NOT crash, but gives a wrong password message in the trytond log, which makes sense. Filtering seems to work (at least there is no complaint), but the scope has been set to "base" by default, and the user could not be found.
Summa summarum: There may be something wrong with the scope definition. The crash appears whenever I insert any of the scope parameters (sub, one or base). Or am I doing something really stupid?
Thanks a lot for your help!
Chris
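As an added example for this thread (not Tryton's ldap_authentication code and not python-ldap's ldapurl module), the following parses an LDAP URL into its RFC 4516 parts (dn?attributes?scope?filter?extensions), maps the scope token to the integer constants that python-ldap's search_s()/search_ext() take (SCOPE_BASE = 0, SCOPE_ONELEVEL = 1, SCOPE_SUBTREE = 2), treats an empty scope field as "base" (the behaviour seen above when the scope was left out), and builds a per-login search filter with the login value escaped per RFC 4515. The sample URIs are constructed after the ones in the post; the bindname DN in them has its commas percent-encoded as %2c, as RFC 4516 requires for extension values. Whether that, or the scope, is what trytond trips over is not something the thread shows; the function names here are my own.

```python
"""Minimal RFC 4516 LDAP URL parser (added example, not project code).

Demonstrates how the fields of an LDAP URL are split, how the scope
token becomes the integer scope python-ldap expects, and how a login
value is escaped before being spliced into the search filter.
"""
from urllib.parse import unquote

# Same numeric values as ldap.SCOPE_BASE / SCOPE_ONELEVEL / SCOPE_SUBTREE.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
_SCOPE_TOKENS = {
    "": SCOPE_BASE,          # RFC 4516: an omitted scope means "base"
    "base": SCOPE_BASE,
    "one": SCOPE_ONELEVEL,
    "sub": SCOPE_SUBTREE,
}
_DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return the components of an ldap:// or ldaps:// URL as a dict.

    Keys: scheme, host, port, dn, attrs (list), scope (int), filter
    (str or None), extensions (dict name -> value).  Raises ValueError
    for a non-LDAP scheme or an unknown scope token.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in _DEFAULT_PORT:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    hostport, _, path = rest.partition("/")
    if ":" in hostport:                       # IPv6 literals not handled here
        host, port = hostport.rsplit(":", 1)
        port = int(port)
    else:
        host, port = hostport, _DEFAULT_PORT[scheme]
    # Fields are separated by '?'; at most five.  A '?' inside a field
    # (e.g. in a filter) must itself be percent-encoded in the URL.
    fields = path.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope_token, filt, exts = fields
    scope_token = scope_token.lower()
    if scope_token not in _SCOPE_TOKENS:
        raise ValueError("unknown scope %r (expected base, one or sub)"
                         % scope_token)
    # Extensions are comma-separated; commas inside a value (e.g. a
    # bindname DN) must be percent-encoded or they split the value.
    extensions = {}
    for ext in exts.split(","):
        if not ext:
            continue
        name, _, value = ext.partition("=")
        extensions[name.lstrip("!").lower()] = unquote(value)  # '!' = critical
    return {
        "scheme": scheme, "host": host, "port": port,
        "dn": unquote(dn),
        "attrs": [a for a in unquote(attrs).split(",") if a],
        "scope": _SCOPE_TOKENS[scope_token],
        "filter": unquote(filt) or None,
        "extensions": extensions,
    }


def escape_filter_value(value):
    """RFC 4515 escaping of a value used inside a filter, so a login such
    as 'x)(objectclass=*' cannot widen or rewrite the search."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def search_args(url, uid_attr, login):
    """Build (base, scope, filterstr, attrlist) for python-ldap's search_s().

    The scope here is always an int; search_ext() is implemented in C and
    raises TypeError if it is handed a string instead.
    """
    parsed = parse_ldap_url(url)
    login_filter = "(%s=%s)" % (uid_attr, escape_filter_value(login))
    if parsed["filter"]:
        filterstr = "(&%s%s)" % (parsed["filter"], login_filter)
    else:
        filterstr = login_filter
    return parsed["dn"], parsed["scope"], filterstr, [uid_attr]


# Constructed after the URIs in the post; bindname commas encoded as %2c.
URL_SUB = ("ldaps://ldap.synalinq.vlan:636/ou=People,o=synaLinQ??sub?"
           "(&(objectclass=inetOrgPerson)(memberOf=cn=trytond_erp_synalinq,"
           "ou=Groups,o=synaLinQ))?bindname=cn=LDAPReader%2cou=Roles%2co=synaLinQ")
URL_NO_SCOPE = ("ldaps://ldap.synalinq.vlan:636/ou=People,o=synaLinQ????"
                "bindname=cn=LDAPReader%2cou=Roles%2co=synaLinQ")

if __name__ == "__main__":
    for u in (URL_SUB, URL_NO_SCOPE):
        print(search_args(u, "mail", "christoph.larsen@synalinq.com"))
```

Running it shows scope 2 for the "sub" URI and scope 0 (base) for the URI with the scope field left empty, which is why a search against ou=People with a base scope never reaches the user entries below it. The escaping in escape_filter_value is the same set of characters python-ldap's ldap.filter.escape_filter_chars handles; whatever parser is in use, the login must go through something like it before being joined into the filter.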