Dolibarr and LDAP authentication

Maybe it creates a user in dolibarr and then it has to create the same one in NethServer or vice versa.

I have a VM with dolibarr installed from scratch, tell me what to check and I’ll try it.

Michel-André

1 Like

In fact what I find weird is that there is no synchronisation between LDAP and the MySQL database when the user logs in for the first time. In short, you can have the good settings from LDAP, but you cannot log in if the user doesn't exist in the MySQL database... I lost hours on it :). There is a script to launch when you have created a user inside the LDAP and want to populate the MySQL DB.

To be clear, to make the LDAP authentication work you have to do the following:

In /usr/share/dolibarr/htdocs/conf/conf.php add:

$dolibarr_main_authentication='ldap';
// Parameters used to setup LDAP authentication.
// Uncomment them if dolibarr_main_authentication = 'ldap'
//
$dolibarr_main_auth_ldap_host='ldap://127.0.0.1';           // You can define several servers here separated with a comma.
$dolibarr_main_auth_ldap_port='389';                         // Port
$dolibarr_main_auth_ldap_version='3';
$dolibarr_main_auth_ldap_servertype='openldap';              // openldap, activedirectory or egroupware
$dolibarr_main_auth_ldap_login_attribute='uid';              // Ex: uid or samaccountname for active directory
$dolibarr_main_auth_ldap_dn='ou=People,dc=directory,dc=nh';  // Ex: ou=users,dc=my-domain,dc=com
//$dolibarr_main_auth_ldap_admin_login='cn=ldapservice,dc=directory,dc=nh'; // Required only if anonymous bind disabled. Ex: cn=admin,dc=example,dc=com
//$dolibarr_main_auth_ldap_admin_pass='Z59OUcMHGUaidA_x';                    // Required only if anonymous bind disabled. Ex: secret

Not tested, but I think I can restrict login to members of the group dolibarr only:

// $dolibarr_main_auth_ldap_filter = ''; // If defined, two previous parameters are not used to find a user into LDAP. Ex: (uid=%1%) or &(uid=%1%)(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com).

Then, inside the LDAP module of Dolibarr, you have to fill in the good settings.


I plan to make a MySQL import to modify the settings you see above and let the magic happen for the end user:

REPLACE INTO llx_const (`name`, `value`, `type`) VALUES 
('LDAP_SERVER_TYPE', 'openldap', 'chaine'),
('LDAP_SERVER_PROTOCOLVERSION', '3', 'chaine'),
('LDAP_SERVER_HOST', 'localhost', 'chaine'),
('LDAP_SERVER_PORT', '389', 'chaine'),
('LDAP_SERVER_DN', 'dc=directory,dc=nh', 'chaine'),
('LDAP_USER_DN', 'ou=People,dc=directory,dc=nh', 'chaine'),
('LDAP_USER_OBJECT_CLASS', 'inetOrgPerson', 'chaine'),
('LDAP_FILTER_CONNECTION', '&(objectClass=inetOrgPerson)', 'chaine'),
('LDAP_SYNCHRO_ACTIVE', 'ldap2dolibarr', 'chaine'),
('LDAP_KEY_USERS', 'uid', 'chaine');

The key is an important setting.

And an action each time a user is created inside the NethServer panel:

scl enable rh-php73 -- /usr/share/dolibarr/scripts/user/sync_users_ldap2dolibarr.php commitiferror --server=localhost -y

It seems easy now, but I did not find really clear documentation. Samba AD is not tested yet.

3 Likes
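The post above substitutes the typed login for the %1% placeholder in $dolibarr_main_auth_ldap_filter, and suggests restricting login to members of the group dolibarr. The value that replaces %1% comes from the login form, so the substitution has to escape it (RFC 4515) or the user can change the structure of the search filter. The following is an added example, not Dolibarr's or NethServer's code: it builds the group-restricted filter from the thread's template, escapes the login, and counts the filter's top-level components to show that an escaped login cannot add one. The isMemberOf attribute name comes from the example in the post; the ou=Groups branch and the wrapping rule (outer parentheses added when the template lacks them, as the thread's later output shows for '&(objectClass=inetOrgPerson)') are assumptions.

```python
"""Build a Dolibarr-style LDAP login filter with the login value escaped.

Added example, not Dolibarr code. Dolibarr replaces %1% in
$dolibarr_main_auth_ldap_filter with the login typed by the user; this
shows how to keep that substitution from altering the filter structure.
"""

# RFC 4515 escaping for characters that are special inside a filter value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Template in Dolibarr's notation. Group name and base DN are from the
# thread; the ou=Groups branch is an assumption.
GROUP_RESTRICTED_TEMPLATE = (
    "&(uid=%1%)(isMemberOf=cn=dolibarr,ou=Groups,dc=directory,dc=nh)"
)


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def wrap_filter(template: str) -> str:
    """Add outer parentheses when the template lacks them (assumed to match
    Dolibarr, which logs '&(objectClass=inetOrgPerson)' as
    '(&(objectClass=inetOrgPerson))')."""
    if template.startswith("(") and template.endswith(")"):
        return template
    return "(" + template + ")"


def build_login_filter(template: str, login: str) -> str:
    """Substitute the escaped login for every %1% placeholder, then wrap."""
    return wrap_filter(template.replace("%1%", escape_filter_value(login)))


def build_login_filter_unescaped(template: str, login: str) -> str:
    """Same substitution without escaping; kept only to show the difference."""
    return wrap_filter(template.replace("%1%", login))


def top_level_components(flt: str) -> list[str]:
    """Return the direct children of an AND/OR filter.

    For the group-restricted template there must be exactly two:
    the uid clause and the isMemberOf clause. A login that adds a third
    has escaped its value and changed the filter's meaning.
    """
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("filter is not parenthesised")
    body = flt[1:-1]
    if body[:1] not in ("&", "|"):
        return [flt]  # a single assertion such as (uid=drukpa)
    body = body[1:]
    parts, depth, start, i = [], 0, 0, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 3  # skip an escape sequence such as \29
            continue
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
        i += 1
    return parts


if __name__ == "__main__":
    for login in ("drukpa", "drukpa)(uid=admin"):
        built = build_login_filter(GROUP_RESTRICTED_TEMPLATE, login)
        print(built, "->", len(top_level_components(built)), "components")
```

With escaping, the login "drukpa)(uid=admin" stays inside the uid clause and the filter keeps its two components; without escaping the same login yields three, which is the behaviour a login-filter template must never allow.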

Hi Stéphane,

My version of Dolibarr was 9.0.1
I upgraded to 10.0.7 then to 11.0.3.
I am using MariaDB-10.2 @ port 3312
The root directory for Dolibarr is: /var/www/html/dolibarr/

I added your part of the config to /var/www/html/dolibarr/htdocs/conf/conf.php

My PHP is automatically set to PHP-7.2 with the file /etc/profile.d/activer-php72.sh

COMMAND:

php /var/www/html/dolibarr/scripts/user/sync_users_ldap2dolibarr.php commitiferror --server=localhost -y

RESULT:

commitiferror --server=localhost -y
***** sync_users_ldap2dolibarr.php (11.0.3) pid=5439 *****
Mails sending disabled (useless in batch mode)

----- Synchronize all records from LDAP database:
host=localhost
port=389
login=uid=admin,ou=People,dc=directory,dc=nh
pass=**********
DN to extract=ou=People,dc=directory,dc=nh
Filter=(&(objectClass=inetOrgPerson))
----- To Dolibarr database:
type=mysqli
host=127.0.0.1
port=3312
login=usager_dolibarr
database=DolibarrBD
----- Options:
commitiferror=1
excludeuser=
Mapped LDAP fields=uid,cn,sn,givenname,telephonenumber,facsimiletelephonenumber,mobile,mail

UserCreate # admin: login=admin, fullname=admin --> Created user id=3 login=admin
UserCreate # drukpa: login=drukpa, fullname=drukpa --> Created user id=4 login=drukpa
UserUpdate # michelandre: login=michelandre, fullname=michelandre --> Updated user id=1 login=michelandre
Pas d'erreur, on valide

I was able to login with admin and drukpa without problem.

Dolibarr is the second most downloaded document after Odoo.
For me, Dolibarr is way better than Odoo.

Thank you very much for this howto,

Michel-André

1 Like
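The sync run pasted above created a Dolibarr login for every inetOrgPerson entry under ou=People, including admin, and committed because no error occurred. When the script is run on each user creation, an operator will want to review which directory entries became ERP accounts. The following is an added example, not part of the thread or of Dolibarr: it parses the report format the script printed (the sample text is a constructed excerpt of the run shown above) and lists created and updated logins, so unexpected accounts can be compared against an expected list.

```python
"""Parse the report printed by Dolibarr's sync_users_ldap2dolibarr.php.

Added example, not Dolibarr code. The line formats are those pasted in the
thread; the sample below is a constructed excerpt of that run.
"""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
***** sync_users_ldap2dolibarr.php (11.0.3) pid=5439 *****
Mails sending disabled (useless in batch mode)

----- Synchronize all records from LDAP database:
host=localhost
port=389
login=uid=admin,ou=People,dc=directory,dc=nh
pass=**********
DN to extract=ou=People,dc=directory,dc=nh
Filter=(&(objectClass=inetOrgPerson))
----- Options:
commitiferror=1
excludeuser=
Mapped LDAP fields=uid,cn,sn,givenname,telephonenumber,facsimiletelephonenumber,mobile,mail

UserCreate # admin: login=admin, fullname=admin --> Created user id=3 login=admin
UserCreate # drukpa: login=drukpa, fullname=drukpa --> Created user id=4 login=drukpa
UserUpdate # michelandre: login=michelandre, fullname=michelandre --> Updated user id=1 login=michelandre
Pas d'erreur, on valide
"""

_CREATED = re.compile(r"^UserCreate # \S+: .*--> Created user id=(?P<id>\d+) login=(?P<login>\S+)$")
_UPDATED = re.compile(r"^UserUpdate # \S+: .*--> Updated user id=(?P<id>\d+) login=(?P<login>\S+)$")
# French for "no error, committing": the script's final line on success.
_COMMITTED = "Pas d'erreur, on valide"


@dataclass
class SyncReport:
    created: dict = field(default_factory=dict)   # login -> Dolibarr user id
    updated: dict = field(default_factory=dict)   # login -> Dolibarr user id
    committed: bool = False
    commit_if_error: bool = False
    excluded: list = field(default_factory=list)  # logins passed via --excludeuser
    ldap_filter: str = ""


def parse_sync_output(text: str) -> SyncReport:
    """Extract created/updated logins and the run's options from the report."""
    report = SyncReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = _CREATED.match(line)
        if m:
            report.created[m["login"]] = int(m["id"])
            continue
        m = _UPDATED.match(line)
        if m:
            report.updated[m["login"]] = int(m["id"])
            continue
        if line == _COMMITTED:
            report.committed = True
        elif line.startswith("commitiferror="):
            report.commit_if_error = line.split("=", 1)[1] == "1"
        elif line.startswith("excludeuser="):
            value = line.split("=", 1)[1]
            report.excluded = [u for u in value.split(",") if u]
        elif line.startswith("Filter="):
            report.ldap_filter = line.split("=", 1)[1]
    return report


def unexpected_logins(report: SyncReport, expected: set) -> list:
    """Logins the run created that were not on the operator's expected list."""
    return sorted(set(report.created) - set(expected))


if __name__ == "__main__":
    rep = parse_sync_output(SAMPLE_OUTPUT)
    print("filter:", rep.ldap_filter)
    print("created:", rep.created, "updated:", rep.updated)
    print("not expected:", unexpected_logins(rep, {"drukpa", "michelandre"}))
```

Feeding the script's output through this after each run gives a record of which directory users gained an ERP login, and flags entries such as the directory admin account that the broad objectClass filter pulls in.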

Thanks, the OpenLDAP part is done and I merged the PR; now I am working on the Samba AD.

For now the RPM is not released; I would like to have both before releasing.

1 Like