Login Problem Dolibarr with Server 2019 AD

NethServer Version: 7.9.2009
Module: Dolibarr 12.0.4

Hi community,
I’ve installed the dolibarr module from @stephdl on a new virtualized server.
The server is connected to a remote Windows Server 2019 AD. We have 3 branches

  • Users
  • Verwaltung
  • Betrieb

The bind user is at the “Users” branch, which is standard for Windows.
If I try to log in with the Bind user I get the error “failed to connect to LDAP” (other users also don’t work).


I’ve compared the output from

account-provider-test dump

with the settings at

/usr/share/dolibarr/htdocs/conf/conf.php

Test Dump

[root@project conf]# account-provider-test dump
{
   "BindDN" : "MyBindUser@Jonas.local",
   "LdapURI" : "ldap://dc1.jonas.local",
   "DiscoverDcType" : "dns",
   "StartTls" : "",
   "port" : 389,
   "host" : "dc1.jonas.local",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "DC=Jonas,DC=local",
   "GroupDN" : "DC=Jonas,DC=local",
   "BindPassword" : "MyBindPassword",
   "BaseDN" : "DC=Jonas,DC=local",
   "LdapUriDn" : "ldap:///dc%3Djonas%2Cdc%3Dlocal"
}

conf.php

<?php
// ================= DO NOT MODIFY THIS FILE =================
// 
// Manual changes will be lost when this file is regenerated.
//
// Please read the developer's guide, which is available
// at NethServer official site: https://www.nethserver.org
//
// 


//
// File generated by nethserver-dolibarr
//
$dolibarr_main_url_root='https://jonas.local/dolibarr';
$dolibarr_main_document_root='//usr/share/dolibarr/htdocs';
$dolibarr_main_url_root_alt='/custom';
$dolibarr_main_document_root_alt='//usr/share/dolibarr/htdocs/custom';
$dolibarr_main_data_root='/usr/share/dolibarr/documents';
$dolibarr_main_db_host='localhost';
$dolibarr_main_db_port='3306';
$dolibarr_main_db_name='dolibarr';
$dolibarr_main_db_prefix='llx_';
$dolibarr_main_db_user='dolibarr';
$dolibarr_main_db_pass='DolibarrDBPassword';
$dolibarr_main_db_type='mysqli';
$dolibarr_main_db_character_set='utf8';
$dolibarr_main_db_collation='utf8_general_ci';


// Authentication settings
$dolibarr_main_authentication='ldap';


// Parameters used to setup LDAP authentication.
//
$dolibarr_main_auth_ldap_host='dc1.jonas.local';           // You can define several servers here separated with a comma.
$dolibarr_main_auth_ldap_port='389';                        // Port
$dolibarr_main_auth_ldap_version='3';
$dolibarr_main_auth_ldap_servertype='activedirectory';             // openldap, activedirectory or egroupware
$dolibarr_main_auth_ldap_login_attribute='cn';             // Ex: uid or samaccountname for active directory
$dolibarr_main_auth_ldap_dn='CN=Users,DC=Jonas,DC=local'; // Ex: ou=users,dc=my-domain,dc=com
//$dolibarr_main_auth_ldap_filter = '';                     // If defined, two previous parameters are not used to find a user into LDAP. Ex: (uid=%1%) or &(uid=%1%)(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com).
$dolibarr_main_auth_ldap_admin_login='MyBindUser@Jonas.local';     // Required only if anonymous bind disabled. Ex: cn=admin,dc=example,dc=com
$dolibarr_main_auth_ldap_admin_pass='MyBindPassword';                       // Required only if anonymous bind disabled. Ex: secret
//$dolibarr_main_auth_ldap_debug='true';



// Security settings
$dolibarr_main_prod='0';
$dolibarr_main_force_https='1';
$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
$dolibarr_nocsrfcheck='0';
$dolibarr_main_instance_unique_id='71df74668b86fa47b1dcfb68932805a9';
$dolibarr_mailing_limit_sendbyweb='0';

//$dolibarr_lib_FPDF_PATH='';
//$dolibarr_lib_TCPDF_PATH='';
//$dolibarr_lib_FPDI_PATH='';
//$dolibarr_lib_TCPDI_PATH='';
//$dolibarr_lib_ADODB_PATH='';
//$dolibarr_lib_GEOIP_PATH='';
//$dolibarr_lib_NUSOAP_PATH='';
//$dolibarr_lib_PHPEXCEL_PATH='';
//$dolibarr_lib_ODTPHP_PATH='';
//$dolibarr_lib_ODTPHP_PATHTOPCLZIP='';
//$dolibarr_js_CKEDITOR='';
//$dolibarr_js_JQUERY='';
//$dolibarr_js_JQUERY_UI='';
//$dolibarr_js_JQUERY_FLOT='';

//$dolibarr_font_DOL_DEFAULT_TTF='';
//$dolibarr_font_DOL_DEFAULT_TTF_BOLD='';

Also I have looked at

messages.log

and found this:

Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_start_tls(): Unable to start TLS: Server is unavailable in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 205
Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_set_option(): supplied resource is not a valid ldap link resource in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 391
Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_set_option(): supplied resource is not a valid ldap link resource in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 215
Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_set_option(): supplied resource is not a valid ldap link resource in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 403
Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_errno(): supplied resource is not a valid ldap link resource in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 344
Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_error(): supplied resource is not a valid ldap link resource in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 345
Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_errno(): supplied resource is not a valid ldap link resource in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 231
Apr 22 11:27:14 project esmith::event[32255]: PHP Warning:  ldap_error(): supplied resource is not a valid ldap link resource in /usr/share/dolibarr/htdocs/core/class/ldap.class.php on line 231

Starttls is disabled

Can somebody help?

Now I’ve read the following sentence on the wiki:

When you use a remote account provider (not installed on the same server of dolibarr) this synchronisation is not more possible, you have to create each user manually inside the user list.

Is it actually right?

I tried to log in with admin, admin; this doesn’t work either. It produces the same error message.

Yes, true, because each time you create a user a MySQL action creates the user inside Dolibarr.

Login admin password admin

Hi Stephane,
I tried with admin admin; it gives the same message.
In conf.php the LDAP (AD) connection is declared, so I think it tries to get the info from the AD server, which doesn’t work.
I’ve found something on the Dolibarr forum. The guy is able to authenticate with an AD server. His conf.php looks like mine.

I never succeeded in reproducing it, but sometimes people cannot authenticate. Try to look inside /var/log/messages to see if you can find an error.

Once done, I propose to reinstall from zero:

remove all rpm nethserver-dolibarr dolibarr
remove the mariadb database
remove the esmith key dolibarr
remove /var/lib/nethserver/secrets/dolibarr

and install again.

The admin admin should work OTB; all other users must be created inside Dolibarr, else you can do nothing. Indeed, when you create a user there is an action to alter the MySQL DB; obviously, remotely you have to do it yourself.


I only found the Dolibarr LDAP error I posted above.
So I did the following as you mentioned:

Uninstall packages

  • yum remove nethserver-dolibarr dolibarr

Deleting the database and control if it is really deleted

  • mysql
  • show databases;
  • drop database dolibarr;
  • show databases;
  • exit

Deleting the database key

  • db esmith delete dolibarr

Deleting the secret key

  • rm /var/lib/nethserver/secrets/dolibarr

Try a new installation

  • yum install nethserver-dolibarr --enablerepo=stephdl-dolibarr

Unfortunately I get the same error as before.

Edit!!!
Authentication is automatically set to LDAP in conf.php

// Authentication settings
$dolibarr_main_authentication='ldap';

and the LDAP settings are set to the remote server.
I didn’t do this manually.

If I delete the connection to the remote AD in the server manager, conf.php changes and I can log in with admin admin.
So could we say it is a bug @stephdl?

To reproduce:

  • connect nethserver to a remote AD (for me Windows Server 2019)
  • install dolibarr
  • try to log in and get “failed to connect to LDAP”
  • click on “Password forgotten” and get an info like: you are connected to LDAP, you can’t reset your password

Can somebody else try it please?

@stephdl Thanks for your help.


Hum, I think it comes from

MysqlAuth=disabled

Could you please try to enable it and restart the event nethserver-dokuwiki-update

[root@ns7dev13 ~]# config setprop dolibarr MysqlAuth enabled
[root@ns7dev13 ~]# signal-event nethserver-dolibarr-update

I think I missed documenting this here: once you can access the Dolibarr application with admin,admin you have to create each user before logging in with it.

Hum, playing with version 13.0.2 I cannot reproduce; I can log in directly with admin and the LDAP password.

I suppose that your bind inside NethServer is correct and you can see all the users?

I cannot reproduce; I can log in with a remote account provider, obviously NethServer.

this is my account provider

[root@ns7dev9 ~]# account-provider-test dump
{
   "BindDN" : "NETHSERVERTEST\\NS7DEV9$",
   "LdapURI" : "ldap://nsdc-ns7dev13.ad.nethservertest.org",
   "DiscoverDcType" : "dns",
   "StartTls" : "1",
   "port" : 389,
   "host" : "nsdc-ns7dev13.ad.nethservertest.org",
   "isAD" : "1",
   "isLdap" : "",
   "UserDN" : "DC=ad,DC=nethservertest,DC=org",
   "GroupDN" : "DC=ad,DC=nethservertest,DC=org",
   "BindPassword" : "(value garbled in extraction, omitted)",
   "BaseDN" : "DC=ad,DC=nethservertest,DC=org",
   "LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Dnethservertest%2Cdc%3Dorg"
}

do you have this

   "StartTls" : "1",
   "port" : 389,

Remotely you cannot bind without encryption; at least it is forbidden by NS.

Your best chance:

Set TLS to 0

then signal-event nethserver-dolibarr-update
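As an added diagnostic, not part of the thread or of the nethserver-dolibarr package, the following Python script cross-checks the `account-provider-test dump` output against the generated conf.php for the mismatches discussed in this thread (StartTls, host/port, search base, login attribute). The sample inputs are constructed from the values posted above, and the check rules are assumptions drawn from the messages.log lines and the replies.

```python
import json
import re

# Constructed sample modelled on the thread (credentials omitted): the JSON
# that `account-provider-test dump` prints for the OP's remote AD ...
DUMP_JSON = """{
   "StartTls" : "",
   "port" : 389,
   "host" : "dc1.jonas.local",
   "isAD" : "1",
   "UserDN" : "DC=Jonas,DC=local"
}"""
# ... and the LDAP lines of the conf.php generated by nethserver-dolibarr.
CONF_PHP = """
$dolibarr_main_auth_ldap_host='dc1.jonas.local';
$dolibarr_main_auth_ldap_port='389';
$dolibarr_main_auth_ldap_login_attribute='cn';
$dolibarr_main_auth_ldap_dn='CN=Users,DC=Jonas,DC=local';
"""
CONF_RE = re.compile(r"^\$(dolibarr_main_auth_ldap_\w+)\s*=\s*'([^']*)';", re.M)

def parse_conf(text):
    """Collect the active (uncommented) $dolibarr_main_auth_ldap_* values."""
    return dict(CONF_RE.findall(text))

def check(dump, conf):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    # ldap.class.php calls ldap_start_tls() before binding (see messages.log),
    # so a provider without StartTls fails at connect time, not at login.
    if dump.get("StartTls") != "1":
        findings.append("StartTls is off on the provider but Dolibarr starts TLS "
                        "first: enable StartTLS on the DC or switch to MysqlAuth")
    if conf.get("dolibarr_main_auth_ldap_host") != dump.get("host"):
        findings.append("ldap host in conf.php differs from the provider host")
    if conf.get("dolibarr_main_auth_ldap_port") != str(dump.get("port")):
        findings.append("ldap port in conf.php differs from the provider port")
    # Generated search base is the CN=Users container only; accounts in the
    # other branches (Verwaltung, Betrieb) are outside it and cannot be found.
    dn, base = conf.get("dolibarr_main_auth_ldap_dn", ""), dump.get("UserDN", "")
    if dn.lower() != base.lower():
        findings.append(f"search base {dn} is narrower than provider UserDN {base}")
    # With login_attribute=cn the login must be the bare AD name, no @realm.
    if dump.get("isAD") == "1" and conf.get("dolibarr_main_auth_ldap_login_attribute") == "cn":
        findings.append("login attribute is cn: log in with the bare user name "
                        "(conf.php's own comment suggests samaccountname for AD)")
    return findings

def run():
    return check(json.loads(DUMP_JSON), parse_conf(CONF_PHP))
```

Calling `run()` on the sample returns three findings: the disabled StartTls, the narrower search base, and the cn login attribute.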

Yes I can see all of them.

Yes, I will do that next week. At the moment some users are testing Dolibarr, so I have to install a new test server only for me. The actual one is disconnected from AD to get it running.

No, this is mine:

   "StartTls" : "",
   "port" : 389,

but SOGo on another NethServer works with the same settings

I will try.

Do it, because Dolibarr expects StartTLS to be mandatory. I think I will patch it.

Well, not sure I will go in that direction; allowing unencrypted LDAP traffic is not a good scenario. Enable TLS over your LDAP if possible, or use MySQL authentication, because as you see, each time you want to add a user you have to manually create it inside the MySQL database.

Hi Stephane,
if I disable TLS the error message changes to “user or password incorrect”. I think there is a problem with the values set for getting users from LDAP. I tried with administrator, administrator@MyDomain and administrator@MyDomain.local.

If I set MysqlAuth to enabled I can log in with the Dolibarr user admin. If I have a look at the users and groups in Dolibarr I can see the users I created without connecting NethServer to the AD.

On the user’s LDAP tab I see the values from LDAP, but get an error:

Failed to connect to LDAP:

As I said, the LDAP implementation in Dolibarr is not good; you have to create the user manually inside MySQL. This is done by an action when you create a user, but remotely I cannot do it. I wonder if using the MySQL account is not better; OK, you have one more password to manage.

And I have to create users twice, or am I wrong? We are using the AD for domain services for the whole network.

But if Dolibarr can’t work with a remote AD or LDAP, the following value should be set automatically if remote AD/LDAP is chosen:

config setprop dolibarr MysqlAuth enabled


I had to use only the username without the domain; that worked for me to log on to the AD…


Thanks for your answer;
after setting it to use MysqlAuth I can log in like you have written.


Could you explain what works, what doesn’t work and what you did to make it work?