Dolibarr no login (LDAP)

My YunoHost server

Hardware:
Server hardware architecture is lxc amd64
Server is running Linux kernel 6.5.11-7-pve
Server is running Debian 11.10
YunoHost version: x.x.x
Server is running YunoHost 11.2.20.1 (stable)
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
If your request is related to an app, specify its name and version: Dolibarr 19.0.0, auto-upgraded by itself to 19.0.2 before first run.

Description of my issue

This confuses me…

image

I thought that means that Yunohost users can access the app.

Instead, I was asked (by Dolibarr first-run) to give a password for the (preselected, read-only) admin user I selected during app install. I gave the same password as for that user on Yunohost; Dolibarr answered with ‘User already exists’.

After that: not any user/password combination works. Not the selected admin user, and not any other user.

Besides that, or actually, before that, the app was locked by /var/www/dolibarr/documents/install.lock, suggesting an upgrade was being carried out. After removing the lock file, the application was available and invited to perform an upgrade (19.0.0 → 19.0.2) before continuing to the first-run wizard.

The password recovery works for normal users, but the admin user does not receive an email. Even so: the password does not match the YNH password for the user.

Lifala gave hints on how to resolve a conflict between Dolibarr and LDAP, but seemingly that was for a working installation.

While installing, I changed accessibility from “Visitors” to “YNH users” (“This can be changed later”, but I don’t see the setting afterwards)

I uninstalled the app, being sure that I did not pay attention or had a mistake while installing.

Second try, this time ‘Available to visitors’, using another user as admin: same process, same symptoms. The password entered for the admin user is not accepted, password recovery for admin does not send an email. Password recovery for other users works, but they don’t have any roles/permissions.

When checking the database, I notice that the admin account does not have an email address configured:

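# mariadb
\r dolibarr
-- look at the first account row
select * from llx_user limit 1;
-- set an email address on the account so that password recovery can reach it
update llx_user set email = 'my_mail@domain.tld' where login = 'mylogin';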

Now I can request a password reset and log in to Dolibarr. I can find how to generate a new password, but not how to change my Dolibarr password to my YNH password, or how to make Dolibarr use LDAP.

I hoped to use a function on the database to hash/encrypt my known YNH password, but the sources use PHP functions for that (which I don’t know how to apply manually). The length of the generated pass_crypt is 60.

Edit: I tried to check whether LDAP is queried, but I don’t know where to find the log. There is no entry in /var/log/auth.log. My YNH-users are available in Dolibarr. None of them have a password or encrypted password in the database. All of them get an error when trying to log in.

The LDAP-connection itself seems OK; the LDAP module in Dolibarr can make a connection :
image

It also finds the correct number of users, but the group configuration is not complete. I don’t know what to enter to make it work, or whether it is a cause for not being able to log in.

It seems I’m on the wrong path. Maybe some upgrade of Dolibarr broke the YNH installer?

Any suggestion?

No one?

I tried to compare my configuration with solutions for LDAP on the Dolibarr forum. One thread mentions checking /var/www/dolibarr/htdocs/conf/conf.php, to see whether ldap is part of authentication. I only had ‘dolibarr’, which implies password login.

Another thread describes how to enable LDAP login. It starts with installing php-ldap, which I expected to be installed but it is not.

So far, not having LDAP as auth option and no php-ldap installed, everything points to ‘no LDAP support’. The app description says logins go via Yunohost though, and my Yunohost users are available in the database (table llx_user). None of them have passwords, only the admin user and another user that I gave an email address in the table so I could request a new (initial) password via Dolibarr’s front page.

It feels like I’m breaking things instead of using the app as intended!

Even so, I continued poking around. Not any of my YNH-users are in a group on Dolibarr, so not any (except the admins) had any access. Perhaps that also prevented login. I added a new group, inserted a user, no go. Checking the group properties, I saw the LDAP page had ‘example’ as dc, instead of ‘yunohost’ as I expected.

Checking LDAP (via menu Setup → Modules/Applications → search LDAP → press gear-icon on the LDAP module, and then ‘Groups’), it turns out that the config for groups has ‘example’ as dc.

LDAP always confuses me terribly (phpLDAPadmin helped a bit, but unfortunately it seems broken).

I copied the settings from the users-tab, keeping ‘groups’ as ou.

The ‘TEST A LDAP SEARCH’-button now works:

image

It doesn’t find any results. Not sure whether that was to be expected (there are groups in YNH, after all).

The action didn’t help in enabling logins either. The ‘dolibarr’ permission is set to ‘Visitors’, but I suppose not all visitors are supposed to enter passwordless; only able to see the login page.
I added the dolibarr-permission to a specific YNH-user and a YNH-group. That also did not help :frowning:

Another idea: the passwords need to be checked one way or another. I expect the hashes of user input at the login to get compared to the hash of the password (supposed by me to be available in LDAP). There’s a number of options available for the password hash. For a moment I thought I found the cause: Dolibarr’s settings say MD5,

while /etc/ldap/slapd.ldif says SSHA:

# Hashes to be used in generation of user passwords
olcPasswordHash: {SSHA}
structuralObjectClass: olcDatabaseConfig

Changing the setting on Dolibarr’s side to SSHA and saving the settings did not improve the situation.

I don’t know where to find the LDAP log. In case someone can point me to it, please do!

Excuses for my long monologue.
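
Added example, not part of the thread and not Dolibarr or YunoHost code: a short Python sketch of why the three hash formats mentioned above (a 60-character `pass_crypt`, the `{SSHA}` scheme from slapd.ldif, and MD5) cannot be compared with each other or produced from one another, and how an `{SSHA}` value is checked. It assumes the 60-character value is bcrypt-shaped; all sample values are constructed.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed placeholder with the layout of a bcrypt string ("$2y$" + cost + 53 chars).
# It is not a real hash of any password.
SAMPLE_BCRYPT_SHAPE = "$2y$10$" + "A" * 53


def make_ssha(password, salt=None):
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Recompute SHA1(password + salt) with the salt embedded in the stored value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is always 20 bytes
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def identify_scheme(stored):
    """Classify a stored password value by its shape only."""
    if re.fullmatch(r"\{SSHA\}[A-Za-z0-9+/]+=*", stored):
        return "ldap-ssha"
    if re.fullmatch(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}", stored):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5-hex"
    return "unknown"


if __name__ == "__main__":
    password = "example-password"  # constructed sample
    ldap_value = make_ssha(password)
    md5_value = hashlib.md5(password.encode()).hexdigest()
    for value in (ldap_value, SAMPLE_BCRYPT_SHAPE, md5_value):
        print(len(value), identify_scheme(value))
    # Same password, fresh salt: the stored strings differ, so they can only be
    # checked by recomputing with the embedded salt, never by string equality.
    print(ldap_value == make_ssha(password), verify_ssha(password, ldap_value))
```

Because every scheme salts and encodes differently, a password set in LDAP can only be checked by the side that holds that hash, which is why copying or regenerating a hash in the database does not substitute for the application authenticating against LDAP.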

I may have found the culprit, or at least something that points at the cause, in rodinux’ post at the bottom of the Dolibarr-announcement thread!

@rodinux , if I may call your attention, is LDAP still working for you? I’d say those errors would match symptoms when a PHP module is missing, as in my case there is no php-ldap installed.

On a hunch I apt install php-ldap, but it did not magically enable log in for YNH users.

Well, the connection with LDAP users works for me…


Thanks for confirming :slight_smile:

If you have time, could you have a look in the Dolibarr LDAP settings, whether it uses ‘anonymous’ / read-only access to LDAP, and see which hashing is used for the password?

I’ll follow the howto on the Dolibarr forum for manual LDAP connection, see if it starts working after that.
