Module LDAP En

LDAP
Number/ID of module 200
User doc. of module This page
Developer doc. of module Module LDAP (developer)

Introduction

The LDAP module must be used if you want to synchronize some Dolibarr entities with an LDAP directory. The entities and directions you can synchronize are:

This assumes that you already have an LDAP server. If this is not the case, you can Install and configure OpenLDAP.

Installation

This module is included with the Dolibarr distribution, so there is no need to install it.


Google LDAP

If you need to use Google LDAP, you may need to install stunnel on a server so that the connection to Google is made with an LDAP client certificate. Dolibarr connects to this server, and stunnel connects to Google on its behalf using the required client certificate:

  • Install stunnel. For example, on Ubuntu:
sudo apt-get install stunnel4
  • Create a configuration file /etc/stunnel/google-ldap.conf (which contains the location of the certificates) with the following contents (assuming ldap-client.crt is the certificate and ldap-client.key is the private key):
[ldap]
client = yes
accept = ip.of.stunnel:1636
connect = ldap.google.com:636
cert = ldap-client.crt
key = ldap-client.key
  • To enable stunnel, edit /etc/default/stunnel4 and set ENABLED=1
  • Restart stunnel.
sudo /etc/init.d/stunnel4 restart
  • Configure your application to point to ldap://ip.of.stunnel:1636. You can replace "1636" with any unused port, provided you also change the accept line in the configuration file above.

In the Dolibarr LDAP setup (see below), select plain LDAP with no StartTLS/SSL/TLS for the connection between Dolibarr and stunnel: the TLS session to Google is established by stunnel, not by Dolibarr.

Note: If you run stunnel on a separate server, you must configure your firewalls so that only the necessary applications can reach the stunnel listener, since it accepts unencrypted LDAP. You can also configure stunnel to listen with TLS so that the data between your application server and the stunnel server is encrypted. The details of both configurations depend on your environment.

Configuration

To use this module, you must first enable it using an administrator account, via the menu option "Home - Setup - Modules".

Choose the tab where the module is listed. Then click on "Activate".

The module is now activated.

If a cog icon appears on the module thumbnail or at the end of the module's line, click on it to access the setup page specific to the module.

Setup to allow Dolibarr - LDAP manual synchronisation

The information you must supply in the LDAP module setup is:

  • Choose what you want to synchronize
  • LDAP server information (IP address, port, ...)

Once this data is filled in, run a test with the button "Test LDAP connection" to be sure it is correct.

  • Enter the organization of your LDAP tree
  • Map the Dolibarr fields to LDAP attributes.

Once this data is filled in, run a test with the button "Test synchronization" to be sure it is correct.

Setup to login in Dolibarr using the password in LDAP

Modify the application configuration file htdocs/conf/conf.php to make Dolibarr check the validity of the password against the LDAP server. This is an example that works with OpenLDAP:

[...]
// Authentication settings
//$dolibarr_main_authentication='dolibarr';
$dolibarr_main_authentication='ldap,dolibarr';   // Allow login with either the LDAP or the Dolibarr password (if the LDAP server is unavailable, keep a non-LDAP password for at least one admin user!)
$dolibarr_main_auth_ldap_host='ldap://<hostname>';   // or ldaps://<hostname>. Several servers can be listed, separated by commas.
$dolibarr_main_auth_ldap_port='389';             // Port: 389 for ldap, 636 for ldaps
$dolibarr_main_auth_ldap_version='3';
$dolibarr_main_auth_ldap_servertype='openldap';  // openldap, activedirectory or egroupware
$dolibarr_main_auth_ldap_login_attribute='uid';  // Ex: uid, or samaccountname for Active Directory
$dolibarr_main_auth_ldap_dn='dc=company,dc=com'; // Ex: ou=users,dc=my-domain,dc=com
$dolibarr_main_auth_ldap_filter = '';            // If defined, the two previous parameters are not used to find the user in LDAP. Ex: (uid=%1%) or &(uid=%1%)(isMemberOf=$
$dolibarr_main_auth_ldap_admin_login='uid=admin,dc=company,dc=com';     // Required only if anonymous bind is disabled. Ex: cn=admin,dc=example,dc=com
$dolibarr_main_auth_ldap_admin_pass='secret';            // Required only if anonymous bind is disabled. Ex: secret
$dolibarr_main_auth_ldap_debug='false';
[...]
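The login typed at the Dolibarr login form ends up inside the LDAP search filter that locates the account: either as "(<login_attribute>=<login>)" under $dolibarr_main_auth_ldap_dn, or in place of the %1% placeholder of $dolibarr_main_auth_ldap_filter. Whatever performs that substitution must escape the login per RFC 4515, otherwise characters such as "*", "(" and ")" are interpreted as filter syntax rather than as part of the user name. The following is an added example, not Dolibarr code and not taken from this page: the function names, the wrapping of a bare "&(...)(...)" template in parentheses and the constructed template and logins are assumptions of the example, and nothing here states how Dolibarr itself substitutes %1%.

```python
"""Building the user lookup filter for an LDAP login flow (added example).

Shows the two lookup modes configured in conf.php above and why the login
value must be escaped before it is placed inside the filter.
"""

# RFC 4515, section 3: characters that must be escaped inside a filter
# assertion value. The join below builds a new string from the original
# characters, so the escape sequences it emits are never re-escaped.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape `value` so the server treats it as data, not filter syntax."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, login_attribute: str = "uid",
                      template: str = "") -> str:
    """Return the search filter that locates the account for `login`.

    - template == "": mirrors $dolibarr_main_auth_ldap_login_attribute,
      giving "(uid=<login>)".
    - template != "": mirrors $dolibarr_main_auth_ldap_filter, replacing
      every %1% with the escaped login. A template written without an
      outer "(" (the "&(uid=%1%)(...)" form in the conf.php comment) is
      wrapped here so the result is one complete filter; that wrapping is
      an assumption of this example.
    """
    safe_login = escape_filter_value(login)
    if not template:
        return f"({login_attribute}={safe_login})"
    filt = template.replace("%1%", safe_login)
    return filt if filt.startswith("(") else f"({filt})"


def build_user_filter_unsafe(login: str, login_attribute: str = "uid",
                             template: str = "") -> str:
    """Same construction with no escaping. Kept only to show what the
    escaping in build_user_filter() prevents; never use this variant."""
    if not template:
        return f"({login_attribute}={login})"
    filt = template.replace("%1%", login)
    return filt if filt.startswith("(") else f"({filt})"


# Constructed inputs for the demonstration (hypothetical group and logins).
GROUP_TEMPLATE = "(&(uid=%1%)(memberOf=cn=dolibarr-users,ou=groups,dc=company,dc=com))"
WILDCARD_LOGIN = "*"             # unescaped: matches every account in scope
SYNTAX_LOGIN = "admin)(uid=*"    # unescaped: rewrites the filter structure


if __name__ == "__main__":
    print("default lookup  :", build_user_filter("jdoe"))
    print("AD lookup       :", build_user_filter("jdoe", "sAMAccountName"))
    print("group template  :", build_user_filter("jdoe", template=GROUP_TEMPLATE))
    print("wildcard, unsafe:", build_user_filter_unsafe(WILDCARD_LOGIN, template=GROUP_TEMPLATE))
    print("wildcard, safe  :", build_user_filter(WILDCARD_LOGIN, template=GROUP_TEMPLATE))
    print("syntax, unsafe  :", build_user_filter_unsafe(SYNTAX_LOGIN))
    print("syntax, safe    :", build_user_filter(SYNTAX_LOGIN))
```

With the unsafe builder a login of "*" turns the group-restricted lookup into "(&(uid=*)(memberOf=...))", which returns every member of the group instead of one account, and the syntax payload splices a second "(uid=*)" clause into the filter. With escaping, the same inputs become "(uid=\2a)" and "(uid=admin\29\28uid=\2a)", which only match accounts whose uid literally contains those characters. Whatever the lookup returns, the login flow should also refuse to proceed unless exactly one entry matched before binding with the user's password.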

Usage

For synchronization from Dolibarr to LDAP, once your setup is done there is nothing more to do. Each time you make a change in Dolibarr, the change is also written to your LDAP directory.

If an error occurs during LDAP synchronization, the whole Dolibarr transaction is rolled back and an error message is shown. Note that the LDAP error messages returned by PHP are not always accurate, so if the message is not clear enough to tell you what is wrong, see the chapter "Errors".

You can, however, run an initial or mass synchronization with scripts (see the chapter Scripts).

Errors

Because the error messages returned by the PHP LDAP functions are not accurate, if you get a message and don't know what is wrong, do the following:

  • Just after the error occurs, a file ldap/temp/ldapinput.in is created in your Dolibarr documents directory. Go into the directory ldap/temp.
  • Open the file ldapinput.in. Its first lines (as comments) contain the full ldap command you can run from the command line to replay the same action that PHP sent to the LDAP server.
  • Run this command. You need the LDAP client utilities (ldapadd, ldapmodify and ldapdelete) installed on your computer.
  • Analyze the result. You should get more information on the reason for the error. Since this file contains the exact data that was sent to the LDAP server, treat it as confidential and delete it once you are done.

Scripts