current best way to authenticate using openLDAP


Dale Scott

Aug 16, 2014, 8:51:06 PM
to try...@googlegroups.com
Hi list, I'm using a local openLDAP server as the source of authentication
for various server apps. What's the best way (module?) for Tryton to
authenticate users using the OpenLDAP server?

Dale




Dale Scott

Aug 16, 2014, 9:37:24 PM
to try...@googlegroups.com
I'm guessing I need *both* trytond_ldap_connection and
trytond_ldap_authentication modules. I try pip install
trytond_ldap_connection and get the following include error. I am running Tryton
on FreeBSD-10 (and understand I may be the only one), but does anything obvious
jump out at anyone? Any suggestions? Fwiw, I'm not using virtualenv.

...
building '_ldap' extension

creating build/temp.freebsd-10.0-RELEASE-p7-i386-2.7

creating build/temp.freebsd-10.0-RELEASE-p7-i386-2.7/Modules

cc -fno-strict-aliasing -O2 -pipe -fno-strict-aliasing -DNDEBUG -fPIC
-DHAVE_SASL -DHAVE_TLS -DHAVE_LIBLDAP_R -DHAVE_LIBLDAP_R
-DLDAPMODULE_VERSION=2.4.15 -IModules -I/opt/openldap-RE24/include
-I/usr/include/sasl -I/usr/include -I/usr/local/include/python2.7 -c
Modules/LDAPObject.c -o
build/temp.freebsd-10.0-RELEASE-p7-i386-2.7/Modules/LDAPObject.o

In file included from Modules/LDAPObject.c:9:

Modules/errors.h:8:10: fatal error: 'lber.h' file not found

#include "lber.h"

^

1 error generated.

error: command 'cc' failed with exit status 1

----------------------------------------
Cleaning up...
Command /usr/local/bin/python2.7 -c "import setuptools,
tokenize;__file__='/tmp/pip_build_root/python-ldap/setup.py';exec(compile(ge
tattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'),
__file__, 'exec'))" install --record
/tmp/pip-Ax0362-record/install-record.txt
--single-version-externally-managed --compile failed with error code 1 in
/tmp/pip_build_root/python-ldap
Storing debug log for failure in /root/.pip/pip.log
root@whizzer:~ #


Mark Hayden

Aug 16, 2014, 9:42:19 PM
to try...@googlegroups.com


On 16 Aug 2014 19:37, "Dale Scott" <dale...@shaw.ca> wrote:
>
> > Hi list, I'm using a local openLDAP server as the source of authentication
> for
> > various server apps. What's the best way (module?) for Tryton to
> authenticate
> > users using the OpenLDAP server?
>
> I'm guessing I need *both* trytond_ldap_connection and
> trytod_ldap_authentication modules. I try pip install
> trytond_ldap_connection and get following include error. I am running Tryton
> on FreeBSD-10 (and understand I may be the only one), but does thing obvious
> jump out at anyone? Any suggestions? Fwiw, I'm not using virtualenv.

I had this working in Debian at one point. If I recall, I did need more than one module. I had to have some dev packages in Debian to build it, if I recall, too. This was in version 2.4, though; the setup might have changed a bit. Will see if I can find notes on what I did then.

Dale Scott

Aug 16, 2014, 11:43:25 PM
to try...@googlegroups.com
On Saturday, 16 August 2014 19:42:19 UTC-6, Mark Hayden wrote:


On 16 Aug 2014 19:37, "Dale Scott" <dale...@shaw.ca> wrote:
>
> > Hi list, I'm using a local openLDAP server as the source of authentication
> for
> > various server apps. What's the best way (module?) for Tryton to
> authenticate
> > users using the OpenLDAP server?
>
> I'm guessing I need *both* trytond_ldap_connection and
> trytod_ldap_authentication modules. I try pip install
> trytond_ldap_connection and get following include error. I am running Tryton
> on FreeBSD-10 (and understand I may be the only one), but does thing obvious
> jump out at anyone? Any suggestions? Fwiw, I'm not using virtualenv.

I had this working in Debian at one point. If I recall, I did need more than one module. I had to have some dev packages in Debian to build it, if I recall, too. This was in version 2.4, though; the setup might have changed a bit. Will see if I can find notes on what I did then.

<snip>


> Modules/errors.h:8:10: fatal error: 'lber.h' file not found

<snip>

It seems py_ldap doesn't get installed by pip as a prerequisite to trytond_ldap_connection. I installed py_ldap ("# pkg install py27-ldap2-2.4.15_1"), then "pip install trytond_ldap_connection" (followed by trytond_ldap_authentication) - no errors and moving on...



Dale Scott

Aug 16, 2014, 11:58:20 PM
to try...@googlegroups.com
Hmmm, no ldap modules in modules list in Tryton client. Do I have to upgrade the database? Just edit trytond.conf? README and INSTALL in the module tarballs unfortunately don't say much. What next? 

Thanks,
Dale

Luis Falcon

Aug 17, 2014, 7:23:12 AM
to Dale Scott, try...@googlegroups.com
Hi Dale
On Sat, 16 Aug 2014 20:58:20 -0700 (PDT)
Dale Scott <da...@dalescott.net> wrote:

> On Saturday, 16 August 2014 21:43:25 UTC-6, Dale Scott wrote:
> >
> > On Saturday, 16 August 2014 19:42:19 UTC-6, Mark Hayden wrote:
> >>
> >>
> >> On 16 Aug 2014 19:37, "Dale Scott" <dale...@shaw.ca> wrote:
> >> >
> >> > > Hi list, I'm using a local openLDAP server as the source of
> >> authentication
> >> > for
> >> > > various server apps. What's the best way (module?) for Tryton
> >> > > to
> >> > authenticate
> >> > > users using the OpenLDAP server?
> >> >
> >> > I'm guessing I need *both* trytond_ldap_connection and
> >> > trytod_ldap_authentication modules. I try pip install
> >> > trytond_ldap_connection and get following include error. I am
> >> > running
> >> Tryton
> >> > on FreeBSD-10 (and understand I may be the only one), but does
> >> > thing
> >> obvious
> >> > jump out at anyone? Any suggestions? Fwiw, I'm not using
> >> > virtualenv.
> >>
Please check the references on configuring LDAP on GNU Health
https://en.wikibooks.org/wiki/GNU_Health/Central_Authentication

I use it on FreeBSD 10, but I have configured and run it also under
Archlinux.

Hope it helps

Best,

Dale Scott

Aug 17, 2014, 11:16:01 AM
to Luis Falcon, Dale Scott, try...@googlegroups.com
Hi Luis,
Looks like a great reference. I'll let you know later if I have success. Thanks.

Dale Scott

Aug 18, 2014, 6:24:16 PM
to try...@googlegroups.com, da...@dalescott.net
Now I'm really confused. I still can't get an LDAP menu selection to appear in the Tryton client. I've installed trytond_ldap_connection and trytond_ldap_authentication using pip, but if I try to init the trytond_ldap_connection module in my database ("scc") I get a "module not found" error. I'm also confused by why I install e.g. trytond_ldap_connection but pip shows trytond-ldap-connection is installed (underscores vs hyphens). Can anyone shed some light?

root@whizzer:~ # pip list | grep trytond
trytond (3.2.2)
trytond-account (3.2.1)
trytond-account-invoice (3.2.1)
trytond-account-invoice-stock (3.2.0)
trytond-account-product (3.2.0)
trytond-company (3.2.0)
trytond-company-work-time (3.2.0)
trytond-country (3.2.0)
trytond-currency (3.2.0)
trytond-dashboard (3.2.0)
trytond-ldap-authentication (3.2.1)
trytond-ldap-connection (3.2.0)
trytond-party (3.2.0)
trytond-product (3.2.0)
trytond-product-attribute (3.2.0)
trytond-production (3.2.0)
trytond-project (3.2.0)
trytond-project-plan (3.2.0)
trytond-purchase (3.2.0)
trytond-sale (3.2.0)
trytond-stock (3.2.2)
trytond-stock-lot (3.2.0)
trytond-stock-split (3.2.0)
trytond-timesheet (3.2.0)
root@whizzer:~ #
root@whizzer:~ # trytond -c /usr/local/etc/trytond.conf -i trytond_ldap_connection -d scc
[Mon Aug 18 22:13:34 2014] INFO:server:using /usr/local/etc/trytond.conf as configuration file
[Mon Aug 18 22:13:34 2014] INFO:server:initialising distributed objects services
[Mon Aug 18 22:13:35 2014] INFO:database:connect to "scc"
[Mon Aug 18 22:13:35 2014] INFO:modules:ir:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:res:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:webdav:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:tests:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:currency:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:product:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:country:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:ldap_connection:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:dashboard:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:party:registering classes
[Mon Aug 18 22:13:35 2014] WARNING:party:Unable to import vatnumber. VAT number validation disabled.
[Mon Aug 18 22:13:35 2014] INFO:modules:product_attribute:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:ldap_authentication:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:company:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:company_work_time:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:stock:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:account:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:stock_split:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:stock_lot:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:account_product:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:production:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:timesheet:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:account_invoice:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:project:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:account_invoice_stock:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:project_plan:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:sale:registering classes
[Mon Aug 18 22:13:35 2014] INFO:modules:purchase:registering classes
[Mon Aug 18 22:13:36 2014] INFO:pool:init pool for "scc"
Traceback (most recent call last):
  File "/usr/local/bin/trytond", line 113, in <module>
    trytond.server.TrytonServer(options).run()
  File "/usr/local/lib/python2.7/site-packages/trytond/server.py", line 123, in run
    Pool(db_name).init(update=update, lang=lang)
  File "/usr/local/lib/python2.7/site-packages/trytond/pool.py", line 151, in init
    lang=lang)
  File "/usr/local/lib/python2.7/site-packages/trytond/modules/__init__.py", line 429, in load_modules
    _load_modules()
  File "/usr/local/lib/python2.7/site-packages/trytond/modules/__init__.py", line 394, in _load_modules
    graph = create_graph(module_list)[0]
  File "/usr/local/lib/python2.7/site-packages/trytond/modules/__init__.py", line 159, in create_graph
    raise Exception('Module %s not found' % module)
Exception: Module trytond_ldap_connection not found
root@whizzer:~ #
 
 

Dale Scott

Aug 18, 2014, 8:22:02 PM
to Dale Scott, try...@googlegroups.com
P.s. Same behaviour with "trytond -c /usr/local/etc/trytond.conf -i trytond-ldap-connection -d scc" ("Exception: Module trytond-ldap-connection not found").

Guillem Barba Domingo

Aug 19, 2014, 2:12:07 AM
to try...@googlegroups.com


On 19/08/2014 2:22, "Dale Scott" <dale...@shaw.ca> wrote:

The module name is ldap_connection
"trytond" is a prefix for the Python package

Dale Scott

Aug 19, 2014, 7:32:49 PM
to try...@googlegroups.com
On Tuesday, 19 August 2014 00:12:07 UTC-6, Guillem Barba Domingo wrote:


On 19/08/2014 2:22, "Dale Scott" <dale...@shaw.ca> wrote:
>
> On Aug 18, 2014, at 4:24 PM, Dale Scott <da...@dalescott.net> wrote:
>
>> On Sunday, 17 August 2014 05:23:12 UTC-6, Luis Falcon wrote:
>>>
>>> Hi Dale
>>> On Sat, 16 Aug 2014 20:58:20 -0700 (PDT)
>>> Dale Scott <da...@dalescott.net> wrote:
>>>
>>> > On Saturday, 16 August 2014 21:43:25 UTC-6, Dale Scott wrote:
>>> > >
>>> > > On Saturday, 16 August 2014 19:42:19 UTC-6, Mark Hayden wrote:
>>> > >>
>>> > >>
>>> > >> On 16 Aug 2014 19:37, "Dale Scott" <dale...@shaw.ca> wrote:
>>> > >> >
>>> > >> > > Hi list, I'm using a local openLDAP server as the source of
>>> > >> authentication
>>> > >> > for
>>> > >> > > various server apps. What's the best way (module?) for Tryton
>>> > >> > > to
>>> > >> > authenticate
>>> > >> > > users using the OpenLDAP server?
>>> > >> >

<snip>


>>> > >>
>>> Please check the references on configuring LDAP on GNU Health
>>> https://en.wikibooks.org/wiki/GNU_Health/Central_Authentication
>>>
>> Now I'm really confused. I still can't get an LDAP menu selection to appear in the Tryton client. I've installed trytond_ldap_connection and trytond_ldap_authentication using pip, but if I try to init the trytond_ldap_connection module in my database ("scc") I get a "module not found" error. I'm also confused by why I install e.g. trytond_ldap_connection but pip shows trytond-ldap-connection is installed (underscores vs hyphens). Can anyone shed some light?
>>

<snip>

The module name is ldap_connection
"trytond" is a prefix for the Python package

Thanks Guillem, good things happen when the correct name is used!  I initialized the ldap_connection and ldap_authentication modules and then updated without errors, and configured LDAP parameters in LDAP > Connection ("Test Connection" button results in "Test Connection Succeed!"). However, Tryton users do not seem to be authenticated using the LDAP server.

1. users created in Tryton before configuring the LDAP server must log in using their original password (I can tell because I used different passwords for several users when creating them in the LDAP server).

2. I created a new user "tuser" (Test User) in the LDAP server (password: "appleton"), and then logged in to Tryton as "admin" using the Tryton client and created a corresponding user "tuser" (password: "notappleton"). This is as per the process in the GNU Health reference https://en.wikibooks.org/wiki/GNU_Health/Central_Authentication (if I understand it correctly). Logging in to Tryton as user "tuser" with password "appleton" fails, but logging in with password "notappleton" is accepted.

Am I missing a step, or doing steps in the wrong order? Does module ldap_authentication require configuration in some way?

3. I saw this bug report: https://bugs.tryton.org/issue3975. Do I need to get updated ldap modules from a source code repository (and not pip)? Under what conditions is the reported issue a problem? My naive reading of the bug report makes it appear an LDAP connection would never have worked, which does not seem correct.

4. Here are the commands I used to install the Tryton LDAP modules, is this correct? (i.e. first "init" a new module, then "update" all modules). Is there a general rule that can always be followed, even if not always required?

# /usr/local/bin/trytond -c /usr/local/etc/trytond.conf -i ldap_connection -d scc
# /usr/local/bin/trytond -c /usr/local/etc/trytond.conf -i ldap_authentication -d scc
# /usr/local/bin/trytond -c /usr/local/etc/trytond.conf -u all -d scc

Thanks,
Dale

Mark Hayden

Aug 20, 2014, 12:32:44 PM
to try...@googlegroups.com

I am not certain, but it may be that if the password field is not null in the database it takes precedence over LDAP. The problem is that if you set any password, the salted hash is stored. Even if you set it to blank afterwards, it makes a salted hash for the field representing a blank string. As I said before, I only played with LDAP back in 2.4, but part of the solution seemed to be to go into psql and make the password field null in the table directly.

Pierre-Louis Bonicoli

Aug 21, 2014, 7:38:26 PM
to try...@googlegroups.com
>> 2. I created a new user "tuser" (Test User) in the LDAP server
>> (password: "appleton"), and then logged to Tryton as "admin" using
>> Tryton client and created a corresponding user "tuser" (password:
>> "notappleton"). This is as per the process in the GNU Health
>> reference
>> https://en.wikibooks.org/wiki/GNU_Health/Central_Authentication (if
>> I understand it correctly). Logging in to Tryton as user "tuser"
>> with password "appleton" fails, but logging in with password
>> "notappleton" is accepted.

It means LDAP authentication fails. You should:
- check the OpenLDAP logs
- in order to test LDAP parameters: query the LDAP server using
'ldapsearch' and 'tuser' on the computer running the tryton server


You could increase the log level of OpenLDAP with the following command:

ldapmodify -QY EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: any
EOF

>> Am I missing a step, or doing steps in the wrong order? Does
>> module ldap_authentication require configuration in some way?
>
> I am not certain but it may be that if the password field is not null
> in the database it takes precedence over ldap.

When the module 'ldap_authentication' is installed:
- first, trytond tries to authenticate using LDAP [1]
- if the LDAP authentication fails, then a 'normal' authentication is tried

>> 4. Here are the commands I used to install the Tryton LDAP modules,
>> is this correct? (i.e. first "init" a new module, then "update" all
>> modules). Is there a general rule that can always be followed, even
>> if not always required?

'init' is only necessary the first time the database is initialized
('trytond -d db -u all' fails with an empty database). Once the database is
created, in order to install a new module, you could use 'init' ('-i')
or 'update' ('-u'); the behavior is the same for both. You could use the
Tryton client (menu Administration/Modules/Modules) too.

Using the Tryton client: note that if you create the directory
containing the Tryton module after the initialization of the database,
you need to update an installed and up-to-date module in order to refresh
the list of modules displayed in the Tryton client [2].

[1]
http://hg.tryton.org/modules/ldap_authentication/file/fd3bd9417ce3/res.py#l116
[2] https://bugs.tryton.org/issue2638

--

Pierre-Louis

Dale Scott

Aug 22, 2014, 5:05:15 PM
to try...@googlegroups.com, pierre-lou...@gmx.fr
On Thursday, 21 August 2014 17:38:26 UTC-6, Pierre-Louis Bonicoli wrote:
>> 2. I created a new user "tuser" (Test User) in the LDAP server
>> (password: "appleton"), and then logged to Tryton as "admin" using
>> Tryton client and created a corresponding user "tuser" (password:
>> "notappleton"). This is as per the process in the GNU Health
>> reference
>> https://en.wikibooks.org/wiki/GNU_Health/Central_Authentication (if
>> I understand it correctly). Logging in to Tryton as user "tuser"
>> with password "appleton" fails, but logging in with password
>> "notappleton" is accepted.

It means LDAP authentication fails. You should:
- check the OpenLDAP logs
- in order to test LDAP parameters: query the LDAP server using
'ldapsearch' and 'tuser' on the computer running the tryton server


Fixed! :-) In slapd log I could see the BIND statement did not show an error, but SEARCH RESULT did not return any entries (nentries=0). I changed Authentication Scope in the Tryton menu [Administration > LDAP > Connection Tryton] from "Base" to "Subtree" and now nentries=1. Thanks for suggestion.

I was performing "trytond --update all" to make LDAP sub-menu appear in Tryton menu. If I understand you correctly, it is only required to update one module, not all. Is that correct? Is the only downside of "update all" the extra time it takes to execute?
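The two observations in this thread (the local "notappleton" password still being accepted after LDAP was configured, and the slapd log showing a clean BIND followed by nentries=0 until the scope was changed from Base to Subtree) can be reproduced with a small model of the login order Pierre-Louis describes. The code below is an added example, not Tryton's ldap_authentication module and not python-ldap: the in-memory directory, the DNs, the search base ou=People,dc=example,dc=org, the simplified salted hash for the local password column and the slapd log excerpt are all constructed for illustration.

```python
"""Model of the LDAP-first, local-password-second login flow discussed in
the thread (constructed example; not Tryton's or python-ldap's code)."""
import hashlib
import hmac
import re

# Constructed directory: DN -> attributes. The test user is one level below
# ou=People, which is why a Base-scoped search from ou=People never finds it.
DIRECTORY = {
    "dc=example,dc=org": {"objectClass": ["dcObject", "organization"]},
    "ou=People,dc=example,dc=org": {"objectClass": ["organizationalUnit"]},
    "uid=tuser,ou=People,dc=example,dc=org": {
        "uid": ["tuser"], "userPassword": ["appleton"]},
}
BASE_DN = "ou=People,dc=example,dc=org"   # assumed search base set in Tryton


def _rdns(dn):
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Does entry_dn lie inside base_dn under LDAP scope base/onelevel/subtree?"""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: %s" % scope)


def search(base_dn, scope, uid):
    """Like ldapsearch -b base_dn -s scope '(uid=<uid>)'; len(result) is
    what slapd logs as nentries."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_scope(dn, base_dn, scope) and uid in attrs.get("uid", [])]


def ldap_bind(dn, password):
    """Simple bind against the constructed directory (plain userPassword)."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return any(hmac.compare_digest(p.encode(), password.encode())
               for p in entry.get("userPassword", []))


def make_local_hash(password, salt):
    """Simplified salted hash for the local password column (not Tryton's format)."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def check_local(stored, password):
    """A NULL column (None) never matches: the state Mark suggests forcing in
    psql so that only the LDAP path can accept the user."""
    if not stored:
        return False
    salt, digest = stored.split("$", 1)
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def login(username, password, local_users, base_dn, scope):
    """Order from the thread: LDAP first, then the local password.
    Returns 'ldap', 'local' or None so the caller can see which path accepted."""
    dns = search(base_dn, scope, username)
    if len(dns) == 1 and ldap_bind(dns[0], password):
        return "ldap"
    if check_local(local_users.get(username), password):
        return "local"
    return None


# Constructed slapd log excerpt of the shape Dale read: BIND with err=0 but
# SEARCH RESULT with nentries=0 means the user entry was not under the base.
SLAPD_LOG = """\
conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="ou=People,dc=example,dc=org" scope=0 deref=0 filter="(uid=tuser)"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""
SEARCH_RESULT = re.compile(r"SEARCH RESULT .*?\bnentries=(\d+)")


def search_result_counts(log_text):
    """nentries of every SEARCH RESULT line; a zero points at base DN or scope."""
    return [int(m.group(1)) for m in SEARCH_RESULT.finditer(log_text)]


LOCAL_USERS = {"tuser": make_local_hash("notappleton", "c0ffee")}

if __name__ == "__main__":
    for scope in ("base", "subtree"):
        for pw in ("appleton", "notappleton"):
            print(scope, pw, "->", login("tuser", pw, LOCAL_USERS, BASE_DN, scope))
    print("nentries per search:", search_result_counts(SLAPD_LOG))
```

With scope "base" the LDAP password is rejected and only the local one works, exactly the behaviour reported above; with "subtree" the LDAP password is accepted, but the stale local password is still accepted through the fall-back, which is the caveat behind Mark's advice to NULL the local password column once LDAP is the intended authority.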
