Setting up LDAP
Lightweight Directory Access Protocol (LDAP) is a centralized access control system used by many small and medium-sized businesses.
Once the LDAP service is configured, you can log into your ERPNext account with your LDAP credentials.
1. Prerequisites
Before you can use LDAP, you must install the ldap3 Python module. To do this, open a terminal on the server that hosts your ERPNext instance, change to the frappe-bench directory and run:
./env/bin/pip install ldap3
You are now ready to enable the LDAP service in ERPNext.
2. Setting up LDAP
To setup LDAP, go to
Home > Integrations > LDAP Settings
ERPNext needs a number of parameters in order to connect to LDAP. They are:
- LDAP Server URL: The URL of your LDAP server. It must be of the form ldap://yourserver:port or ldaps://yourserver:port.
- Base Distinguished Name (DN): The distinguished name of a user who is authorized to search for user information on your LDAP server. This user should have read-only access on your LDAP server.
- Password for Base DN: The password of the user above; it is needed to read the user database on your LDAP server.
- Organizational Unit of Users: The DN of the Organizational Unit that all users on your LDAP server must belong to in order to access ERPNext.
- Default Role on Creation: The role assigned to a user when they are created in ERPNext, i.e. the first time they log in.
- LDAP Search String: This field tells ERPNext how to match the username or email entered on the login screen against the LDAP server. Depending on your preference, you can match on a username or an email address.
The format must be LDAPFIELD={0}.
Active Directory username example: sAMAccountName={0}
Open LDAP username example: uid={0}
- LDAP Email Field: Specifies the LDAP field that contains the user's email address.
Active Directory and Open LDAP example: mail
- LDAP Username Field: Specifies the LDAP field that contains the user's username.
Active Directory example: sAMAccountName
Open LDAP example: uid
- LDAP First Name Field: Specifies the LDAP field that contains the user's first name.
Active Directory example: givenName
Open LDAP example: sn
A number of other optional fields let you map further LDAP user fields to ERPNext user fields. They are:
- Middle Name
- Phone
- Mobile
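The two mechanisms described above, substituting the login value into the LDAP Search String and copying LDAP attributes into ERPNext user fields, as an added example that is not frappe's or ERPNext's own code. It assumes the search string is a template in which {0} is replaced by the value typed on the login screen, and it escapes that value per RFC 4515 before substitution so that characters such as "*", "(" and ")" are matched literally rather than changing the shape of the filter. The setting keys (ldap_email_field and friends) and the ERPNext user field names are assumptions that mirror the labels on the settings page; the LDAP entry is constructed.

```python
"""Build an LDAP search filter from the LDAP Search String setting and map
an LDAP entry onto ERPNext user fields.

Added example; this is not frappe/ERPNext code. It assumes the search
string is a template such as "sAMAccountName={0}" or "uid={0}" in which
{0} is replaced by the value typed on the login screen.
"""

# RFC 4515, section 3: characters that must be hex-escaped inside a filter
# assertion value so that they are matched literally.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a login value before it is placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_string: str, login_value: str) -> str:
    """Substitute the escaped login value into the configured search string.

    The search string must contain the {0} placeholder. A bare "field={0}"
    template is wrapped in parentheses to form a valid filter; a template
    that already is a full filter, e.g. "(|(uid={0})(mail={0}))", is used
    as-is (assumption: templates either start with "(" or are bare).
    """
    if "{0}" not in search_string:
        raise ValueError("LDAP Search String must contain the {0} placeholder")
    filt = search_string.format(escape_filter_value(login_value))
    return filt if filt.startswith("(") else "(" + filt + ")"


# Constructed settings; the keys are assumed names mirroring the labels on
# the LDAP Settings page, not necessarily frappe's internal fieldnames.
SETTINGS = {
    "ldap_email_field": "mail",
    "ldap_username_field": "uid",
    "ldap_first_name_field": "givenName",
    "ldap_middle_name_field": None,  # optional mapping left unset
    "ldap_phone_field": "telephoneNumber",
    "ldap_mobile_field": "mobile",
}

# Setting name -> ERPNext user field it fills (assumed field names).
_USER_FIELDS = {
    "ldap_email_field": "email",
    "ldap_username_field": "username",
    "ldap_first_name_field": "first_name",
    "ldap_middle_name_field": "middle_name",
    "ldap_phone_field": "phone",
    "ldap_mobile_field": "mobile_no",
}


def map_entry_to_user(settings: dict, entry: dict) -> dict:
    """Build the ERPNext user fields from one LDAP entry.

    entry maps LDAP attribute names to lists of values, as an LDAP client
    returns them. Unset mappings and attributes absent from the entry are
    skipped; multi-valued attributes keep their first value.
    """
    user = {}
    for setting, user_field in _USER_FIELDS.items():
        attr = settings.get(setting)
        if not attr:
            continue
        values = entry.get(attr) or []
        if values:
            user[user_field] = values[0]
    return user


if __name__ == "__main__":
    # Constructed entry, as an Open LDAP server might return it.
    entry = {
        "uid": ["jdoe"],
        "mail": ["jdoe@example.com"],
        "givenName": ["Jane"],
        "sn": ["Doe"],
        "telephoneNumber": ["+1 555 0100"],
    }
    print(build_search_filter("uid={0}", "jdoe"))
    print(build_search_filter("sAMAccountName={0}", "j*"))
    print(map_entry_to_user(SETTINGS, entry))
```

A template such as (|(uid={0})(mail={0})) lets the same login screen accept either a username or an email address, which is the choice the LDAP Search String field leaves to you.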
Once your settings are correct, set Enabled at the top of the form. While enabling LDAP, ERPNext attempts to connect to the LDAP server to verify the settings. If the connection fails, you will get an error message and LDAP will not be enabled.
The error message describes the problem that must be fixed before you can proceed.
After LDAP has been enabled, the Login With LDAP option appears on the login screen.
2.1 LDAP Security
The LDAP Security section offers several options for connecting to your LDAP server securely.
- SSL/TLS Mode: Indicates whether to start a TLS session when first connecting to the LDAP server.
- Require Trusted Certificate: Determines whether a trusted certificate is required to connect to the LDAP server.
If you require a trusted certificate, you must specify the paths to your certificate files. The files must be stored on your ERPNext server, and each of the following fields takes the absolute path of a file on that server. The certificate fields are:
- Path to Private Key File
- Path to Server Certificate
- Path to CA Certs File
2.2 LDAP Group Mappings
ERPNext can also map LDAP groups automatically to the appropriate ERPNext roles. For example, you may want the Accounts User role to be assigned automatically to all of your accounting staff.
To enable this, fill in the LDAP Group Field. This is the LDAP attribute, found on the LDAP user object, that lists all the groups the user belongs to.
For Active Directory and Open LDAP it is recommended to set this field to memberOf.
For Open LDAP, this attribute may need to be enabled on your LDAP server; refer to online examples for details.
Keep in mind that every time a user logs in, all ERPNext roles are reviewed and added to or removed from the user's roles accordingly.
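The role review at login described above, as an added example that is not frappe's or ERPNext's own code. It assumes the LDAP Group Field (memberOf) yields a list of group DNs and that the LDAP Group Mappings table can be represented as a mapping of group DN to ERPNext role; the group DNs and mappings are constructed. A design choice of this example, not a statement about ERPNext: only roles that appear in a mapping are added or removed, so roles granted by hand are left alone.

```python
"""Reconcile ERPNext roles from LDAP group membership on each login.

Added example; this is not frappe/ERPNext code. It assumes the LDAP Group
Field (memberOf) yields a list of group DNs and that the LDAP Group
Mappings table is a mapping of group DN to ERPNext role. Design choice of
this example: only roles that appear in a mapping are added or removed,
so roles granted by hand are left alone.
"""


def normalise_dn(dn: str) -> str:
    """Compare group DNs case-insensitively, ignoring space around commas.

    Simplified DN normalisation (assumption); it is enough for DNs written
    the same way in the directory and in the mappings table.
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def reconcile_roles(member_of, group_mappings, current_roles):
    """Return (roles_to_add, roles_to_remove) for one login.

    member_of:      values of the user's LDAP Group Field attribute
    group_mappings: {group_dn: erpnext_role}
    current_roles:  roles the ERPNext user holds before this login
    """
    mapped = {normalise_dn(dn): role for dn, role in group_mappings.items()}
    managed = set(mapped.values())  # roles this mechanism controls
    wanted = {mapped[g] for g in map(normalise_dn, member_of) if g in mapped}
    current = set(current_roles)
    to_add = sorted(wanted - current)
    to_remove = sorted((current & managed) - wanted)
    return to_add, to_remove


def roles_for_new_user(default_role, member_of, group_mappings):
    """Roles for a user created on first login: the Default Role on
    Creation plus whatever the group mappings grant."""
    to_add, _ = reconcile_roles(member_of, group_mappings, [default_role])
    return sorted({default_role, *to_add})


if __name__ == "__main__":
    # Constructed Active Directory style data.
    mappings = {
        "CN=Accounting,OU=Groups,DC=example,DC=com": "Accounts User",
        "CN=Sales,OU=Groups,DC=example,DC=com": "Sales User",
    }
    member_of = ["cn=accounting, ou=groups, dc=example, dc=com"]
    print(reconcile_roles(member_of, mappings, ["Sales User", "Employee"]))
    print(roles_for_new_user("Employee", member_of, mappings))
```

Because the review runs on every login, a user removed from an LDAP group loses the mapped role the next time they sign in, which is the behaviour to expect when you rely on group mappings rather than hand-assigned roles.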
There are two dropdown menus in the LDAP Security section:
1. SSL/TLS Mode - Set this to StartTLS to connect to your LDAP server using StartTLS. If your LDAP server does not support StartTLS, an error message stating that StartTLS is not supported will appear; if you get this error, check your LDAP server's configuration.
2. Require Trusted Certificate - If you set this to Yes, the Frappe/ERPNext server must trust the certificate presented by the LDAP server. Set this to No if you want to use StartTLS with a self-signed (untrusted) certificate. This setting has no effect if StartTLS is not used.