Full LDAP integration

[madmath03]

Feature Request

As a user, I want to be able to connect to Dolibarr with my LDAP credentials without requesting any external user intervention to reduce the support needed by administrators.

Use case

When LDAP authentication and LDAP to Dolibarr user synchronization are enabled, I expect my first login to Dolibarr to automatically create the user with my LDAP attributes and LDAP groups (which should be created if not already present). The need to manually create the user and manually add him to his groups is not acceptable.

If it is already implemented, I would be glad to know how to enable this behavior. So far, I have tested with Dolibarr 5, 6 and 7, linked to an OpenLdap 2.4 and always get this really bothering mode.

Suggested implementation

Nearly all applications that are linked to a LDAP work like that so I guess there must be plenty of choice.

I could be interested to develop this, if someone takes the time to indicate me the core classes that would be impacted.

Suggested steps

• [ ] Share LDAP information between LDAP authentication form and LDAP synchronization module - [ ] Enable the LDAP authentication from the LDAP module instead of conf.php only
• [x] Do not store passwords in Dolibarr for users originated from LDAP (#6295)
• [ ] When user authenticates from LDAP but does not exist in Dolibarr, create him automatically
• [ ] When user authenticates from LDAP but his group(s) don't exist in Dolibarr, create the group(s) automatically and add him to it
• [ ] Rework the form to add a user when LDAP 2 Dolibarr synchro is enabled: displaying every LDAP fields in a combo is kind of ugly and a search field with a list of results to choose from would be a lot better
• [ ] Add a similar field in the form to add a group when LDAP 2 Dolibarr synchro is enabled

[eldy]

I don't understand the point "Share LDAP information between LDAP authentication form and LDAP synchronization module"

For the point "Enable the LDAP authentication from the LDAP module instead of conf.php only", it is not possible as it is a security conflict. The conf.php decide which security system we use to allow access to application. It is read before we enter the application. Having the option inside the application has no sense because it means that we must be authorized to decide how we can be authorized. So the authentication system will always be defined into the conf.php because it must be known before we are inside the application.

The point of #6295 will be fixed for 8.0 (the reason why we stored even when authentication is ldap is because we can use 2 different authentication system, for example "dolibarr"+"ldap". But this will be better managed in 8.0 and field is visible only if authentication is dolibarr+ldap and not when using ldap only.

For the point "When user authenticates from LDAP but does not exist, create him", it is ok. We can add such an option. We must find a developer ready to develop this. The idea is to have a "sample user" so the creation of a new user will get same permission and groups than the sample user.

For the point "When user authenticates from LDAP but his group(s) don't exist in Dolibarr, create the group(s) automatically and add him to it", it is "as it is describe", useless. What will be the permission of the new group ? Group into a LDAP is rarely the same granularity than group in Dolibarr, so matching is rarely possible. I don't know ERP that works like by default without development by an integrator.

Point "Rework the form to add a user when..." looks easy to implement. Need a developer for that. Point "Add a similar field in the form ..." seems ok to do too.

[madmath03]

@eldy Thanks for your time to review this.

To give a bit more details about what I mean... The first point was about the fact that we currently need to enter the LDAP connection info in 2 places : the conf.php file and the LDAP module. The redundancy seems weird and unsafe since those 2 information should always be the same.

Even if I do understand that the application currently reads the conf.php to define the authorization, my whole point is that authorization could also be defined in the database. The conf contains the database information, so it wouldn't be impossible to use those information to connect to DB, retrieve the authorization info to override the default values in the conf, and follow up as before. This would give more flexibility to an admin as to how authorization is managed. I do not understand why you say that you would need to be authorized to get authorization info but this might come from my lack of knowledge of how Dolibarr handle requests against the DB. Should I understand that ALL SQL queries are filtered based on user authorization ? This obviously cannot be true since you do not need to be authenticated to run the install, retrieve the logo on login page and such... Looking forward to understand what you mean there.

Regarding the user and group creation on login, I disagree about a few things. There is no reason to define a "sample user", only define default permissions and/or a default group in which to add the new users. Maybe I am just playing on words and that's already what you had in mind, it's just that I hope to never see a dummy user in the user list. The LDAP goups automatic creation is not as rare as you seem to think. I know at least one ERP that works like that by default and, besides ERP, several other solutions that automatically create or retrieve the LDAP groups. What will be the permission of the new group ? Simple: none ! The point is not to provide default permissions to a group, but to automatically retrieve the groups and add users to it. Instead of manually creating a group, setting its permissions and adding the users to it, the admin only has to set the permissions of the group and users will be added to it automatically. It's true that the granularity of LDAP groups do not always match Dolibarr granularity, but it's not as rare you might think. I've actually worked with companies that managed all their permissions through LDAP groups, which can quite hard to manage for big companies but quite easy with small ones.

[finalbeta]

Hello, I want to add something to this.

For the point "When user authenticates from LDAP but his group(s) don't exist in Dolibarr, create the group(s) automatically and add him to it", it is "as it is describe", useless. What will be the permission of the new group ? Group into a LDAP is rarely the same granularity than group in Dolibarr, so matching is rarely possible. I don't know ERP that works like by default without development by an integrator.

As it stands, I don't understand how the LDAP groups integration works, or it doesn't make sense.

Practical example: I can link dolibarr to ldap, I can see the groups, but the users are not added to the groups. So in my active directory (where I want to manage my usergroups), I have a group "StockManager" with users inside it. So I import the group into dolibarr, and then I manually have to add the same users to the group inside dolibarr.

Letting dolibarr detect active directory groups and it's users would allow you to do all rights management inside active directory (while indeed you would need to set up permissions for the group inside dolibarr at least once)

(I am talking specificly about the groups part in this issue, perhaps a seperate issue would me more apropriate)

[github-actions[bot]]

This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on latest stable version. if this is a feature request, please comment to notify the request is still relevant and not yet covered by latest stable version. Without comment, this issue will be closed automatically by stale bot in 15 days.