Local users beside LDAP
  • Local users beside LDAP

    Hi

    I have a question regarding the LDAP authentication.

    If I enable the LDAP authentication, can I still create local users and log in using them? Or is it only LDAP users then? I'm confused because of the select box in the settings.

  • #2
    Wow, I just had basically the same question earlier today on an older post! Found here: Fallback authentication mechanism when LDAP fails

    I tried searching for "auth_method" on the Git repo and found the following commits:

    It seems like EspoCRM supports the authentication methods Espo, LDAP, ApiKey, and Hmac. What is confusing to me, though, is that the Administration GUI > Authentication > Authentication Method field is where you set the desired method of authentication application-wide across all users, yet when you look inside the user table within the SQL DB, there is an auth_method column present.

    For our specific use case, we just want LDAP to be the default authentication for all users, with the exception of 2 or more user accounts that leverage Espo's native authentication mechanism - instead of LDAP.

    I did try just forcibly updating the desired user table row from null to `Espo` and then rebuilding the application, yet it did not make any difference. All users in this table have user.auth_method = null unless they are an API user, in which case their auth_method is `ApiKey`. It seems like only the previously mentioned application-wide Authentication Method admin field is ever looked at when authenticating a user login. After updating the DB row and rebuilding, I can see "ERROR: LDAP: Authentication failed . . ." attempts in the log file. So it appears as though the user table's auth_method is never actually checked, except probably when you're an API user. Maybe this was just reserved for future use? In the first commit I linked above, it appears that Yuri might be trying to address this particular situation.

    To make this matter even weirder, the first user we created when we first set up EspoCRM out-of-the-box is an Admin with user.id = `1`. This user is NOT in our Windows AD, yet we are seemingly able to use Espo-native authentication for this. So maybe there is indeed an authentication method exception for user ID = 1 OR just Admin users in general?

    At this point my technical know-how is exhausted for trying to address this situation! Hopefully this is some good discovery groundwork for the context around this issue/use-case. This probably needs a custom code change OR the attention of someone from the core Espo team for a workaround...

  • #3
    I also found some information which indicates that as soon as LDAP is enabled, local authentication won't work anymore, except for API users, portal users and admin(s) (it was not clear if all admin users, or only the default admin with the id "1").

    So it doesn't seem to be possible out of the box. You could adjust it yourself by using the code posted here: https://forum.espocrm.com/forum/gene...2685#post62685
    But this will get reset at every update of EspoCRM.

    yuri Are there any plans for something like a local auth fallback (so we could choose between "Espo", "LDAP" and "LDAP + Espo")? Maybe it could be integrated just using the code which I linked above for "LDAP + Espo"?

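An added illustration, written for this page and not taken from EspoCRM or from the forum patch linked in the post above: a small Python model of the two knobs the thread describes (an application-wide Authentication Method and a per-user `auth_method` value that overrides it), extended with a hypothetical `allow_local_fallback` flag for the "LDAP + Espo" case. The `User` class, the `allow_local_fallback` flag, the fake directory and the sample accounts are all constructed for the example. Two design choices are deliberate: the fallback to the local password fires only when the directory is unreachable, never when the directory has answered "no", because a naive "try LDAP, then local" would let an account removed from AD keep logging in with a stale local password; and the fallback is opt-in per account, so a break-glass admin can keep a local password without every user silently gaining a second credential.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed model, not EspoCRM code: it imitates the two knobs discussed in
# the thread (application-wide Authentication Method, per-user auth_method)
# and adds a hypothetical per-account opt-in flag for local fallback.

APP_DEFAULT_METHOD = "LDAP"   # stands in for Administration > Authentication > Authentication Method


class LdapUnavailable(Exception):
    """The directory could not be reached (network down, server offline)."""


@dataclass
class User:
    username: str
    is_admin: bool = False
    user_type: str = "regular"           # "regular", "api" or "portal"
    auth_method: Optional[str] = None    # per-user override; None means "use the app-wide setting"
    allow_local_fallback: bool = False   # hypothetical flag: explicit opt-in, per account
    pw_salt: bytes = b""
    pw_hash: bytes = b""


def set_local_password(user: User, password: str) -> None:
    """Store a salted PBKDF2 hash; an account without one can never log in locally."""
    user.pw_salt = os.urandom(16)
    user.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user.pw_salt, 200_000)


def check_local_password(user: User, password: str) -> bool:
    if not user.pw_hash:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.pw_salt, 200_000)
    return hmac.compare_digest(candidate, user.pw_hash)


def resolve_method(user: User, app_default: str = APP_DEFAULT_METHOD) -> str:
    """Per-user auth_method wins; otherwise the application-wide setting applies."""
    return user.auth_method or app_default


LdapBind = Callable[[str, str], bool]   # (username, password) -> bind ok; may raise LdapUnavailable
AuditLog = List[Tuple[str, str, bool]]  # (username, mechanism used, success)


def authenticate(user: User, password: str, ldap_bind: LdapBind,
                 audit: AuditLog, app_default: str = APP_DEFAULT_METHOD) -> bool:
    method = resolve_method(user, app_default)

    if method == "Espo":                 # explicitly local account (the "2 or more users" case)
        ok = check_local_password(user, password)
        audit.append((user.username, "espo", ok))
        return ok

    if method == "LDAP":
        try:
            ok = ldap_bind(user.username, password)
        except LdapUnavailable:
            # Directory unreachable: only accounts that opted in AND hold a local hash may fall back.
            ok = user.allow_local_fallback and check_local_password(user, password)
            audit.append((user.username, "ldap-unavailable/local-fallback", ok))
            return ok
        # The directory answered. A "no" (wrong password, or account removed from AD) is final:
        # falling back here would let a deprovisioned user in with a stale local password.
        audit.append((user.username, "ldap", ok))
        return ok

    # ApiKey / Hmac are not password mechanisms; an interactive login with them is always denied.
    audit.append((user.username, method.lower(), False))
    return False


def demo() -> AuditLog:
    """Constructed scenario: an AD user, a local-only user, a break-glass admin, an ex-employee."""
    directory = {"alice": "Winter2024!"}          # constructed fake AD contents
    ldap_up = {"state": True}

    def fake_bind(username: str, password: str) -> bool:
        if not ldap_up["state"]:
            raise LdapUnavailable()
        return directory.get(username) == password

    alice = User("alice")                                             # plain LDAP user
    bob = User("bob", auth_method="Espo")                             # per-user Espo override
    set_local_password(bob, "bob-local-pw")
    root = User("admin", is_admin=True, allow_local_fallback=True)    # break-glass admin
    set_local_password(root, "break-glass")
    eve = User("eve", allow_local_fallback=True)                      # removed from AD, stale local pw
    set_local_password(eve, "old-pw")

    audit: AuditLog = []
    authenticate(alice, "Winter2024!", fake_bind, audit)   # True : LDAP bind succeeds
    authenticate(bob, "bob-local-pw", fake_bind, audit)    # True : Espo override, LDAP never consulted
    authenticate(eve, "old-pw", fake_bind, audit)          # False: AD says no, no fallback on rejection
    ldap_up["state"] = False
    authenticate(root, "break-glass", fake_bind, audit)    # True : directory down, opted-in admin falls back
    authenticate(alice, "Winter2024!", fake_bind, audit)   # False: directory down, alice did not opt in
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Running the block prints the audit log for the five constructed logins; the mechanism column makes it visible which path each login took, which is the detail a reviewer would want when a local fallback is bolted onto an LDAP deployment.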
  • #4
    I am raising the topic of "LDAP + Espo" login: is there any sensible solution, or plans to implement such a solution?

  • #5
    At this point my technical know-how is exhausted for trying to address this situation! Hopefully this is some good discovery groundwork for the context around this issue/use-case. This probably needs a custom code change

  • #6
    Hello,
    I have the same question.
    I want to use both the local Espo authentication and the LDAP authentication method.
    Or are all admins enabled after the change to LDAP?
    Regards
    Torsten

  • #7
    I have not dared to make the change yet.
    I'm afraid I won't be able to log in anymore.
