Version: V14

Configure LDAP

LDAP is used by many small and medium-sized organizations for centralized access-control management. Once the LDAP service is set up, you can log in to ERPNext with your LDAP credentials.

1. Prerequisites

To use LDAP, first install the ldap3 Python module. Start by opening a terminal on the host that runs your ERPNext instance.

Change into the frappe-bench directory and run: ./env/bin/pip install ldap3

Once the installation has finished, you can verify it as follows:

./env/bin/pip freeze | grep ldap3
ldap3==2.9.1

You can now enable the LDAP service in ERPNext.

2. Configure LDAP

To configure LDAP, first go to:

Home > Integrations > LDAP Settings

For ERPNext to connect to your LDAP server, a number of parameters are required. The main ones are:

  • LDAP Server URL: The address of your LDAP server, in the form ldap://yourserver:port or ldaps://yourserver:port

  • Base Distinguished Name (DN): This is the distinguished name of the user that has permissions to look up user details on your LDAP server. This should be a user that only has read-only permissions on your LDAP Server.

  • Password for Base DN: This is the password for the user above, that is used to look up user details on your LDAP server.

  • Organization Unit of Users: This is the DN of the Organizational Unit that all users in your LDAP server must be part of to be able to log into ERPNext.

  • Default Role on Creation: When the user is created in ERPNext, they will be assigned with this default role, the first time they log in.

  • LDAP Search String: This field allows ERPNext to match the user/email entered in the ERPNext login screen, with the LDAP Server. For example, you could use email address, or username depending on your preference.

    It must be entered in the format: LDAPFIELD={0}

    Active Directory username example: sAMAccountName={0}

    Open LDAP username example: uid={0}

  • LDAP Email Field: Specifies the LDAP field that contains the email address of the user.

    Active Directory and Open LDAP example: mail

  • LDAP Username Field: Specifies the LDAP field that contains the username of the user.

    Active Directory example : sAMAccountName

    Open LDAP example: uid

  • LDAP First Name Field: Specifies the LDAP field that contains the first name of the user.

    Active Directory example: givenName

    Open LDAP example: sn

There are many other non-mandatory fields that you can use to map your LDAP user fields to the ERPNext user fields. They are:

  • Middle Name
  • Phone
  • Mobile

Once your settings are correct, you can click the Enabled checkbox at the top. When attempting to enable LDAP, ERPNext will try and connect to the LDAP server to ensure the settings are correct. If it fails, you will not be able to enable LDAP and will receive an error message.

The error message will indicate the issue that needs to be resolved to continue.

After LDAP has been enabled, the login screen shows a Login Via LDAP option.

2.1 LDAP Security

In the LDAP Security section, you have several options for connecting securely to your LDAP server.

  • SSL/TLS Mode

    Specifies whether you want to start a TLS session on initial connection to the LDAP server.

  • Require Trusted Certificate

    Specifies whether a trusted certificate is required to connect to the LDAP server.

    If you are specifying a trusted certificate, you will need to specify the paths to your certificate files. These files are to be placed on your ERPNext server, and the following fields should be an absolute path to the files on your server. The certificate fields are:

  • Path to private Key File

  • Path to Server Certificate

  • Path to CA Certs File

2.2 LDAP Group Mappings

ERPNext also allows you to automatically map multiple LDAP groups to the appropriate ERPNext roles. For example, you may want all of your Accounting employees, to automatically have the Accounts User Role.

Ensure that you fill out the LDAP Group Field to allow this. This is the LDAP field that is found on a user object in LDAP, that has all of the groups the user is a member of.

For Active Directory and Open LDAP, this field should be set to memberOf.

Open LDAP may need this field to be enabled on your LDAP server. Please see examples on the internet for more details.

Note that the group mappings are re-evaluated every time a user logs in: mapped roles are added to or removed from the user's roles accordingly.

In the LDAP Settings area, there are two dropdowns.

  1. SSL/TLS Mode - set this to StartTLS to connect to your LDAP server using StartTLS. If your LDAP server does not support StartTLS, setting this to StartTLS will result in the error "StartTLS is not supported". Check the configuration on your LDAP server if you receive this error.

  2. Require Trusted Certificate - if you change this to Yes then the certificate provided by the LDAP server must be trusted by the Frappe/ERPNext server. If you would rather use StartTLS with a self-signed (untrusted) certificate, set this to No. If you do not use StartTLS, this setting is ignored.
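The following is an added example, not ERPNext's own code, that shows how the settings described in sections 2, 2.1 and 2.2 map onto the ldap3 module installed in step 1. It substitutes the login name into the LDAP Search String template only after escaping the characters that are special in an LDAP filter (RFC 4515), turns the SSL/TLS Mode and Require Trusted Certificate dropdowns into an ldap3 Tls configuration, and maps the values of the LDAP Group Field (memberOf) onto roles. The LdapSettings field names, the "Off"/"StartTLS" and "Yes"/"No" option strings, and the requirement that a trusted-certificate setup names an explicit CA bundle are this example's own assumptions; lookup_user needs a reachable LDAP server, the rest runs offline.

```python
"""Added example: how ERPNext's LDAP Settings fields could be applied with ldap3.
Not ERPNext's code; field names and option strings are assumptions."""
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4515 escapes for values placed inside a search filter.  Backslash is
# listed first so it is not re-escaped by the later substitutions.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape every character that changes the meaning of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_string: str, login_name: str) -> str:
    """Fill the 'LDAPFIELD={0}' template from the LDAP Search String field with the
    escaped login name and wrap it as a complete filter, e.g. '(uid=jdoe)'.
    A login name such as '*)(uid=*' therefore stays a literal value and cannot
    widen the search."""
    if "{0}" not in search_string:
        raise ValueError("LDAP Search String must contain {0}")
    return "({})".format(search_string.format(escape_filter_value(login_name)))


@dataclass
class LdapSettings:
    """The fields from the LDAP Settings page (names are this example's own)."""
    server_url: str                          # LDAP Server URL
    base_dn: str                             # Base Distinguished Name (read-only account)
    password: str                            # Password for Base DN
    users_ou: str                            # Organization Unit of Users
    search_string: str                       # LDAP Search String, e.g. "uid={0}"
    email_field: str = "mail"                # LDAP Email Field
    username_field: str = "uid"              # LDAP Username Field
    first_name_field: str = "givenName"      # LDAP First Name Field
    group_field: str = "memberOf"            # LDAP Group Field
    ssl_tls_mode: str = "Off"                # "Off" or "StartTLS" (assumed values)
    require_trusted_certificate: str = "No"  # "Yes" or "No" (assumed values)
    ca_certs_file: Optional[str] = None      # Path to CA Certs File
    private_key_file: Optional[str] = None   # Path to private Key File
    server_certificate: Optional[str] = None  # Path to Server Certificate


def tls_plan(settings: LdapSettings) -> Dict[str, object]:
    """Translate the two security dropdowns into what the TLS session must do.
    Without StartTLS the trusted-certificate setting is ignored, as the page says;
    with StartTLS and Require Trusted Certificate = Yes the server certificate is
    verified against an explicit CA bundle (an assumption of this example)."""
    if settings.ssl_tls_mode != "StartTLS":
        return {"start_tls": False, "validate": None}
    if settings.require_trusted_certificate == "Yes":
        if not settings.ca_certs_file:
            raise ValueError("Require Trusted Certificate is Yes but no CA Certs File given")
        return {"start_tls": True, "validate": ssl.CERT_REQUIRED,
                "ca_certs_file": settings.ca_certs_file}
    # Self-signed (untrusted) certificate accepted: encrypted but not authenticated.
    return {"start_tls": True, "validate": ssl.CERT_NONE}


def roles_from_groups(member_of: List[str], mappings: Dict[str, str]) -> List[str]:
    """Apply an LDAP Group Mappings table (group DN -> ERPNext role) to the DNs
    found in the user's memberOf attribute.  DNs are compared case-insensitively."""
    table = {dn.lower(): role for dn, role in mappings.items()}
    return sorted({table[dn.lower()] for dn in member_of if dn.lower() in table})


def lookup_user(settings: LdapSettings, login_name: str) -> Optional[Dict[str, object]]:
    """Bind with the read-only account, search the users OU for the login name and
    return the mapped attributes, or None unless exactly one entry matches.
    Needs the ldap3 module and a reachable server, so it is not run offline."""
    import ldap3  # installed with ./env/bin/pip install ldap3

    plan = tls_plan(settings)
    tls = None
    if plan["start_tls"]:
        tls = ldap3.Tls(validate=plan["validate"],
                        ca_certs_file=plan.get("ca_certs_file"),
                        local_private_key_file=settings.private_key_file,
                        local_certificate_file=settings.server_certificate)
    server = ldap3.Server(settings.server_url, tls=tls)
    auto_bind = ldap3.AUTO_BIND_TLS_BEFORE_BIND if plan["start_tls"] else ldap3.AUTO_BIND_NO_TLS
    conn = ldap3.Connection(server, user=settings.base_dn,
                            password=settings.password, auto_bind=auto_bind)
    attrs = [settings.email_field, settings.username_field,
             settings.first_name_field, settings.group_field]
    conn.search(settings.users_ou, build_search_filter(settings.search_string, login_name),
                attributes=attrs)
    if len(conn.entries) != 1:
        conn.unbind()
        return None
    entry = conn.entries[0]
    result = {a: entry[a].value for a in attrs[:3]}
    result[settings.group_field] = list(entry[settings.group_field].values)
    conn.unbind()
    return result
```

The escaping in build_search_filter is the security-relevant part: the login field on the ERPNext login screen is attacker-controlled input that lands inside an LDAP filter, so it must never be pasted into the template verbatim. tls_plan mirrors the page's rule that Require Trusted Certificate only matters when StartTLS is on, and makes the "No" case explicit as an encrypted but unauthenticated session.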