
Thread: Does LDAP Group Authentication With AD Even Work ?

  1. #1
    PaulAndersonNRC is offline Sugar Community Member
    Join Date
    Aug 2011
    Location
    Northern Ireland
    Posts
    30

    Does LDAP Group Authentication With AD Even Work ?

    I've installed SugarCRM CE and can't get LDAP group authentication to work with Active Directory. Has anyone ever been able to get this to work, or is it completely broken in the current version? The forums are littered with reports of the same problem and I can see no indication of resolutions.

    The LDAP bind using our SugarCRM service account works, but it can't look the user up in the group in AD.

    I feel like I've tried every possible attribute and option with no joy. Here are the details we are currently using:

    Enable LDAP: yes
    Server: <DC name>.nrc.ac.uk
    Port: 389
    User DN: ou=<OU name>,ou=<OU name>,ou=<OU name>,ou=<OU name>,ou=<OU name>,dc=nrc,dc=ac,dc=uk
    Bind attribute: userPrincipalName
    Login attribute: sAMAccountName
    Group membership: yes
    Group DN: ou=Groups,ou=Staff,dc=nrc,dc=ac,dc=uk
    Group Name: cn=<SugarCRM group name>
    Group membership user attribute: uid
    Group membership group attribute: memberUid
    Authentication: yes
    Username: <SugarCRM service account>@nrc.ac.uk
    Password: <SugarCRM service account password>
    Auto Create Users: yes


    Here is the log file output:

    01/16/12 10:57:47 [2776][-none-][FATAL] ldapauth: uid not found for user sugarcrmtest cannot authenticate against an LDAP group
    01/16/12 10:57:47 [2776][-none-][FATAL] SECURITY: User authentication for sugarcrmtest failed
    01/16/12 10:57:47 [2776][-none-][FATAL] SECURITY: User authentication for sugarcrmtest failed
    01/16/12 10:57:47 [2776][-none-][FATAL] FAILED LOGIN:attempts[9] - sugarcrmtest


    SugarCRM: SugarCRM Community Edition v6.3.1
    O/S: Windows Server 2003 R2 x86 Std
    Web server: Apache v2.2.14
    Server code: PHP v5.2.12

    Even if you could just confirm if this is a dead feature (Sugar developers), this would save me wasting any more time.

  2. #2
    PaulAndersonNRC

    Re: Does LDAP Group Authentication With AD Even Work ?

    LDAP group authentication with AD does work! Thanks to AboveTheLogic and porcupine for posting a solution, along with code, here: Securing SugarCRM with AD/LDAP - SugarCRM Forums.

    In short, download LDAPAuthenticateUser.php from the above thread, rename your existing file and replace it with this on the server. Then you can remove the Group Membership / Group Attribute field value as you've removed the need for it. Also, for Group Membership / User Attribute, put 'memberOf'. The replacement code checks if the group is in the user memberOf attribute! So, to summarise my current, working, settings for group membership LDAP authentication:

    Server: <DC name>.nrc.ac.uk
    Port: 389
    User DN: ou=<OU name>,ou=<OU name>,ou=<OU name>,ou=<OU name>,ou=<OU name>,dc=nrc,dc=ac,dc=uk
    Bind attribute: userPrincipalName
    Login attribute: sAMAccountName
    Group membership: yes
    Group DN: ou=Groups,ou=Staff,dc=nrc,dc=ac,dc=uk
    Group Name: cn=<SugarCRM group name>
    Group membership user attribute: memberOf
    Group membership group attribute: <blank>
    Authentication: yes
    Username: <SugarCRM service account>@nrc.ac.uk
    Password: <SugarCRM service account password>
    Auto Create Users: yes

    I had actually seen the above thread before, but didn't pick it up as a solution. That's because initially AboveTheLogic reports that he wants to use group membership to provide different roles to SugarCRM users, but let everyone in the OU create an account automatically and log on. What I didn't initially realise is that he goes on to change his mind and instead only allow the members of the group to auto create and log on.

    Now to take care of plaintext password transfer! Need to secure traffic between client and CRM server (certificate) and web server and AD (maybe TLS or encryption key)?
    Chris_C likes this.
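
The check this post describes, looking for the configured group in the user's memberOf values, can be sketched as below. This is an added example, not the code from LDAPAuthenticateUser.php or from SugarCRM; the function names, the example.com DNs and the group names are assumptions, and the entries mimic the array shape returned by PHP's ldap_get_entries().

```php
<?php
// Added example; not the code from LDAPAuthenticateUser.php.

// Normalise a DN so two spellings of the same entry compare equal:
// lower-case it and drop whitespace around "," and "=".
// Simplification: values containing an escaped "=" get no special handling.
function normalize_dn($dn) {
    $rdns = preg_split('/(?<!\\\\),/', trim($dn));   // split on unescaped commas
    $out = array();
    foreach ($rdns as $rdn) {
        $pair = explode('=', $rdn, 2);
        if (count($pair) !== 2) {
            return null;                              // malformed DN
        }
        $out[] = strtolower(trim($pair[0])) . '=' . strtolower(trim($pair[1]));
    }
    return implode(',', $out);
}

// $entry has the shape of one element of ldap_get_entries(): attribute
// names are lower-cased and each value list carries a 'count' key.
function user_in_group($entry, $groupName, $groupBase) {
    $wanted = normalize_dn($groupName . ',' . $groupBase);
    if ($wanted === null || !isset($entry['memberof'])) {
        return false;                                 // fail closed
    }
    $values = $entry['memberof'];
    unset($values['count']);
    foreach ($values as $dn) {
        if (normalize_dn($dn) === $wanted) {          // whole-DN match, not substring
            return true;
        }
    }
    return false;
}

// Constructed sample data (example.com, hypothetical group names).
$base  = 'ou=Groups,ou=Staff,dc=example,dc=com';      // "Group DN" setting
$group = 'cn=CRM-Users';                              // "Group Name" setting
$users = array(
    'alice' => array('memberof' => array('count' => 1,
        0 => 'CN=CRM-Users,OU=Groups,OU=Staff,DC=example,DC=com')),
    // A substring test for the group name would also accept bob.
    'bob'   => array('memberof' => array('count' => 1,
        0 => 'CN=CRM-Users-Archive,OU=Groups,OU=Staff,DC=example,DC=com')),
    'carol' => array(),                               // no memberOf returned
);
foreach ($users as $name => $entry) {
    echo $name, ': ', user_in_group($entry, $group, $base) ? 'allow' : 'deny', "\n";
}
```

memberOf does not list a user's primary group or groups reached only through nesting, so a direct-membership check like this one denies those users.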

  3. #3
    PaulAndersonNRC

    Re: Does LDAP Group Authentication With AD Even Work ?

    Managed to get LDAPS group authentication working. I've posted my solution here: http://www.sugarcrm.com/forums/f22/d...00/#post270620
