LDAP Authentication & OS X Server

[beckatlanta]

Greetings, Everyone.

I'm having a problem using LDAP authentication in Sugar CRM with OS X Server's "Open Directory" LDAP system. For those who don't know, "Open Directory" is essentially OpenLDAP with Apple's Admin GUI and semi-unique directory structure.

When looking at the setup in the Admin control panel, it looked pretty straight forward... however after HOURS of not being able to get it to work, and reading EVERY thread on this forum containing the word LDAP... I'm still at a loss.

My setup is as follows:

Enable LDAP: CHECKED
Server: ldap.mydomain.com
Port Number: 389
Base DN: cn=users,dc=ldap,dc=mydomain,dc=com
Bind Attribute: dn
Login Attribute: uid
Authenticated User:
Authenticated Password:
Auto Create Users: CHECKED

For "the fun of it" I've certainly tried a whole bunch of different values, including various login attiributes, server IP instead of name, localhost instead of domain, specifying an Authenticated User (which gives me a bad dn format error), etc, etc, etc.

In phpLDAPadmin, when looking at the record for MY user, it clearly states the dn to be:

Distinguished Name: uid=myusername,cn=users,dc=ldap,dc=mydomain,dc=com

When everything is setup as above, I get no errors other than "You must specify a valid username and password." when attempting to login. By default, OS X Server uses a "password server", however I've also tried setting my LDAP password to use Crypt as well as Clear text.

Anyone have any thoughts or brilliant insight?

TIA,
Dustin Tantum

[jstickle]

I am experiencing similar issues. Have you found a solution yet?

Thanks

[beckatlanta]

I have done MUCH testing of my OS X LDAP server, using various address-book-type applications, and simple PHP scripts to perform a more detailed analysis... and determined that it's working fine.

Given that, I have come to the initial conclusion that the SugarCRM LDAP implementation on OS X (using OS X LDAP at least) is broken.

[jstickle]

Dustin,

After exhausting all options for about a day I finally was able to get the LDAP Authentication Support setup on my Xserve. Check out my settings below hopefully they will help.

Server: 127.0.0.1 (ldap and webserver are on same box)
Port Number: 389
Base DN: dc=servername, dc=domain, dc=com
Bind Attribute: dn
Login Attribute: uid
Authenticated User: (blank)
Authenticated Password: (blank)
Auto Create Users: yes

[beckatlanta]

It works!

After looking at your settings, jstickle... reviewing my initial post and my current settings, I figured out why I was having the problem.

1) On the "System Settings" page under the LDAP section it states the following (slightly edited to save space):

Bind Attribute:_____ LDAP Examples: [Mac OS X: uid]
Login Attribute:____ LDAP Examples: [Mac OS X: dn]

2) In my initial post I incorrectly stated that my setup was:

Bind Attribute: dn
Login Attribute: uid

...but they were actually setup like the examples:

Bind Attribute: uid
Login Attribute: dn

3) The whole thing boils down to the fact that the "LDAP Examples for Mac OS X" are WRONG!
I will certainly admit that when I started this research last month... if I knew then what I know about LDAP now... I would have spotted the trouble MUCH sooner.


4) As stated earlier my earlier post, if your settings are as follows... LDAP Authentication SHOULD work just fine:

Enable LDAP: CHECKED
Server: ldap.mydomain.com
Port Number: 389
Base DN: cn=users,dc=ldap,dc=mydomain,dc=com
Bind Attribute: dn
Login Attribute: uid
Authenticated User:
Authenticated Password:
Auto Create Users: CHECKED

[latrew]

No works for me

[cgray]

This works.
OSX Server 10.5.6, SugarCRM 5.2.0d (Build 5604)

enable LDAP: (checked)
server: (the FQDN of your server, ie server1.mydomain.com)
port: 389
Base DN: dc=server1, dc=mydomain, dc=com (see above example and replace server1 and mydomain)
Bind Attribute: dn
Login Attribute: uid
Authenticated User:: (blank)
Authenticated Password: (blank)
Auto create users: (checked)

[ukpbert]

Yeah, looks like the "bind attribute" and "login attribute" are mixed up. i run openldap, swapped the 2 and voila. I recommend under the base DN specifying the exact OU where your users are located to help with security and such .


phil