
Thread: User Authentication Process

  1. #1
    SharkBait (Member; joined Jul 2006; 9 posts)

    User Authentication Process

    Ok, I have been looking into the process of authenticating a user and I would like to ensure I have the thinking correct when it comes to SugarCRM. Assuming auto_create_user is set False.

    Code:
    1) User enters Username/Password into SugarCRM's login page
    2) SugarCRM checks the settings to see if the values for LDAP are entered
       i) Are LDAP Settings Entered?
            a) YES - Check LDAP for user
                   Yes - Authenticate, No - Check local Sugar User Table
            b) NO - Check local Sugar User Table
    3) Create signed in User (sessions etc)
    4) User carries on their normal way

    What I am curious about is: Can SugarCRM authenticate against multiple domains?
    According to the settings it seems to only authenticate against 1 domain (unless there is a special DN that can be entered for it to check multiple domains).
    In my current project I need to check multiple domains (northamerica.mysite.com, overseas.mysite.com, southpacific.mysite.com) for users to see if they exist so I can authenticate them with their AD (Active Directory) account. I mean if I have to create a user via the local SugarCRM table then what's the point really of checking LDAP in the first place?

    Thanks!

  2. #2
    kuske (Sugar Community Member; joined Oct 2007; Germany; 2,597 posts)

    Re: User Authentication Process

    The LDAP authentication has priority before local check.

    If LDAP authentication fails - THEN uid/pw are checked against the local users table. In the practical context this means that a user has two (!) possible passwords, the LDAP and the local password - nice, isn't it?

    If all Salespeople have their own Sugar installation on a notebook, this makes sense - in house check LDAP, out of the house check local.

    In all other situations it is only a nice feature for the admin who can set all local passwords to a super-password. (Do you already know all super passwords of your photocopiers?)

    If a valid LDAP user authenticates the first time and has no Sugar account yet, a new sugar user will be created - you need not create it by hand - if the auto_create_user is set true.

  3. #3
    SharkBait (Member; joined Jul 2006; 9 posts)

    Re: User Authentication Process

    Though that doesn't answer me if I can use SugarCRM to look up multiple domains for an active directory.

    One project I am working on has offices all over the world and for them we have subdomains set up in our active directory:

    ireland.mysite.com
    us.mysite.com
    mysite.com

    So if I do a look up for me@mysite.com for the LDAP Authentication it works because the DC is set to "dn=mysite,dn=com"

    But if I look for fred@mysite.com (who is really in the ireland.mysite.com AD) I cannot use "dn=mysite,dn=com" nor does it seem to work for it to be set to "dn=ireland,dn=mysite,dn=com"

    If we had hundreds of employees around the world in an Active Directory and SugarCRM can't look up multiple domains then why bother having it as a feature?

    Or is having multiple domains in an active directory not a normal thing?

    I'm just trying to create a system where people only need 1 login.

  4. #4
    brennanma (Junior Member; joined Mar 2011; 1 post)

    Re: User Authentication Process

    I know it's a bit late to be replying to this, but I found this post while I was trying to figure out how to do this very thing. And I figured out a solution.

    When setting up LDAP authentication, instead of authenticating to one domain you need to authenticate to a global catalog server and use port 3268. Your base DN should also be blank. Bind attribute should still be userPrincipalName and the LoginAttribute should still be sAMAccountName. I imagine this might produce an issue if you have a situation where you have more than one user with the same sAMAccountName (and a different UPN) across multiple domains in your forest, but otherwise it should work.

    HTH,
    Matt Brennan
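
The duplicate-sAMAccountName case raised in post #4, as an added example that is not part of the thread or of SugarCRM's code: it resolves a login name to the single userPrincipalName to bind as and refuses the login when a forest-wide search returns more than one account. The function names and the sample entries are hypothetical and constructed for illustration; a real deployment would get the entries from a search against the global catalog.

```python
GC_PORT = 3268   # global catalog port named in post #4
BASE_DN = ""     # blank base DN, so the search spans every domain in the forest

# Constructed sample of a forest-wide search result (not real directory data).
SAMPLE_GC_ENTRIES = [
    {"sAMAccountName": "me", "userPrincipalName": "me@mysite.com"},
    {"sAMAccountName": "fred", "userPrincipalName": "fred@ireland.mysite.com"},
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@us.mysite.com"},
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@ireland.mysite.com"},
]


class AmbiguousLogin(Exception):
    """More than one account in the forest shares the login name."""


def escape_filter_value(value):
    """Escape user input for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_login_filter(login):
    """Filter that would be sent to the global catalog for this login name."""
    return "(sAMAccountName=%s)" % escape_filter_value(login)


def resolve_bind_upn(login, entries):
    """Return the one UPN to bind as, None if unknown; raise if ambiguous.

    `entries` stands in for the result of searching with build_login_filter().
    Matching is case-insensitive, as it is for sAMAccountName in AD.
    """
    matches = [e["userPrincipalName"] for e in entries
               if e["sAMAccountName"].lower() == login.lower()]
    if len(matches) > 1:
        # Fail closed: never pick "the first hit" and bind as the wrong person.
        raise AmbiguousLogin("%s matches %s" % (login, sorted(matches)))
    return matches[0] if matches else None
```

Rejecting an ambiguous name, rather than trying each candidate UPN with the supplied password, keeps one user's password from ever being tested against another domain's account of the same name.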
