Thread: ldap error: Invalid Credentials

  1. #1
    erobledo is offline Junior Member
    Join Date
    May 2007
    Posts
    2

    Question ldap error: Invalid Credentials

    I've set up the sugarcrm open source version and everything seems to work. I'm trying to set up ldap authentication and I keep getting an error, "Error: Invalid Credentials", whenever I try to log in with an AD account. I installed sugarcrm on windows 2000 with Xampp. Below is the system config for LDAP on sugar:

    LDAP Authentication Support
    Enable LDAP yes
    Server: server.domain.corp
    Port Number: 389
    Base DN: DC=DomainName,DC=corp
    Bind Attribute: userPrincipalName
    Login Attribute: sAMAccountName
    Authenticated User: UserName
    Authenticated Password: Password
    Auto Create Users: yes

    I tried using domain/username, or username, or username@domain.com, and I still get the error. Am I setting up the ldap config wrong, or is there anything else I need to do?

    Thanks,
    Eliud

  2. #2
    Mike220474 is offline Sugar Community Member
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    43

    Default Re: ldap error: Invalid Credentials

    I suffered from the same problem in my current version. Version 4.5.1b (Build 1246)
    Got it to work using the following:


    LDAP Authentication Support
    Enable LDAP yes
    Server: server.domain.corp
    Port Number: 389
    Base DN: ou=Users,dc=companynamet,dc=com
    Bind Attribute: uid
    Login Attribute: uid
    Authenticated User: empty
    Authenticated Password: empty
    Auto Create Users: yes

    EDIT:
    I just forgot that I actually found a bug in the Sugar LDAP code which had to be fixed first before the LDAP settings worked:
    The error was found in: ./sugarcrm/modules/Users/authentication/LDAPAuthenticate/LDAPAuthenticateUser.php

    You need to run the following patch:
    Code:
    --- LDAPAuthenticateUser.php.org	2007-06-01 15:00:12.000000000 +0200
    +++ LDAPAuthenticateUser.php	2007-03-27 14:22:11.000000000 +0200
    @@ -72,8 +72,12 @@
     		
     
     		$bind_password = $password;
    -		$GLOBALS['log']->info("ldapauth: Binding user " . $bind_user);
    -		$bind = ldap_bind($ldapconn, $bind_user, $bind_password);
    +                $bind_attr = $GLOBALS['ldap_config']->settings['ldap_bind_attr'];
    +                $base_dn = $GLOBALS['ldap_config']->settings['ldap_base_dn'];
    +                $GLOBALS['log']->info("ldapauth: Binding user $bind_attr=$bind_user, $base_dn");
    +                $bind = ldap_bind($ldapconn, "$bind_attr=$bind_user, $base_dn", $bind_password);
    +//		$GLOBALS['log']->info("ldapauth: Binding user " . $bind_user);
    +//		$bind = ldap_bind($ldapconn, $bind_user, $bind_password);
     		 $error = ldap_errno($ldapconn);
             if($this->loginError($error)){
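    Review bot: the new ldap_bind() call assembles the bind DN by concatenation as "$bind_attr=$bind_user, $base_dn", which only names a real entry when the user sits directly under ldap_base_dn and ldap_bind_attr is that entry's naming attribute; a user several levels down, or a bind attribute of dn, produces a DN that does not exist. $bind_user is also interpolated without DN escaping, so a login name containing a comma, plus or equals sign changes the structure of the DN: escape it (ldap_escape() with LDAP_ESCAPE_DN where the PHP version provides it) or bind with a DN looked up from the directory rather than built from the login name. The two commented-out original lines should be deleted instead of being left in the file.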
    Hope it helps
    Last edited by Mike220474; 2007-06-01 at 01:11 PM.

  3. #3
    erobledo is offline Junior Member
    Join Date
    May 2007
    Posts
    2

    Default Re: ldap error: Invalid Credentials

    Thanks for the suggestions. I changed the settings and applied the patch and it's still giving me the same error. I looked at the sugarcrm.log file and this is what is logged:

    06/01/07 13:51:37,877 [584] FATAL SugarCRM - [LDAP ERROR][49]Invalid credentials
    06/01/07 13:51:37,879 [584] FATAL SugarCRM - SECURITY: ldapauth: failed LDAP bind (login) by erobledo, could not construct bind_user
    06/01/07 13:51:37,881 [584] FATAL SugarCRM - SECURITY: User authentication for erobledo failed
    06/01/07 13:51:37,891 [584] FATAL SugarCRM - SECURITY: User authentication for erobledo failed
    06/01/07 13:51:37,892 [584] FATAL SugarCRM - FAILED LOGIN:attempts[1] - erobledo

  4. #4
    AtlasTC is offline Junior Member
    Join Date
    Jul 2007
    Posts
    1

    Default Re: ldap error: Invalid Credentials

    I just spent half a day banging my head against this, trying to make LDAP authentication work. I finally succeeded and I thought I'd share what I found:

    First, be careful with special characters in the ldap_admin_password field (this is represented in the Admin interface as "Authenticated Password"). I had a right angle bracket in my password and it was getting translated to &gt; somewhere along the line before the bind attempt to search for the user RDN. I believe this is a bug, but I'm too frustrated to go chasing through the code to figure out exactly where the password is being escaped. It was much easier to just change the password.

    Second, I found that for my environment, the code in 4.5.1e was correct in the released version -- Mike220474's fix (above) actually created a problem that was not present in the original code, because of the following facts:
    1. The LDAP entry for the user was not an immediate child of the base DN (it was several levels down).
    2. The bind attribute I was using was dn.


    I have not done extensive testing but based on my experience today I would recommend that if you are not sure the LDAP entry for the user will be an immediate child of the base DN, you should try using dn as the bind attribute BEFORE applying Mike220474's patch.

    ---
    Patrick Correia
    AtlasTC

  5. #5
    bsmithme is offline Junior Member
    Join Date
    Aug 2007
    Posts
    2

    Default Re: ldap error: Invalid Credentials

    I am currently experiencing the same problem as erobledo.

    With basically the same settings as he, I either receive "could not construct bind_user", "invalid dn syntax" or "invalid credentials" with various combinations of settings and applying the aforementioned patch.

    However, the one common denominator with ALL various settings is the error message I am getting in my LDAP server log:

    Code:
    slapd[50]: bind: invalid dn (bsmith)
    This is telling me that the username is not being passed properly in a distinguished name to the LDAP server, and as mentioned before, probably a relatively simple fix in LDAPAuthenticateUser.php, as it is being sent as "bsmith" instead of "uid=bsmith,cn=users,dc=site,dc=com" etc.

    Unfortunately, I'm not good with php code and don't know how to reconstruct it to work.

    I could be wrong on this but it seems evident.

  6. #6
    bsmithme is offline Junior Member
    Join Date
    Aug 2007
    Posts
    2

    Default Re: ldap error: Invalid Credentials

    "Oops."

    I just noticed that the "Bind Attribute" should not be "uid" which makes no sense. The bind attribute should actually be "dn" since that is what we are using to login. This explains why the LDAP server is reporting an invalid dn.

    The tooltip for "Login Attribute" is also in error (at least for OpenLDAP and MOSX), as using "dn" here makes no sense. The login attribute should be the name of the record that contains the login ID (such as uid).

    By entering Bind Attribute: dn
    and Login Attribute: uid

    I seem to be in working order now.
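
The lookup-then-bind flow that the working settings in this thread imply (Login Attribute locates the entry, Bind Attribute supplies the name sent in the bind), as an added PHP example that is not part of any post and is not SugarCRM's code. The function name `ldap_login` and the `$cfg` keys are hypothetical, named after the admin form fields quoted above.

```php
<?php
// Added example; not SugarCRM code. ldap_login() and the $cfg keys are hypothetical,
// named after the fields of the admin form quoted in the thread.
function ldap_login(array $cfg, string $login, string $password): bool
{
    // A DN with an empty password is an "unauthenticated bind" that many
    // servers accept, so reject it before talking to the directory.
    if ($login === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect('ldap://' . $cfg['server'] . ':' . $cfg['port']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 1. Bind as the lookup account ("Authenticated User"), or anonymously if empty.
    $ok = $cfg['admin_user'] !== ''
        ? @ldap_bind($conn, $cfg['admin_user'], $cfg['admin_password'])
        : @ldap_bind($conn);
    if (!$ok) {
        return false;
    }

    // 2. Find the entry by Login Attribute anywhere below the Base DN.
    //    The login name is filter-escaped, never concatenated raw.
    $filter = sprintf('(%s=%s)', $cfg['login_attr'],
        ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $wanted = $cfg['bind_attr'] === 'dn' ? ['1.1'] : [$cfg['bind_attr']];
    $res = @ldap_search($conn, $cfg['base_dn'], $filter, $wanted, 0, 2);
    $entries = $res === false ? ['count' => 0] : ldap_get_entries($conn, $res);
    if ($entries['count'] !== 1) {
        return false; // no match, or an ambiguous one
    }

    // 3. Take the bind name from the entry: its DN, or the value of the
    //    Bind Attribute (ldap_get_entries() lowercases attribute names).
    $bindUser = $cfg['bind_attr'] === 'dn'
        ? $entries[0]['dn']
        : ($entries[0][strtolower($cfg['bind_attr'])][0] ?? '');
    if ($bindUser === '') {
        return false;
    }

    // 4. Re-bind as the user; success here is the actual password check.
    return @ldap_bind($conn, $bindUser, $password);
}
```

On port 389, as configured in the thread, both binds travel in clear text unless `ldap_start_tls($conn)` is called after connecting.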
