LDAP: overwriteSugarUserInfo

[chrismiller]

Just starting out with SugarOS, and I got LDAP auth working and managed to figure out how to get Sugar to copy certain LDAP attributes from the server to Sugar. I would like Sugar to update its info (phone, title, etc.) from the LDAP server each time a user logs in.

In the LDAP auth module's default.php file, there's a reference to

PHP Code:

array('overwriteSugarUserInfo'=>true,) 


but it doesn't look like it has anything to do with what I hoped it would do.

Is there any way to get Sugar to update employee info from LDAP each time a user logs on?

[nhwebforge]

I'm also desperately seeking a solution to this problem too. Surely the advantage of LDAP authentication is a single point of administration for users... but this is useless if any changes made to the LDAP server are not then reflected to the SugarCRM database.

Any assistance greatly appreciated.

[kuske]

It is a bug in SugarCRM for which a solution is described in thread http://www.sugarcrm.com/forums/showthread.php?t=29783

[nhwebforge]

Thanks Kuske, but this solution only allows for an intial import of info upon the user's first login (I found that post a while ago when we were first trying to get the LDAP integration working).

What we're looking for is a synchronisation from LDAP to SugarCRM at every log in.

Example, the user's mobile telephone number changes. The change is made in Active Directory. The next time the user logs into SugarCRM, this new data should be imported and their mobile phone details updated in the SugarCRM database.

Currently, this is not the case.

Any advice?

[kuske]

If your ...\LDAPConfigs\default.php is correct you can use the following patch to update the user information on every successful login.

In module \modules\Users\authentication\LDAPAuthenticate\LDA PAuthenticateUser.php change the statements

Code:

			//user already exists use this one
			if($row = $GLOBALS['db']->fetchByAssoc($dbresult)){
				if($row['status'] != 'Inactive')
					return $row['id'];
				else
					return '';
			}

to

Code:

            //user already exists use this one
            if($row = $GLOBALS['db']->fetchByAssoc($dbresult)){

                if($row['status'] != 'Inactive')
                {
  
                   $user = new User();
                   $user->retrieve($row['id']);
                   foreach($this->ldapUserInfo as $key=>$value){
                      $user->$key = $value;
                   }
                   $user->save();

                   return $row['id'];

                }

                else
                   return '';
            }

[nhwebforge]

Thanks again Kuske!

One question, you say this updates info on a successful login. However, if the users password has changed on the Active Directory, the user will not be able to log into Sugar with the new password. That is to say, the password will only be updated from AD once the user has successfully logged in with their old Sugar password, right?

Can we make it so that if a user changes their password on the AD (like our company policy forces every user to do every three months!) the this will immediately be their Sugar password?

The way I see it working:

I change my AD password.
I attempt to log into Sugar.
Sugar AUTHENTICATES agains AD even if user exists in Sugar's DB. If correct, new password is stored in Sugar DB - at the same time, all data should be synchronised as per my previous post. If not authenticated, access denied even if the password entered is that which currently exists in Sugar DB.

[kuske]

The password cannot be copied from AD to Sugar.

There is only a password verification from Sugar against AD.
So if the AD Password is changed, this is the new Sugar Password too.

If you use LDAP auth. you should not have additional passwords in Sugar, because after an unsuccessful AD auth. Sugar checks the password against its own password list.
This makes sense for the admin but not for "normal" users, so their md5hash can be set tu NULL in then database.

On the other hand, it is not possible to log in in Sugar if your user account is set to inactive.

Have much fun with Sugar
Harald Kuske