
Thread: Soap Ldap Login Problem

  1. #1
    jherington is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    13

    Default Soap Ldap Login Problem

    Hello,

    I have 451h installed with openLdap and can login via the sugar login page via openLdap just fine. I also have soap configured to run login and seamless_login and this too works great for the admin user (who is not in ldap but instead only in the local sugar db). I do not have the ldap encrypt key set in my ldap config. I cannot get my ldap user to pass authentication via the soap login??

    It is 3:50am here and I am out of ideas...I hope someone can please help...TIA

  2. #2
    chinwoei is offline Sugar Community Member
    Join Date
    Jul 2007
    Posts
    91

    Default Re: Soap Ldap Login Problem

    http://www.sugarcrm.com/wiki/index.p...Authentication

    visit the above link
    might be helpful for you.
    that is the wiki help.
    I am from iZeno Pte Ltd
    Personal Site: Technical Sharing
    SugarForge Project:
    iZeno SMS : http://www.sugarforge.org/projects/izeno-sms/

  3. #3
    jherington is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    13

    Default Re: Soap Ldap Login Problem

    Thank you for your reply chinwoei,

    I have seen similar posts and question if it applies to me because I do not have this encryption key value filled or even enabled within my sugarcrm ldap configuration section. Also, I am running in RHEL5 and therefore I assume I would need to install and then reference a php mcrypt extension (ie. extension=mcrypt.so) or something like that.

    Could anyone confirm for me whether or not I HAVE TO enable the ldap encryption key within the sugarcrm ldap config section in order to perform soap logins against ldap users?

    Within my webservice do I continue to compute a MD5 type encryption or do I need to compute a 3DES (assuming I enable and provide an ldap encryption key within sugarcrm ldap config section)? In the post chinwoei referenced it was referring to a Microsoft Outlook configuration and "OutlookTripleDES". Since I don't use Outlook but I do use openLdap does 3DES or TripleDES still apply or do I just stick with MD5 (which seems to be working fine for non-ldap users authenticating via soap)

    Again I think it is worth noting that currently apart from the soap to ldap login method, regular ldap logins work fine even without that encrypt key value filled in.

    Thanks!

  4. #4
    jherington is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    13

    Default Re: Soap Ldap Login Problem

    Hello,

    To update, I installed libmcrypt and then got both php-mcrypt (from rpm) and php5-mcrypt (from debian site which came in the form of tar.gz). When I expanded the php5-mcrypt I found a mcrypt.so...I don't know if I need to do anything else.

    Does encrypt need to be compiled into Apache? I am using the Bitrock LAMP (their latest version 5.5).

    I have tried both php-mcrypt and php5-mcrypt in the sugarcrm php extension dir with extension='mcrypt.so' in php.ini ('mcrypt.so' is the actual name of the module after installing it). I get no errors in the Apache log when I start sugar but I can't tell if anything is working. I still can't edit the encryption key field in the sugar ldap admin section.

    I am somewhat new to linux and so this is all overwhelming, any help would be greatly appreciated.

    I am evaluating sugar for a division of the IRS and they don't have any linux support that is helpful. The IRS has an account with RedHat Support which I have called several times and they too cannot help because SugarCRM is an "unsupported package". I am supposed to show this product next week...possibly I should have gotten the pro version but as a private contractor I was also interested in this for me in other contracts and opportunities.

    If I get a different version of Sugar (like pro) and I install with the bitrock lamp (which has 515 php) can I expect this to work? I am running RHEL5. I upgraded from the original bitrock of sugarcrm 351g because it did not ship with ldap.so and shipped with php 4.x and I could not find ldap.so binary or source for that version of ldap.so.
    Last edited by jherington; 2007-12-08 at 02:42 AM.

  5. #5
    jherington is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    13

    Default Re: Soap Ldap Login Problem

    Hello,

    I now have libmcrypt and php-mcrypt installed and am now able to enter a value into the ldap key field. When I login via soap I do not understand how to encrypt the key and password and send it successfully to sugar authentication.

    I have tried to follow: http://www.sugarcrm.com/wiki/index.p...P_through_SOAP

    But am confused about how the following section of code is working:
    $ldap_hash = bin2hex(mcrypt_cbc(MCRYPT_3DES, $key, $user_password, MCRYPT_ENCRYPT, $iv));

    The following is how I am processing the ldap key and user password: I take the ldap key and encrypt it with MD5 and truncate it to 24 digits - this value is then used along with the clear-text password to setup a 3DES encryption of the password - this is then converted to hex and returned to be used as the password property in user_auth.

    Code:
    Public Shared Function ComputeTripleDESString(ByVal MD5LdapKey As String, ByVal ClearTextPassword As String) As String
                Dim _3DESPassword As String = String.Empty
    
                If MD5LdapKey <> "" AndAlso ClearTextPassword <> "" Then
    
                    ' Note in the example the key needs to be an MD5 of the sugar ldap encryption key used to setup ldap.
                    ' Note the CryptoStream is made up of (Secret-Key, Initialization-Vector) and writes to a memory-stream.
                    ' The CryptoStream object is a System.IO.Stream
                    ' sw writes characters to a stream in a particular encoding
    
                    MD5LdapKey = MD5LdapKey.Substring(0, 24)
    
                    Dim cryptoProvider As TripleDESCryptoServiceProvider = New TripleDESCryptoServiceProvider()
                    Dim ms As MemoryStream = New MemoryStream()
                    Dim cs As CryptoStream = _
                    New CryptoStream(ms, cryptoProvider.CreateEncryptor(System.Text.Encoding.ASCII.GetBytes (MD5LdapKey),System.Text.Encoding.ASCII.GetBytes("password")), CryptoStreamMode.Write)
                    Dim sw As StreamWriter = New StreamWriter(cs)
    
                    sw.Write(ClearTextPassword)
                    sw.Flush()
                    cs.FlushFinalBlock()
                    ms.Flush()
    
                    'convert back to a string
                    _3DESPassword = Convert.ToBase64String(ms.GetBuffer(), 0, ms.Length)
    
                    ' Convert the string to a Byte()
                    Dim _outputBuffer As Byte() = System.Text.Encoding.ASCII.GetBytes(_3DESPassword)
    
                    ' Convert the byte() to a hex-string
                    Dim builder As New StringBuilder(_outputBuffer.Length)
    
                    For i As Integer = 0 To _outputBuffer.Length - 1
                        builder.Append(_outputBuffer(i).ToString("X2"))
                    Next
    
                    _3DESPassword = builder.ToString
                End If
    
                Return _3DESPassword
    End Function
    PS. I can login with this same user just fine when not going through soap. The sugar log file indicates a failed login each time I try to login via soap to ldap. I login just fine through soap if I don't go through ldap (in this case the password is only encrypted to MD5).

    [begin edit]
    Note I just ran this on my computer and with the password being "password" and the key being "abc123" and the iv for the 3des remaining "password"; The 3DES created is: ' 3DES: ("iBOKld9cCHAxe0gdWs87Rw==") and the Hex of the 3DES is: Hex: ("69424F4B6C64396343484178653067645773383752773D3D "). Also to note the original MD5 of the key is: MD5: ("E99A18C428CB38D5F260853678922E03") this is of course before the truncation to a length of 24.
    [end edit]
    Last edited by jherington; 2007-12-08 at 07:36 PM.

  6. #6
    jherington is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    13

    Default Re: Soap Ldap Login Problem

    Still not working...To help clarify I have included a complete code example. This example does NOT work! I can NOT get authenticated soap to ldap. I authenticate fine soap to sugar db. I also authenticate fine when going from the sugar login screen to ldap. Also included below my code is the code example provided on sugar forum written in php and using a mcrypt function. I can't tell exactly what the php author is doing with the MD5 hash but I have tried to both return the byte array and a hex string.

    Code:
    Private Sub LoginLdapUser()
    
                ' abc123 is the text entered into the ldap encryption key field
                Dim _ldapKey As String = "abc123"
                Dim _userName As String = "jherington"
                Dim _userPassword As String = "password"
                Dim _sessionId As String = String.Empty
                Dim _intSeamlessLogin As Integer = 0
                Dim builder As StringBuilder
    
                ' SugarCRM user authentication object
                Dim _user As New user_auth
    
                ' Build MD5 hash from Ldap Key
                Dim md5 As MD5 = md5.Create()
                Dim _inputBuffer As Byte() = System.Text.Encoding.ASCII.GetBytes(_ldapKey)
                Dim _outputBuffer As Byte() = md5.ComputeHash(_inputBuffer)
    
                ' I tried this also...
                ' Convert the byte() to a hex-string
                'builder = New StringBuilder(_outputBuffer.Length)
    
                'For i As Integer = 0 To _outputBuffer.Length - 1
                '    builder.Append(_outputBuffer(i).ToString("X2"))
                'Next
    
                '_outputBuffer = ASCIIEncoding.ASCII.GetBytes(builder.ToString.Substring(0, 24))
    
                ' 3DES Encrypt user password using MD5 Ldap Key and the word "password" as the iv
                Dim cryptoProvider As TripleDES = TripleDES.Create("TripleDES")
                cryptoProvider.Mode = CipherMode.CBC
                cryptoProvider.Key = _outputBuffer
                cryptoProvider.IV = System.Text.Encoding.ASCII.GetBytes("password")
                Dim buff As Byte() = ASCIIEncoding.ASCII.GetBytes(_userPassword)
                buff = cryptoProvider.CreateEncryptor.TransformFinalBlock(buff, 0, buff.Length)
    
                ' Convert binary to hex
                Dim _len As Integer = buff.Length
                builder = New StringBuilder(_len)
                For i As Integer = 0 To _len - 1
                    builder.Append(buff(i).ToString("X2"))
                Next
    
                Dim _3DESPassword As String = builder.ToString
    
                _user.user_name = _userName
                _user.password = _3DESPassword
    
                Dim auth_result As set_entry_result = sugarSoap.login(_user, "Home")
    
                If Not Convert.ToInt32(auth_result.error.number) = 0 Then
    
                    ' An error occured
                    _soapError = String.Concat(auth_result.error.name, ": ", auth_result.error.description)
    
                    ' Clear the existing sessionId
                    _sessionId = String.Empty
    
                    UltraWebTab1.Tabs.GetTab(0).ContentPane.TargetUrl = _
                        "http://itsa2.sugdomain.sug/sugarcrm/index.php?action=Authenticate&module=Users&user_name=" & _
                            "jherington&user_password=password&login_theme=Sugar&login_language=en_us&login_module=Accounts&login_action=index"
    
                Else ' Success
                    ' Set the sessionId
                    _sessionId = auth_result.id
    
                    _intSeamlessLogin = sugarSoap.seamless_login(_sessionId)
    
                    If _intSeamlessLogin <> 0 Then
    
                        UltraWebTab1.Tabs.GetTab(0).ContentPane.TargetUrl = _
                            "http://itsa2.sugdomain.sug/sugarcrm/index.php?module=Home&action=index&MSID=" & _sessionId
                    End If
                End If
            End Sub
    Code example provided on sugar forum which I assume works?

    Code:
    require_once('./path/to/nusoap.php');
     
     $soap_client = new soapclient('http://someurl.com/sugar/soap.php?wsdl');
     
     $user_name = 'matt';
     $user_password = 'mygoodsecret123';
     $app_name = 'myniceprogram';
     
     $key = 'abc123';  // LDAP Key as entered in Sugar
     $key = substr(md5($key),0,24);
     $iv = 'password';  // note that this is the word password, not the user's password or hash...
     $ldap_hash = bin2hex(mcrypt_cbc(MCRYPT_3DES, $key, $user_password, MCRYPT_ENCRYPT, $iv));
     $soap_client->call('login',array('user_auth'=>array('user_name'=>$user_name, 'password'=>$ldap_hash,'version'=>'.1'), 'application_name'=>$app_name));
    Also...I have a very simple openLdap nothing fancy is there anything in particular that Sugar is assuming about the openLdap setup such as some sort of encryption setup or something else?

    Also...Is there anything special I have to do with Apache or PHP besides enable php-mcrypt (which I already did)...like enable any sort of encryption option or whatever?
    Last edited by jherington; 2007-12-09 at 11:05 PM.

  7. #7
    julian is offline Sugar Team Member
    Join Date
    Sep 2004
    Posts
    1,639

    Default Re: Soap Ldap Login Problem

    Hello jherington,

    Unfortunately, I have no experience with LDAP. However, we still may be able to figure this out by comparing the successful LDAP call with the unsuccessful one.

    The normal LDAP authentication (for logging in to the Sugar UI) occurs in ./modules/Users/LDAPAuthenticate/LDAPAuthenticateUser.php. Can you add some logging that checks what kind of password is sent to the LDAP server? You'd be able to see the format of the password sent for the successful call, then compare that to what's sent for the SOAP->LDAP call.

    Sugar obviously needs to do the work of converting your cleartext password (entered by a user on the Login screen) into an LDAP-ready hash. Perhaps you can find where this is done and mimic the behavior in your own code.

    If I'm off track, or if this still doesn't get you toward a working example, let me know and I'll consult some of the other engineers.

    Good luck!
    Julian Ostrow
    Systems and Applications Engineer
    SugarCRM Inc.

  8. #8
    jherington is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    13

    Default Re: Soap Ldap Login Problem

    Thanks Julian,

    I will work on this today and get back to you with what I find.

    Just so I understand what it is I think you are suggesting: When I login directly to Ldap (no Soap) the module you mention will convert my clear-text password into a hash and then pass the username and password hash to the Ldap server...Correct? -and- When I login via Soap to Ldap what I am doing is creating that same password hash prior to sending the password via soap...Correct? I guess the 3DES is strictly an internal hash mechanism within Sugar and then Sugar ultimately just forwards on the actual MD5 hash of the password or maybe just a clear-text of the password?

    Again thanks for the suggestion and I will do some digging and get back to you with what I find!

  9. #9
    julian is offline Sugar Team Member
    Join Date
    Sep 2004
    Posts
    1,639

    Default Re: Soap Ldap Login Problem

    I never do diagrams, but mspaint.exe is calling my name for this one.

    When you fill out the login form, you're obviously entering a cleartext password. Somewhere in Sugar's code, it is being translated to some format that LDAP will accept. When you login through SOAP, that same code may not be triggered (which is the problem). We'll most likely need to fix a bug in Sugar, but in the meantime, you can probably implement that same translation yourself.

    Let me know what you find!
    Julian Ostrow
    Systems and Applications Engineer
    SugarCRM Inc.

  10. #10
    jherington is offline Sugar Community Member
    Join Date
    Oct 2007
    Posts
    13

    Default Re: Soap Ldap Login Problem

    I have finally gotten this working. It turns out it was an issue with how I was 0 padding within the binary to hex conversion. After looking at logging results within the decrypt_string function of SoapHelperFunctions.php, I was able to get the MD5 hash that was produced by the sugar bin2hex. With that target, I came up with the following code which basically pads my .Net hash the same as php:

    Code:
    Shared Function Bin2Hex(ByVal bin() As Byte) As String
                Dim sb As New StringBuilder(bin.Length * 2)
                Dim b As Byte
                For Each b In bin
                    sb.Append(b.ToString("x").PadLeft(2, "0"c))
                Next b
                Return sb.ToString()
    End Function 'Bin2Hex
    Otherwise my code was fine. Hope this helps someone else. Btw, thanks very much to Julian for his effort!
    Last edited by jherington; 2007-12-16 at 05:38 PM.
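
Added example, not part of the original thread and not Sugar's own code: a VB.NET port of the PHP snippet quoted in post #6, making explicit the places where .NET defaults differ from PHP/mcrypt (md5() returns lowercase hex that is used directly as key bytes, mcrypt pads with NUL bytes rather than PKCS7, bin2hex() emits lowercase two-digit hex). The module and function names are hypothetical, UTF-8 password bytes are an assumption, and the decrypt function exists only as a round-trip check.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text
Module SugarLdapSoapHash
    ' Lowercase, two hex digits per byte: the same output shape as PHP's md5() and bin2hex().
    Function ToLowerHex(ByVal data As Byte()) As String
        Dim sb As New StringBuilder(data.Length * 2)
        For Each b As Byte In data
            sb.Append(b.ToString("x2"))
        Next
        Return sb.ToString()
    End Function

    ' PHP: substr(md5($key), 0, 24). The hex characters are the key bytes, so letter case matters.
    Function DeriveKey(ByVal ldapKey As String) As Byte()
        Using hasher As MD5 = MD5.Create()
            Dim digest As String = ToLowerHex(hasher.ComputeHash(Encoding.ASCII.GetBytes(ldapKey)))
            Return Encoding.ASCII.GetBytes(digest.Substring(0, 24))
        End Using
    End Function

    Function CreateCipher(ByVal ldapKey As String) As TripleDES
        Dim tdes As TripleDES = TripleDES.Create()
        tdes.Mode = CipherMode.CBC
        tdes.Padding = PaddingMode.Zeros                 ' mcrypt fills the last block with NUL bytes
        tdes.Key = DeriveKey(ldapKey)
        tdes.IV = Encoding.ASCII.GetBytes("password")    ' fixed IV, as in the PHP snippet
        Return tdes
    End Function

    Function EncryptForSoap(ByVal ldapKey As String, ByVal clearPassword As String) As String
        Dim plain As Byte() = Encoding.UTF8.GetBytes(clearPassword)   ' assumption: UTF-8 bytes
        Using tdes As TripleDES = CreateCipher(ldapKey), encryptor As ICryptoTransform = tdes.CreateEncryptor()
            Return ToLowerHex(encryptor.TransformFinalBlock(plain, 0, plain.Length))
        End Using
    End Function

    ' Receiver's view, used here only as a round-trip check of the encoding.
    Function DecryptFromSoap(ByVal ldapKey As String, ByVal hexText As String) As String
        Dim raw(hexText.Length \ 2 - 1) As Byte
        For i As Integer = 0 To raw.Length - 1
            raw(i) = Convert.ToByte(hexText.Substring(i * 2, 2), 16)
        Next
        Using tdes As TripleDES = CreateCipher(ldapKey), decryptor As ICryptoTransform = tdes.CreateDecryptor()
            Dim padded As String = Encoding.UTF8.GetString(decryptor.TransformFinalBlock(raw, 0, raw.Length))
            Return padded.TrimEnd(Convert.ToChar(0))     ' drop the NUL padding
        End Using
    End Function
    Sub Main()
        Dim hash As String = EncryptForSoap("abc123", "mygoodsecret123")   ' sample values from the thread
        Console.WriteLine("key bytes : " & Encoding.ASCII.GetString(DeriveKey("abc123")))
        Console.WriteLine("password  : " & hash)
        Console.WriteLine("round trip: " & (DecryptFromSoap("abc123", hash) = "mygoodsecret123").ToString())
    End Sub
End Module
```

With a fixed IV and a shared key, the same password always encrypts to the same hex string, so anyone who observes the SOAP request can replay the value; this encoding is not a substitute for transport encryption.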
