Thread: SugarCRM 4.5f Linux server AD authentication

  1. #1
    mpietersen is offline Sugar Community Member
    Join Date
    Oct 2006
    Posts
    10

    Default SugarCRM 4.5f Linux server AD authentication

    As stated in my thread here I have successfully gone through the upgrade wizard to get a functional SugarCRM 4.5f install.

    However I am currently having problems authenticating with my Windows 2003 server to pull my users and passwords.
    Does anyone have this currently working with 4.5f?

    I'm currently running;

    Fedora Core 4

    and my LDAP auth settings are configured as;

    Server: my.server.local
    Port: 389
    Base DN: DC=server,DC=local
    Bind Attri: userPrincipalName
    Login Attri: userPrincipalName (have also tried sAMAccount)
    Auth User: SERVER\

    Whenever I try and logon with my AD user name I get an 'Operations Error'
    Has anyone run into this problem? I'd really like to get it resolved so I can roll 4.5 out to my production box.

    Thanks in advance,
    -mike

  2. #2
    mpietersen is offline Sugar Community Member
    Join Date
    Oct 2006
    Posts
    10

    Default Re: SugarCRM 4.5f Linux server AD authentication

    Can anyone shed some light on this?

  3. #3
    moonese is offline Sugar Community Member
    Join Date
    Dec 2005
    Posts
    44

    Default Re: SugarCRM 4.5f Linux server AD authentication

    Does this post help you?

    If not, in my case, I just made a minor modification to the code to add the domain name before the username.
    Though it works, I don't know why in my case yet.

  4. #4
    mpietersen is offline Sugar Community Member
    Join Date
    Oct 2006
    Posts
    10

    Default Re: SugarCRM 4.5f Linux server AD authentication

    Thanks for the reply, I'm glad someone is trying to help.

    Unfortunately, I've already read and tried all the presented options to no avail.
    When I try and log in with the information in the post presented, these are the errors that sugar gives.


    Fri Nov 17 08:57:27 2006,219 [4728] FATAL SugarCRM - [LDAP ERROR][1]Operations error
    Fri Nov 17 08:57:27 2006,222 [4728] FATAL SugarCRM - SECURITY: ldapauth: failed LDAP bind (login) by mpietersen, could not construct bind_user
    Fri Nov 17 08:57:27 2006,224 [4728] FATAL SugarCRM - SECURITY: User authentication for mpietersen failed
    Fri Nov 17 08:57:27 2006,230 [4728] FATAL SugarCRM - SECURITY: User authentication for mpietersen failed
    Fri Nov 17 08:57:27 2006,232 [4728] FATAL SugarCRM - FAILED LOGIN:attempts[1] - mpietersen
    Fri Nov 17 08:57:45 2006,058 [2784] FATAL SugarCRM -
    Fri Nov 17 08:57:45 2006,066 [2784] FATAL SugarCRM - [LDAP ERROR][-7]Bad search filter
    Fri Nov 17 08:57:45 2006,069 [2784] FATAL SugarCRM - SECURITY: ldapauth: failed LDAP bind (login) by ASFCORP\mpietersen, could not construct bind_user
    Fri Nov 17 08:57:45 2006,071 [2784] FATAL SugarCRM - SECURITY: User authentication for ASFCORP\mpietersen failed
    Fri Nov 17 08:57:45 2006,077 [2784] FATAL SugarCRM - SECURITY: User authentication for ASFCORP\mpietersen failed
    Fri Nov 17 08:57:45 2006,079 [2784] FATAL SugarCRM - FAILED LOGIN:attempts[1] - ASFCORP\mpietersen


    It looks like it's trying to authenticate with the second log entry, but is still not working. All the settings are the same as the 4.2.0 production box (which is still working with AD). HELP!

  5. #5
    dketchum is offline Sugar Community Member
    Join Date
    Jan 2007
    Posts
    10

    Default Re: SugarCRM 4.5f Linux server AD authentication

    Windows 2003, IIS6, mysql 5.0.27, php 5.1.6
    SugarCRM 4.5.1

    I just got LDAP working with 4.5.1 authentication against active directory. LDAP is very picky and active directory doesn't follow the same rules as many other LDAP implementations (not that I've worked with any others, this is just what I've inferred from what I've read and experienced).

    /modules/Users/authentication/LDAPAuthenticate/LDAPAuthenticateUser.php has all the code. You'll notice plenty of debugging lines like this (below). Unfortunately, some trigger fatal errors, some trigger debug, some info, etc, so you need to turn on debug level logging or better yet add your own debugging lines to see exactly what is failing and why. I didn't have to modify the php code to get this to work, but I did add debugging lines to help get it working.

    $GLOBALS['log']->fatal("ldapauth.ldap_authenticate_user: ldap_rdn_lookup returned bind_user=" . $bind_user);

    modify

    /log4php.properties

    to turn on more debugging levels, and read

    /sugarcrm.log to see what happened.

    1) Set
    Bind Attribute: userPrincipalName
    Login Attribute: sAMAccountName
    Everyone else says capitalization is important; I didn't test this.

    2) Active directory will permit an anonymous bind, BUT will not give you any results with an anonymous bind. You MUST fill in an Authenticated User and Authenticated Password to get LDAP working with active directory.

    3) Authenticated User name must be an active directory Display Name (which I assume is also the userPrincipalName), not a sAMAccountName. Example - 'John Doe' works, 'jdoe' does not. Capitalization does not appear to matter for the name. This user should be a restricted user since the password will display in /sugarcrm.log and of course should not be an active directory domain administrator.

    4) This user, and ALL your SugarCRM users, must be in the same active directory OU or Base DN. The Base DN must be specified exactly or nothing works. Install ldp.exe from the Windows support tools on your server to get the Base DN right before proceeding.

    LDP usage:

    1) Connection / Connect / enter your domain controller
    2) Connection / Bind / enter your user, password, and domain. Here you can use the sAMAccountName ('jdoe') and NTLM domain ('domain', not 'dc=domain, dc=com')
    3) View / Tree - Enter the Base DN. If it is not correct and exact you won't get any results. Order DOES matter.

    At this point LDP should show you all the users in the OU / domain.

    Even with LDAP enabled in SugarCRM, SugarCRM will authenticate if the user enters the correct SugarCRM (not active directory) password.

    If everything is working correctly you should now be able to login to SugarCRM with username 'jdoe' (not 'John Doe') and jdoe's active directory password.

    Good luck!
    Last edited by dketchum; 2007-03-01 at 03:36 PM.
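
Added example, not part of any post in this thread and not SugarCRM code: a Python sketch that relates the two [LDAP ERROR] codes in the log from post #4 to the authenticated-bind requirement in post #5 and to RFC 4515 filter escaping. The function names and hint texts are assumptions of this example; the two sample log lines are copied from post #4.

```python
import re

# RFC 4515: inside a filter value these characters must be written as a
# backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    # Escape a user-supplied login name before it is placed in a filter.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def has_valid_escapes(ldap_filter):
    # True when every backslash in the filter starts a two-hex-digit escape.
    return re.search(r"\\(?![0-9A-Fa-f]{2})", ldap_filter) is None

def login_filter(login_attr, username, escape=True):
    # Build the lookup filter, e.g. (sAMAccountName=jdoe).
    value = escape_filter_value(username) if escape else username
    return "(%s=%s)" % (login_attr, value)

# Two lines copied from the sugarcrm.log excerpt in post #4.
SAMPLE_LOG = """\
Fri Nov 17 08:57:27 2006,219 [4728] FATAL SugarCRM - [LDAP ERROR][1]Operations error
Fri Nov 17 08:57:45 2006,058 [2784] FATAL SugarCRM - [LDAP ERROR][-7]Bad search filter
"""

# Hint texts are this example's wording, not SugarCRM output.
HINTS = {
    1: "AD commonly returns this when a search runs without a successful "
       "bind; check Authenticated User and Authenticated Password",
    -7: "client library rejected the filter; a backslash not followed by "
        "two hex digits (as in DOMAIN\\user) is one cause",
}

def triage(log_text):
    # Return (pid, ldap_code, hint) for each [LDAP ERROR] line.
    pattern = r"\[(\d+)\] FATAL SugarCRM - \[LDAP ERROR\]\[(-?\d+)\]"
    return [(int(m.group(1)), int(m.group(2)),
             HINTS.get(int(m.group(2)), "unmapped code"))
            for m in re.finditer(pattern, log_text)]

if __name__ == "__main__":
    raw = login_filter("sAMAccountName", "ASFCORP\\mpietersen", escape=False)
    safe = login_filter("sAMAccountName", "ASFCORP\\mpietersen")
    print(raw, has_valid_escapes(raw))
    print(safe, has_valid_escapes(safe))
    for row in triage(SAMPLE_LOG):
        print(row)
```

Escaping only makes the filter well-formed; whether it matches an entry still depends on what the directory stores in the login attribute.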

  6. #6
    henri.nel is offline Junior Member
    Join Date
    Dec 2009
    Posts
    1

    Default Re: SugarCRM 4.5f Linux server AD authentication

    Hi,

    This is a late reply, but I had the same problem.

    I added my domain name before the bind user: 'domain name'\'username'

    Bind Attribute: userPrincipalName
    Login Attribute: sAMAccountName

    Then check the "Bind to the LDAP server using a specific users credentials" box and enter a valid username with your netbios domain name in front.

    Hope this helps.
