Support for Basic Auth

[housefomore]

Hello, has anyone had any success in using basic auth and Sugar?

As much as I appreciate all of the hard work that has gone into securing Sugar, I'd like to put it behind web server based authentication and SSL (and not have to login twice).

I'd think a quick way in would be to look for an unauthenticated user and
$_SERVER["PHP_USERNAME"] / $_SERVER['PHP_AUTH_USER'] and log the user in. I haven't dug enough into sugar to tell where I would add that.

If anyone else has done this, I'd appreciate a point in the right direction.

Thanks!
-Jason

[hkphooey]

Perhaps you might look into authentication by SSL certificate. Once the user has the cert in their browser, they will just log into SugarCRM in the normal way. If they don't have the certificate, then they can't access the site.

There's a good write up here:

http://it.toolbox.com/blogs/security...ificates-11500

If that's too complex for you (probably the case if you have a large number of users), then I guess you'd just use Basic Auth with .htaccess files, but ask the browser to 'remember' the login, so that your users aren't asked for the password continually.

[macscr]

Did you ever figure this out? i would like to do the same thing. heck, what all authentication options does Sugar support? I havent seen any type of list.

[kbrill]

I'd think a quick way in would be to look for an unauthenticated user and
$_SERVER["PHP_USERNAME"] / $_SERVER['PHP_AUTH_USER'] and log the user in. I haven't dug enough into sugar to tell where I would add that.

Thanks!
-Jason

If there is a way to get to the user name and password that was typed in (I have never used it this way so I am unsure if you can) you could do something like this in a launch script.

PHP Code:

<?php
$username=$AUTH_USERNAME; //however you would get to it
$password=$AUTH_PASSWORD; 
headers("http://localhost/noedit/SugarEnt-Full-5.5.0/index.php?
action=Authenticate&
module=Users&
login_module=Home&
login_action=index&
user_name={$username}&
user_password={$password}"
?>

If you can't get to those typed in values then maybe you could have each username start in it's own home directory where the username and password would be stored.

[Leendert]

I required something similar to Basic Auth. On our server we use Kerberos based authentication using mod_auth_kerb, and apply password protection to the directories containing the sugarCRM application.

Assuming you have configured your webserver correctly, the $_SERVER['REMOTE_USER'] variable should be set and can be used to log the user in. To do so I extended the default SugarCRM 5.5 CE installation by creating a new authentication module and modified login page. The scheme here requires the user to exist in the sugarCRM database already and simply eliminates the password prompt at the login page, allowing the user to login without typing a password.
If a username and password are specified on the login page and the specified username does not match REMOTE_USER the authentication falls back to the SugarAuthentication framework. This is useful if you have users in sugarCRM that are not available in your Kerberos or other server side authentication mechanism, e.g. the admin user created at install time.

The modification I made are as follows:

Create a new authentication module by create a new directory: modules/Users/authentication/KerbAuthenticate inside this directory I created two files:

KerbAuthenticate.php

Code:

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/**
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 */

/**
 * This file is used to control the authentication process. 
 * It will call on the user authenticate and control redirection 
 * based on the users validation
 *
 */
require_once('modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php');
class KerbAuthenticate extends SugarAuthenticate {
	var $userAuthenticateClass = 'KerbAuthenticateUser';
	var $authenticationDir = 'KerbAuthenticate';
	/**
	 * Constructs KerbAuthenticate
	 * This will load the user authentication class
	 *
	 * @return KerbAuthenticate
	 */
	function KerbAuthenticate(){
		parent::SugarAuthenticate();
	}

}

and KerbAuthenticateUser.php:

Code:

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/**
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 */

/**
 * This file uses password-less authentication based on the REMOTE_USER HTTP
 * server variable, if set. Otherwise, it falls back on the standard
 * SugarAuthenticate method.
 *
 */

require_once('modules/Users/authentication/SugarAuthenticate/SugarAuthenticateUser.php');

define('KERB_REALM', '@DOMAIN.COM');

class KerbAuthenticateUser extends SugarAuthenticateUser{

	/**
	 * Does the actual authentication of the user and returns an id that will be used
	 * to load the current user (loadUserOnSession)
	 *
	 * @param STRING $name
	 * @param STRING $password
	 * @return STRING id - used for loading the user
	 *
	 */
	function authenticateUser($name, $password, $fallback=false) {

		if (isset($_SERVER['REMOTE_USER'])) {
			$kerb_user_id = str_ireplace(KERB_REALM, '', $_SERVER['REMOTE_USER']);

			// If the REMOTE_USER matches the typed login name, check if the user is in the SugarCRM
			// database and not inactive.
			if ($kerb_user_id == $name) {
				$name = $GLOBALS['db']->quote($name);
				$query = "SELECT * from users where user_name='$name' AND (portal_only IS NULL OR portal_only !='1') AND (is_group IS NULL OR is_group !='1') AND status !='Inactive'";
				$result = $GLOBALS['db']->limitQuery($query,0,1,false);
				$row = $GLOBALS['db']->fetchByAssoc($result);

				// If the user is active in the CRM database return the user id, otherwise the authentication fails
				if (empty ($row)) {
					return '';
				} else {
					return $row['id'];
				}
			}
		} 
		// else: The REMOTE_USER is not specified, does not match the typed name or is not an active user
		// in the SugarCRM user database

		return '';
	}


	/**
	 * this is called when a user logs in 
	 *
	 * @param STRING $name
	 * @param STRING $password
	 * @param STRING $fallback - is this authentication a fallback from a failed authentication
	 * @return boolean
	 *
	 */
	function loadUserOnLogin($name, $password, $fallback = false) {

		// Check if the REMOTE_USER is specified (e.g. through HTTP BasicAuth or Negotiate)
		// try logging in using the REMOTE_USER variable if no password is specified
		if (isset($_SERVER['REMOTE_USER'])) {
			$GLOBALS['log']->debug("Using HTTP based authentication for ". $_SERVER['REMOTE_USER']);
			$user_id = $this->authenticateUser($name, '', $fallback);
			if(!empty($user_id)) {
				return $this->loadUserOnSession($user_id);
			}
		}

                // Could not authenticate. The calling class will determine if fallback
                // is appropriate (depending on KerbAuthenticate only setting in user panel)
                return false;

	}

}

?>

See post below for continuation:

[Leendert]

Continued from above:

I then modified the login in screen that informs the user that he or she is already authenticated as REMOTE_USER and hide the password box. If the user changes the username the password box is shown. To create this revised login screen I created the directory custom/modules/Users with the following files, which are only slightly modified from the default install:

Login.php

Code:

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
 * SugarCRM is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004 - 2009 SugarCRM Inc.
 * 
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 * 
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
 * 
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU General Public License version 3.
 * 
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo. If the display of the logo is not reasonably feasible for
 * technical reasons, the Appropriate Legal Notices must display the words
 * "Powered by SugarCRM".
 ********************************************************************************/
/*********************************************************************************

 * Description: TODO:  To be written.
 * Portions created by SugarCRM are Copyright (C) SugarCRM, Inc.
 * All Rights Reserved.
 * Contributor(s): ______________________________________..
 ********************************************************************************/
define('KERB_REALM','@DOMAIN.COM');
$sugar_smarty = new Sugar_Smarty();
$sugar_smarty->assign('MOD', $mod_strings);
$sugar_smarty->assign('APP', $app_strings);
echo '<link rel="stylesheet" type="text/css" media="all" href="modules/Users/login.css">';
echo '<script type="text/javascript" src="modules/Users/login.js"></script>';


global $app_language, $sugar_config;
//we don't want the parent module's string file, but rather the string file specifc to this subpanel
global $current_language;

$query = "SELECT count(id) as total from users WHERE status='Active' AND deleted=0 AND is_group=0 AND portal_only=0";



if (isset($_GET['login_module']))
	$sugar_smarty->assign('LOGIN_MODULE', $_GET['login_module']);
if (isset($_GET['login_action']))
	$sugar_smarty->assign('LOGIN_ACTION', $_GET['login_action']);
if (isset($_GET['login_record']))
	$sugar_smarty->assign('LOGIN_RECORD', $_GET['login_record']);

// Retrieve username from the session if possible.

if (isset($_SERVER['REMOTE_USER'])) {
	$login_user_name = str_ireplace(KERB_REALM,'',$_SERVER['REMOTE_USER']);
} elseif(isset($_SESSION["login_user_name"])) {
	if (isset($_REQUEST['default_user_name']))
		$login_user_name = $_REQUEST['default_user_name'];
	else
		$login_user_name = $_SESSION['login_user_name'];
} else {
	if(isset($_REQUEST['default_user_name'])) {
		$login_user_name = $_REQUEST['default_user_name'];
	} elseif(isset($_REQUEST['ck_login_id_20'])) {
		$login_user_name = get_user_name($_REQUEST['ck_login_id_20']);
	} else {
		$login_user_name = $sugar_config['default_user_name'];
	}
	$_SESSION['login_user_name'] = $login_user_name;
}
$sugar_smarty->assign('LOGIN_USER_NAME', $login_user_name);

$mod_strings['VLD_ERROR'] = $GLOBALS['app_strings']["\x4c\x4f\x47\x49\x4e\x5f\x4c\x4f\x47\x4f\x5f\x45\x52\x52\x4f\x52"];

// Retrieve password from the session if possible.
if(isset($_SESSION["login_password"])) {
	$login_password = $_SESSION['login_password'];
} else {
	$login_password = $sugar_config['default_password'];
	$_SESSION['login_password'] = $login_password;
}
$sugar_smarty->assign('LOGIN_PASSWORD', $login_password);

if(isset($_SESSION["login_error"])) {
	$sugar_smarty->assign('LOGIN_ERROR', $_SESSION['login_error']);
}
if(isset($_SESSION["waiting_error"])) {
    $sugar_smarty->assign('WAITING_ERROR', $_SESSION['waiting_error']);
}

if (isset($_REQUEST['ck_login_language_20'])) {
	$display_language = $_REQUEST['ck_login_language_20'];
} else {
	$display_language = $sugar_config['default_language'];
}

if (isset($_REQUEST['ck_login_theme_20'])) {
	$display_theme = $_REQUEST['ck_login_theme_20'];
} else {
	$display_theme = $sugar_config['default_theme'];
}
if (empty($GLOBALS['sugar_config']['passwordsetting']['forgotpasswordON']))
	$sugar_smarty->assign('DISPLAY_FORGOT_PASSWORD_FEATURE','none');

$the_languages = get_languages();
$sugar_smarty->assign('SELECT_LANGUAGE', get_select_options_with_id($the_languages, $display_language));
$sugar_smarty->assign('SELECT_THEME', get_select_options_with_id(SugarThemeRegistry::availableThemes(), $display_theme));
if ( !empty($logindisplay) )
	$sugar_smarty->assign('LOGIN_DISPLAY', $logindisplay);;

//echo get_module_title($mod_strings['LBL_MODULE_NAME'], $mod_strings['LBL_LOGIN'], false);

$sugar_smarty->assign('theme_changed',!empty($_SESSION['theme_changed'])?'true':'false');

// RECAPTCHA
	
	$admin = new Administration();
	$admin->retrieveSettings('captcha');
	$captcha_privatekey = "";
	$captcha_publickey="";
	$captcha_js = "";
	$Captcha='';
	
	// if the admin set the captcha stuff, assign javascript and div		
	if(isset($admin->settings['captcha_on'])&& $admin->settings['captcha_on']=='1' && !empty($admin->settings['captcha_private_key']) && !empty($admin->settings['captcha_public_key'])){
		
			$captcha_privatekey = $admin->settings['captcha_private_key'];
			$captcha_publickey = $admin->settings['captcha_public_key'];
			$captcha_js .="<script type='text/javascript' src='" . getJSPath('include/javascript/sugar_grp1_yui.js') . "'></script><script type='text/javascript' src='" . getJSPath('include/javascript/sugar_grp_yui2.js') . "'></script>
			<script type='text/javascript' src='http://api.recaptcha.net/js/recaptcha_ajax.js'></script>
			<script>
			function initCaptcha(){
			Recaptcha.create('$captcha_publickey' ,'captchaImage',{theme:'custom'});
			}
			window.onload=initCaptcha;
		
			var handleFailure=handleSuccess;
			var handleSuccess = function(o){
				if(o.responseText!==undefined && o.responseText =='Success'){
					generatepwd();
					Recaptcha.reload();
				}
				else{
					if(o.responseText!='')
						document.getElementById('generate_success').innerHTML =o.responseText;
					Recaptcha.reload();
				}
			}
			var callback2 ={ success:handleSuccess, failure: handleFailure };
			
			function validateAndSubmit(){
					var form = document.getElementById('form');
					var url = '&to_pdf=1&module=Home&action=index&entryPoint=Changenewpassword&recaptcha_challenge_field='+Recaptcha.get_challenge()+'&recaptcha_response_field='+ Recaptcha.get_response();
					YAHOO.util.Connect.asyncRequest('POST','index.php',callback2,url);
			}</script>";
		$Captcha.="<tr>
			<td scope='row' width='20%'>".$mod_strings['LBL_RECAPTCHA_INSTRUCTION'].":</td>
		    <td width='70%'><input type='text' size='26' id='recaptcha_response_field' value=''></td>
			
		</tr>
		<tr>		
				 	
		 	<td colspan='2'><div style='margin-left:2px'class='x-sqs-list' id='recaptcha_image'></div></td>
		</tr>
		<tr>
			<td colspan='2' align='right'><a href='javascript:Recaptcha.reload()'>".$mod_strings['LBL_RECAPTCHA_NEW_CAPTCHA']."</a>&nbsp;&nbsp;
			 		<a class='recaptcha_only_if_image' href='javascript:Recaptcha.switch_type(\"audio\")'>".$mod_strings['LBL_RECAPTCHA_SOUND']."</a>
			 		<a class='recaptcha_only_if_audio' href='javascript:Recaptcha.switch_type(\"image\")'> ".$mod_strings['LBL_RECAPTCHA_IMAGE']."</a>
		 	</td>
		</tr>";
		$sugar_smarty->assign('CAPTCHA', $Captcha);
		echo $captcha_js;
	
	}else{
		echo "<script>
		function validateAndSubmit(){generatepwd();}
		</script>";
	}

$sugar_smarty->display('custom/modules/Users/login.tpl'); ?>

Continued below:

[Leendert]

Continued from above:

login.tpl

Code:

<!--
/*********************************************************************************
 * SugarCRM is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004 - 2009 SugarCRM Inc.
 * 
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 * 
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
 * 
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU General Public License version 3.
 * 
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo. If the display of the logo is not reasonably feasible for
 * technical reasons, the Appropriate Legal Notices must display the words
 * "Powered by SugarCRM".
 ********************************************************************************/
/*********************************************************************************

 ********************************************************************************/
-->
<link rel='stylesheet' type="text/css" href='modules/Users/login.css'>
<script type='text/javascript'>
var LBL_LOGIN_SUBMIT = '{$MOD.LBL_LOGIN_SUBMIT}';
var LBL_REQUEST_SUBMIT = '{$MOD.LBL_REQUEST_SUBMIT}';
var LOGIN_USER_NAME = '{$LOGIN_USER_NAME}';

{literal}
function showPasswordBox(){
	var user_id = document.getElementById("user_name").value;
	if (user_id == LOGIN_USER_NAME) {
		document.getElementById("password_row").style.display="none";
	} else {
		document.getElementById("password_row").style.display="table-row";
	}

}
{/literal}

</script>
<!--[if IE 6]>
{literal}
<script type='text/javascript'>
if ( !SUGAR.themes.theme_ie6compat && ( !{/literal}{$theme_changed}{literal} || !Get_Cookie('ie6compatcheck') ) ) {
    alert('{/literal}{$MOD.LBL_IE6COMPAT_CHECK}{literal}');
    Set_Cookie('ie6compatcheck','true',365,'/','','');
    location.href = location.href+'&ck_login_theme_20=SugarIE6&usertheme=SugarIE6';
}
YAHOO.util.Event.onDOMReady(function()
{
    document.getElementById('login_theme').onchange = function()
    {
        if ( !(YAHOO.env.ua.ie > 5 && YAHOO.env.ua.ie < 7) || SUGAR.themes.hasIE6compat(this.value) )
		    document.getElementById('login_theme').value = this.value;    
        else {
            alert('{/literal}{$MOD.LBL_THEME_PICKER_IE6COMPAT_CHECK}{literal}');
            document.getElementById('login_theme').value = 'SugarIE6';
        }
    }
});

</script>
{/literal}
<![endif]-->										
<table cellpadding="0" align="center" width="100%" cellspacing="0" border="0">
	<tr>
		<td>
			<table cellpadding="0"  cellspacing="0" border="0" align="center" width='350px'>
				<tr>
					<td style="padding-bottom: 10px;" ><b>{$MOD.LBL_LOGIN_WELCOME_TO}</b><br>
						<IMG src="include/images/sugar_md.png" alt="Sugar" width="340" height="25">
					</td>
				</tr>
				<tr>
					<td align="center">
						<div class="edit view login">
							<form action="index.php" method="post" name="DetailView" id="form" onsubmit="return document.getElementById('cant_login').value == ''">
								<table cellpadding="0" cellspacing="2" border="0" align="center" width="100%">
									{if $LOGIN_ERROR !=''}
									<tr>
										<td scope="row" colspan="2"><span class="error">{$LOGIN_ERROR}</span></td>
						    	{if $WAITING_ERROR !=''}
							        <tr>
							            <td scope="row" colspan="2"><span class="error">{$WAITING_ERROR}</span></td>
									</tr>
								{/if}
									</tr>
								{else}
									<tr>
										<td scope="row" width='1%'></td>
										<td scope="row"><span id='post_error' class="error"></span></td>
									</tr>
								{/if}
									<tr>
										<td scope="row" colspan="2" width="100%" style="font-size: 12px; padding-bottom: 5px; font-weight: normal;">You have been pre-authenticated as <strong>{$LOGIN_USER_NAME}</strong><br>Press Login to proceed or enter a different user name and password if required.
										<input type="hidden" name="module" value="Users">
										<input type="hidden" name="action" value="Authenticate">
										<input type="hidden" name="return_module" value="Users">
										<input type="hidden" name="return_action" value="Login">
										<input type="hidden" id="cant_login" name="cant_login" value="">
										<input type="hidden" name="login_module" value="{$LOGIN_MODULE}">
										<input type="hidden" name="login_action" value="{$LOGIN_ACTION}">
										<input type="hidden" name="login_record" value="{$LOGIN_RECORD}">
										</td>
									</tr>
									<tr>
										<td scope="row" width="30%">{$MOD.LBL_USER_NAME}:</td>
										<td width="70%"><input type="text" onkeyup='showPasswordBox();' onfocus='this.select();' size='35' tabindex="1" id="user_name" name="user_name"  value='{$LOGIN_USER_NAME}'></td>
									</tr>
									<tr id="password_row" style="display: none">
										<td scope="row">{$MOD.LBL_PASSWORD}:</td>
										<td width="30%"><input type="password" size='26' tabindex="2" id="user_password" name="user_password" value=''></td>
									</tr>
									<tr>
										<td colspan="2" class="login_more"><div  style="cursor: hand; cursor: pointer; display:{$LOGIN_DISPLAY}" onclick='toggleDisplay("more");'><IMG src="index.php?entryPoint=getImage&themeName='+SUGAR.themes.theme_name+'&imageName=advanced_search.gif" border="0" alt="Hide Options" id="more_options">&nbsp;<a href='javascript:void(0)'>{$MOD.LBL_LOGIN_OPTIONS}</a></div>
											<div id='more' style='display: none'>
												<table cellpadding="0" cellspacing="2" border="0" align="center" width="100%">
													<tr>
														<td scope="row" width="30%">{$MOD.LBL_THEME}</td>
														<td width="70%"><select style='width: 152px' name='login_theme' id='login_theme'>{$SELECT_THEME}</select></td>
														</tr>
													<tr>
														<td scope="row">{$MOD.LBL_LANGUAGE}</td>
														<td><select style='width: 152px' name='login_language'>{$SELECT_LANGUAGE}</select></td>
													</tr>
												</table>
											</div>
										</td>
									</tr>
									<tr>
										<td>&nbsp;</td>
										<td><input title="{$MOD.LBL_LOGIN_BUTTON_TITLE}" accessKey="{$MOD.LBL_LOGIN_BUTTON_TITLE}" class="button" type="submit" tabindex="3" id="login_button" name="Login" value="{$MOD.LBL_LOGIN_BUTTON_LABEL}"><br>&nbsp;</td>		
									</tr>
								</table>
							</form>
							<form action="index.php" method="post" name="fp_form" id="fp_form" >
								<table cellpadding="0" cellspacing="2" border="0" align="center" width="100%">
									<tr>
										<td colspan="2" class="login_more">
										<div  style="cursor: hand; cursor: pointer; display:{$DISPLAY_FORGOT_PASSWORD_FEATURE};" onclick='toggleDisplay("forgot_password_dialog");'>
											<IMG src="index.php?entryPoint=getImage&themeName='+SUGAR.themes.theme_name+'&imageName=advanced_search.gif" border="0" alt="Hide Options" id="forgot_password_dialog_options">
											<a href='javascript:void(0)'>{$MOD.LBL_LOGIN_FORGOT_PASSWORD}</a>
										</div>
											<div id="forgot_password_dialog" style="display:none" > 
												<input type="hidden" name="entryPoint" value="GeneratePassword">
												<table cellpadding="0" cellspacing="2" border="0" align="center" width="100%" >
													<tr>
														<td colspan="2">
															<div id="generate_success" class='error' style="display:inline;"> </div>
														</td>
													</tr>
													<tr>
														<td scope="row" width="30%">{$MOD.LBL_USER_NAME}:</td>
														<td width="70%"><input type="text" size='26' id="fp_user_name" name="fp_user_name"  value='{$LOGIN_USER_NAME}'</td>
													</tr>
													<tr>
											            <td scope="row" width="30%">{$MOD.LBL_EMAIL}:</td>
											            <td width="70%"><input type="text" size='26' id="fp_user_mail" name="fp_user_mail"  value='' ></td>
											     	</tr>
													{$CAPTCHA}
													<tr>
													    <td scope="row" width="30%"><div id='wait_pwd_generation'></div></td>
														<td width="70%"><input title="Email Temp Password" class="button" type="button" style="display:inline" onclick="validateAndSubmit(); return document.getElementById('cant_login').value == ''" id="generate_pwd_button" name="fp_login" value="{$MOD.LBL_LOGIN_SUBMIT}"></td>		
													</tr>
												</table>
											</div>
										</td>
									</tr>
								</table>
							</form>
						</div>
					</td>
				</tr>
			</table>
		</td>
	</tr>
</table>
<br>
<br>

[Leendert]

Continued from above:

Finally, to enable this authentication method, add the following line to $sugar_config in config.php

Code:

 'authenticationClass' => 'KerbAuthenticate',

For Basic Auth you can use the same code, but you don't need to strip off the Kerberos realm from the REMOTE_USER variable (mod_auth_kerb generates a username like username@DOMAIN.COM, requiring the @DOMAIN.COM to be stripped off).