AD / LDAP Authentication - Printable Version

AD / LDAP Authentication - Printable Version

+- CoreBOSBB (https://discussions.corebos.org)
+-- Forum: Support (https://discussions.corebos.org/forumdisplay.php?fid=17)
+--- Forum: Administrator Support (https://discussions.corebos.org/forumdisplay.php?fid=8)
+--- Thread: AD / LDAP Authentication (/showthread.php?tid=1558)

AD / LDAP Authentication - gaardam - 08-26-2019

Hi All,

I would like to authenticate users in corebos to our AD.

I am following the documentation at https://corebos.com/documentation/doku.php?id=en:adminmanual:users_auth

When I set the Global variable 'User_AuthenticationType' to 'AD', I get an error 'Active Directory Query not yet implemented' on the 'New User' page when trying to query the user.

If I set the Global variable 'User_AuthenticationType' to 'LDAP', on the 'New User' page, I can query the user successfully - But it populates the corebos field 'User Name' with the users Full Name, instead of the AD field samAccountName (username in AD)

After creating the user, if I set 'User_AuthenticationType' either to 'AD' or 'LDAP', I cannot login to corebos successfully. I get an error in vtiger.log :

Code:

ERROR PearDatabase_ Rows Returned:0 More than 1 row returned for SELECT * from vtiger_users where user_name=? AND user_password=? AND COALESCE(failed_login_attempts,0)

With debug set in log4php.properties - When logging in, I cannot see anything about contacting AD or LDAP server.

running the php adldap_test.php works successfully.

RE: AD / LDAP Authentication - gaardam - 08-28-2019

in modules/Users/Users.php

Code:

public function doLogin($user_password) {

        $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL');

        if ($this->is_admin) {

            $authType = 'SQL'; // admin users always login locally

        }

        $usr_name = $this->column_fields["user_name"];

        switch (strtoupper($authType)) {

$authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL');
Always returns the default value of 'SQL' because there is noone logged in yet.

If I hardcode $authType = 'AD'; I can log in successfully using Active Directory - YAY!

But, I lose ability to login as local admin because if ($this->is_admin) { does not work until after login!

So I ended up with :

Code:

public function doLogin($user_password) {

        $authType = "AD";

        $usr_name = strtolower($this->column_fields["user_name"]);

        if ($usr_name == 'admin') {

            $authType = 'SQL'; // admin users always login locally

        }

        switch (strtoupper($authType)) {

Currently I have Global variable 'User_AuthenticationType' set to 'LDAP', so that I can use the user import feature - which still does not work perfectly, I will look at that next...

RE: AD / LDAP Authentication - joebordes - 08-28-2019

thank you for catching this bug. I made this change:

Code:

diff --git a/modules/Users/Users.php b/modules/Users/Users.php

index dad64c4c2..6b65a9e73 100644

--- a/modules/Users/Users.php

+++ b/modules/Users/Users.php

@@ -280,7 +280,14 @@ class Users extends CRMEntity {

         * @return true if the user is authenticated, false otherwise

         */

        public function doLogin($user_password) {

-               $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL');

+               $result = $this->db->pquery('select id from vtiger_users where user_name=?', array($this->column_fields['user_name']));

+               if ($result && $this->db->num_rows($result)==1) {

+                       $row = $this->db->fetchByAssoc($result);

+                       $userid = $row['id'];

+               } else {

+                       return false;

+               }

+               $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL', 'Users', $userid);

                if ($this->is_admin) {

                        $authType = 'SQL'; // admin users always login locally

                }

can you validate it works before I commit it?

I would also invite you to join the corebos gitter channel, there is at least one user there who has LDAP working so you can discuss the changes he made.

I will try to help all I can.

RE: AD / LDAP Authentication - gaardam - 08-28-2019

Code:

if ($this->is_admin) {

  $authType = 'SQL'; // admin users always login locally

}

I would like users authenticated by AD/LDAP to be able to be admin too - This would only allow SQL users to be admin.

In the PDF, linked on the doc page at : http://corebos.com/documentation/lib/exe/fetch.php?media=en:adminmanual:vtiger-ldap-integration-v1.0.pdf

There is the following line in include/ldap/config.ldap.php :

Code:

$AUTHCFG['sql_account'] = array('admin', 'sqluser');

This applies to more than just LDAP - so maybe it could be in config.inc.php?

Code:

        $usr_name = $this->column_fields["user_name"];

        $result = $this->db->pquery('select id from vtiger_users where user_name=?', array($usr_name));

        if ($result && $this->db->num_rows($result)==1) {

                $row = $this->db->fetchByAssoc($result);

                $userid = $row['id'];

        } else {

                return false;

        }

        $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL', 'Users', $userid);        

        $sql_auth_users = array('admin','sqluser'); // Move to config.inc.php?

        if (in_array($usr_name, $sql_auth_users)) {

            $this->log->debug("$usr_name exists in sql_auth_users, so using SQL Authentication");

            $authType = 'SQL'; 

        }

RE: AD / LDAP Authentication - joebordes - 08-28-2019

We don't use config.inc.php in order to avoid conflicts. For example, if we add it there now, we would force every corebos install to manually update their config.inc.php file and we couldn't add the change in git.

Either we create new GVs or we create an integration page if the settings require more than one/two variables.

In this case I would create a new variable named User_MandatoryAuthenticationSQL and do something like

Code:

$sql_auth_users = GlobalVariable::getVariable('User_MandatoryAuthenticationSQL', 'admin', 'Users', $userid); 

$sql_auth_users = explode(',', $sql_auth_users);

if (in_array($usr_name, $sql_auth_users)) {

   $this->log->debug("$usr_name exists in sql_auth_users, so using SQL Authentication");

   $authType = 'SQL'; 

}

I understand that the change I made above retrieves the correct Global Variable value? That worked?

RE: AD / LDAP Authentication - joebordes - 08-28-2019

I would appreciate if you could make a PR with those changes once you get it working

RE: AD / LDAP Authentication - gaardam - 08-28-2019

(08-28-2019, 11:24 PM)joebordes Wrote: I understand that the change I made above retrieves the correct Global Variable value? That worked?

Yes, it worked correctly!

(08-28-2019, 11:24 PM)joebordes Wrote: I would appreciate if you could make a PR with those changes once you get it working

OK, I will keep testing and create a PR once done..