Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
AD / LDAP Authentication
#1
Hi All,

I would like to authenticate users in corebos to our AD.

I am following the documentation at https://corebos.com/documentation/doku.php?id=en:adminmanual:users_auth

When I set the Global variable 'User_AuthenticationType' to 'AD', I get an error 'Active Directory Query not yet implemented' on the 'New User' page when trying to query the user.

If I set the Global variable 'User_AuthenticationType' to 'LDAP', on the 'New User' page, I can query the user successfully - But it populates the corebos field 'User Name' with the users Full Name, instead of the AD field samAccountName (username in AD)

After creating the user, if I set 'User_AuthenticationType' either to 'AD' or 'LDAP', I cannot login to corebos successfully. I get an error in vtiger.log :

Code:
ERROR PearDatabase_ Rows Returned:0 More than 1 row returned for SELECT * from vtiger_users where user_name=? AND user_password=? AND COALESCE(failed_login_attempts,0)

With debug set in log4php.properties - When logging in, I cannot see anything about contacting AD or LDAP server.

running the php adldap_test.php works successfully.
Reply
#2
in modules/Users/Users.php

Code:
public function doLogin($user_password) {
        $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL');
        if ($this->is_admin) {
            $authType = 'SQL'; // admin users always login locally
        }

        $usr_name = $this->column_fields["user_name"];

        switch (strtoupper($authType)) {

$authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL');
Always returns the default value of 'SQL' because there is noone logged in yet.

If I hardcode $authType = 'AD'; I can log in successfully using Active Directory - YAY!

But, I lose ability to login as local admin because if ($this->is_admin) { does not work until after login!

So I ended up with :

Code:
public function doLogin($user_password) {
        $authType = "AD";
        $usr_name = strtolower($this->column_fields["user_name"]);

        if ($usr_name == 'admin') {
            $authType = 'SQL'; // admin users always login locally
        }

        switch (strtoupper($authType)) {

Currently I have Global variable 'User_AuthenticationType' set to 'LDAP', so that I can use the user import feature - which still does not work perfectly, I will look at that next...
Reply
#3
thank you for catching this bug. I made this change:

Code:
diff --git a/modules/Users/Users.php b/modules/Users/Users.php

index dad64c4c2..6b65a9e73 100644
--- a/modules/Users/Users.php
+++ b/modules/Users/Users.php
@@ -280,7 +280,14 @@ class Users extends CRMEntity {
         * @return true if the user is authenticated, false otherwise
         */
        public function doLogin($user_password) {
-               $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL');
+               $result = $this->db->pquery('select id from vtiger_users where user_name=?', array($this->column_fields['user_name']));
+               if ($result && $this->db->num_rows($result)==1) {
+                       $row = $this->db->fetchByAssoc($result);
+                       $userid = $row['id'];
+               } else {
+                       return false;
+               }
+               $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL', 'Users', $userid);
                if ($this->is_admin) {
                        $authType = 'SQL'; // admin users always login locally
                }


can you validate it works before I commit it?

I would also invite you to join the corebos gitter channel, there is at least one user there who has LDAP working so you can discuss the changes he made.

I will try to help all I can.
Joe
TSolucio
Reply
#4
Code:
if ($this->is_admin) {
  $authType = 'SQL'; // admin users always login locally
}
I would like users authenticated by AD/LDAP to be able to be admin too - This would only allow SQL users to be admin.

In the PDF, linked on the doc page at : http://corebos.com/documentation/lib/exe/fetch.php?media=en:adminmanual:vtiger-ldap-integration-v1.0.pdf

There is the following line in include/ldap/config.ldap.php :
Code:
$AUTHCFG['sql_account'] = array('admin', 'sqluser');

This applies to more than just LDAP - so maybe it could be in config.inc.php?

Code:
        $usr_name = $this->column_fields["user_name"];
        $result = $this->db->pquery('select id from vtiger_users where user_name=?', array($usr_name));
        if ($result && $this->db->num_rows($result)==1) {
                $row = $this->db->fetchByAssoc($result);
                $userid = $row['id'];
        } else {
                return false;
        }
        $authType = GlobalVariable::getVariable('User_AuthenticationType', 'SQL', 'Users', $userid);        
        
        $sql_auth_users = array('admin','sqluser'); // Move to config.inc.php?
        
        if (in_array($usr_name, $sql_auth_users)) {
            $this->log->debug("$usr_name exists in sql_auth_users, so using SQL Authentication");
            $authType = 'SQL';
        }
Reply
#5
We don't use config.inc.php in order to avoid conflicts. For example, if we add it there now, we would force every corebos install to manually update their config.inc.php file and  we couldn't add the change in git.

Either we create new GVs or we create an integration page if the settings require more than one/two variables.

In this case I would create a new variable named User_MandatoryAuthenticationSQL and do something like


Code:
$sql_auth_users = GlobalVariable::getVariable('User_MandatoryAuthenticationSQL', 'admin', 'Users', $userid);
$sql_auth_users = explode(',', $sql_auth_users);
if (in_array($usr_name, $sql_auth_users)) {
   $this->log->debug("$usr_name exists in sql_auth_users, so using SQL Authentication");
  $authType = 'SQL';
}


I understand that the change I made above retrieves the correct Global Variable value?  That worked?
Joe
TSolucio
Reply
#6
I would appreciate if you could make a PR with those changes once you get it working
Joe
TSolucio
Reply
#7
(08-28-2019, 11:24 PM)joebordes Wrote: I understand that the change I made above retrieves the correct Global Variable value?  That worked?

Yes, it worked correctly!


(08-28-2019, 11:24 PM)joebordes Wrote: I would appreciate if you could make a PR with those changes once you get it working

OK, I will keep testing and create a PR once done..
Reply


Forum Jump:


Users browsing this thread: