
LDAP:  Active Directory and group membership support

Question asked by Cameron Oltmann on Oct 16, 2015
Latest reply on Oct 17, 2015 by Julio Gomes
Yesterday I set up LDAP auth to connect our local install of SugarCRM Community Edition to Active Directory.  Everything went fairly smoothly until it came time to set up group membership restrictions.  I couldn't find any reference to the proper settings online, and even when I figured them out it still didn't work.  I found this was ultimately caused by a problem in LDAPAuthenticateUser.php - the user's distinguished name was being compared to the first letter of each group member's distinguished name.  This obviously will never result in a match.

Our SugarCRM install is version 6.5.8.  These issues may be fixed with more recent versions (hopefully yes?), but as of 6.5.8 group membership doesn't work out of the box.

For those trying to do this going forward, here are the settings that worked for me, and the patch I had to apply to LDAPAuthenticateUser.php to make it work:

Group Membership Settings:
  • Group DN:  As described in docs (eg OU=Security Groups,DC=DOMAIN,DC=local)
  • Group Name:  As described in docs (eg cn=SugarCRM)
  • User Attribute: dn
  • Group Attribute:  member
Patch:
--- LDAPAuthenticateUser.php 2015-10-15 18:34:52.360207520 -0700
+++ LDAPAuthenticateUser.php-n 2015-10-15 18:35:50.136207480 -0700
@@ -183,7 +183,7 @@       }       //user is not a member of the group if the count is zero get the logs and return no id so it fails login  -    if(!isset($user_uid[0]) || ldap_count_entries($ldapconn, ldap_search($ldapconn,$GLOBALS['ldap_config']->settings['ldap_group_name'] . ",". $GLOBALS['ldap_config']->settings['ldap_group_dn']  ,"($group_attr=" . $user_uid[0] . ")")) ==  0){  +    if(!isset($user_uid) || ldap_count_entries($ldapconn, ldap_search($ldapconn,$GLOBALS['ldap_config']->settings['ldap_group_name'] . ",". $GLOBALS['ldap_config']->settings['ldap_group_dn']  ,"($group_attr=" . $user_uid . ")")) ==  0){        $GLOBALS['log']->fatal("ldapauth: User ($name) is not a member of the LDAP group");        $user_id = var_export($user_uid, true);        $GLOBALS['log']->debug("ldapauth: Group DN:{$GLOBALS['ldap_config']->settings['ldap_group_dn']} Group Name: " . $GLOBALS['ldap_config']->settings['ldap_group_name']  . " Group Attribute: $group_attr  User Attribute: $group_user_attr :(" . $user_uid[0] . ")");
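Review bot: the `+` line drops the `[0]` index on `$user_uid` unconditionally, which is correct when User Attribute is `dn` (a string, so `$user_uid[0]` was only its first character) but will break if `$user_uid` is ever an array, which the original `[0]` suggests was the case the code was written for; normalising once before the `if`, e.g. `$uid = is_array($user_uid) ? $user_uid[0] : $user_uid;`, and then using `$uid` in the filter covers both. Two smaller points on the same hunk: the unchanged debug line after the `+` line still logs `$user_uid[0]`, so with this patch it will print a single character, and the filter `"($group_attr=" . $user_uid . ")"` is built by plain concatenation, so a DN containing `(`, `)`, `*` or `\` yields a malformed or over-broad filter; passing the value through `ldap_escape($user_uid, '', LDAP_ESCAPE_FILTER)` (PHP 5.6+) keeps the membership comparison exact.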
(The formatting makes it all look confusing, but it will copy/paste just fine)

Hopefully someone finds this helpful.  I know it would've saved me a bunch of time to have this info available at the start.
