vTiger CRM can authenticate users against LDAP or Active Directory, but the feature is almost undocumented. The following article describes the configuration in detail.

Environment

I’ve tested this with vTiger CRM 6.0.0 on CentOS 6.5.
The Active Directory runs at the 2012 R2 functional level on two Windows Server 2012 R2 domain controllers.

Requirements

First of all you need LDAP support for PHP, plus the LDAP command-line tools used for testing further down:

yum install php-ldap openldap openldap-clients (RHEL/CentOS; openldap-clients provides ldapsearch)
aptitude install php5-ldap ldap-utils (Debian; ldap-utils provides ldapsearch)

adLDAP Module

Active Directory support in vTiger CRM is based on the adLDAP module. It provides Active Directory connectivity out of the box.

Project Website: http://adldap.sourceforge.net/download.php

Installation

Assuming your vTiger CRM installation's www-root is /var/www/html/crm, do the following to install adLDAP support:

wget http://downloads.sourceforge.net/project/adldap/adLDAP/adLDAP_4.0.4/adLDAP_4.0.4r2.zip
unzip adLDAP_4.0.4r2.zip
cd adLDAP/src
mkdir -p /var/www/html/crm/modules/Users/authTypes/ 
cp -R * /var/www/html/crm/modules/Users/authTypes/
chown -R root:root /var/www/html/crm/modules/Users/authTypes/

Configuration

adLDAP is configured directly in the adLDAP.php class (ugh!). Open it and customise the settings for your environment. The following settings are what a 2012 R2 Active Directory needs.

...
class adLDAP {

    /**
     * Define the different types of account in AD
     */
    const ADLDAP_NORMAL_ACCOUNT = 805306368;
    const ADLDAP_WORKSTATION_TRUST = 805306369;
    const ADLDAP_INTERDOMAIN_TRUST = 805306370;
    const ADLDAP_SECURITY_GLOBAL_GROUP = 268435456;
    const ADLDAP_DISTRIBUTION_GROUP = 268435457;
    const ADLDAP_SECURITY_LOCAL_GROUP = 536870912;
    const ADLDAP_DISTRIBUTION_LOCAL_GROUP = 536870913;
    const ADLDAP_FOLDER = 'OU';
    const ADLDAP_CONTAINER = 'CN';

    /**
     * The default port for LDAP non-SSL connections
     */
    const ADLDAP_LDAP_PORT = '389';
    /**
     * The default port for LDAPS SSL connections
     */
    const ADLDAP_LDAPS_PORT = '636';

    /**
     * The account suffix for your domain, can be set when the class is invoked
     *
     * @var string
     */
    protected $accountSuffix = "@cortoso.com";

    /**
     * The base dn for your domain
     *
     * If this is set to null then adLDAP will attempt to obtain this automatically from the rootDSE
     *
     * @var string
     */
    protected $baseDn = "";

    /**
     * Port used to talk to the domain controllers.
     *
     * @var int
     */
    protected $adPort = self::ADLDAP_LDAP_PORT;
    /**
     * Array of domain controllers. Specify multiple controllers if you
     * would like the class to balance the LDAP queries amongst multiple servers
     *
     * @var array
     */
    protected $domainControllers = array("dc01.cortoso.com", "dc02.cortoso.com");

    /**
     * Optional account with higher privileges for searching
     * This should be set to a domain admin account
     *
     * @var string
     * @var string
     */
    protected $adminUsername = "ldap-binduser";
    protected $adminPassword = "super-password";

    /**
     * AD does not return the primary group. http://support.microsoft.com/?kbid=321360
     * This tweak will resolve the real primary group.
     * Setting to false will fudge "Domain Users" and is much faster. Keep in mind though that if
     * someone's primary group is NOT domain users, this is obviously going to mess up the results
     *
     * @var bool
     */
    protected $realPrimaryGroup = false;

    /**
     * Use SSL (LDAPS), your server needs to be setup, please see
     * http://adldap.sourceforge.net/wiki/doku.php?id=ldap_over_ssl
     *
     * @var bool
     */
    protected $useSSL = false;

    /**
     * Use TLS
     * If you wish to use TLS you should ensure that $useSSL is set to false and vice-versa
     *
     * @var bool
     */
    protected $useTLS = true;

    /**
     * Use SSO
     * To indicate to adLDAP to reuse password set by the browser through NTLM or Kerberos
     *
     * @var bool
     */
    protected $useSSO = false;

    /**
     * When querying group memberships, do it recursively
     * eg. User Fred is a member of Group A, which is a member of Group B, which is a member of Group C
     * user_ingroup("Fred","C") will return true with this option turned on, false if turned off
     *
     * @var bool
     */
    protected $recursiveGroups = true;

    ...
?>

Hints

  • configure multiple domain controllers to avoid a single point of failure
  • the host names you configure for the domain controllers must match a DNS name in their certificates (a subject alternative name, or the CN for older certificates); use the FQDN, never an IP address, or the TLS handshake fails with a name mismatch
  • use TLS (STARTTLS on 389) or LDAPS (636) so that user names and passwords do not cross the network in clear text
  • create a dedicated account for LDAP binding, without any further permissions and with a long random password that is set to never expire (configure it in adLDAP with the adminUsername and adminPassword parameters); despite the comment in the class, a domain admin is not needed just to look up users
  • adLDAP.php now contains that password in clear text: make it readable only by root and the web server user (for example chown root:apache and chmod 640 on CentOS, www-data instead of apache on Debian)

OpenLDAP Configuration

If you use SSL or TLS, the OpenLDAP client library (libldap, which php-ldap and therefore adLDAP use) must trust the domain controllers' certificates. Make sure you have a corporate certificate authority and issue certificates for all of your domain controllers. (Sounds horrible, but it is quite easy if you just install an Active Directory integrated certificate authority as a Windows Server role.) You will then need to export the CA certificate and import it into the OpenLDAP client's trust store.

Export CA Certificate

Use the Windows Certificate Management Console to export the CA certificate Base-64 encoded. If you installed the CA web enrollment feature, just visit http://your-dc/certsrv/certcarc.asp, choose the Base-64 format and click "Download CA certificate".

Import CA Certificate for OpenLDAP

On RHEL-based systems OpenLDAP uses /etc/openldap/certs as its default location for trusted CA certificates. Put the exported certificate file there.

Ensure that the path is configured in /etc/openldap/ldap.conf (RHEL) or /etc/ldap/ldap.conf (Debian), either as a file or as a folder. The folder variant sometimes does not work: on RHEL 6, libldap is built against Mozilla NSS, and for NSS TLS_CACERTDIR names a certificate database directory (cert8.db and friends), so a loose PEM file dropped there is ignored, while TLS_CACERT pointing at the file always works.

TLS_CACERT /etc/openldap/certs/cortoso-ca.cer
TLS_CACERTDIR /etc/openldap/certs/

Test adLDAP

Ldapsearch

With ldapsearch you can test encrypted LDAP, e.g. LDAPS on port 636, like this:

ldapsearch -H "ldaps://dc01.cortoso.com" -b "" -s base -Omaxssf=0
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
	additional info: SASL(-4): no mechanism available:

The TLS connection is established, but we haven't supplied any authentication (without -x, ldapsearch tries a SASL bind), so the error is expected. Add -x for a simple anonymous bind and the rootDSE query actually returns data, since AD lets anyone read the rootDSE. The adLDAP settings above use STARTTLS on port 389 rather than LDAPS, so test that path as well; -ZZ makes ldapsearch fail unless STARTTLS succeeds: ldapsearch -H "ldap://dc01.cortoso.com" -ZZ -x -b "" -s base. If you face any problems, add "-d7" to get some debugging output.
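The same check done through php-ldap, the library adLDAP sits on, as an added example that is not part of the article or of adLDAP. It probes each domain controller the way the adLDAP settings above do (STARTTLS on 389; LDAPS on 636 when called with $useSsl = true), reads the rootDSE anonymously and prints the libldap error text, so a missing CA or a certificate name mismatch shows up as a TLS error rather than as the generic "Bind to Active Directory failed" that adLDAP reports. It honours TLS_CACERT from the same ldap.conf as ldapsearch. The host names are the article's example names and are assumptions.

```php
<?php
// Added example, not from the article or adLDAP: probe the TLS trust path
// to each domain controller with php-ldap, which is what adLDAP uses.
$domainControllers = array('dc01.cortoso.com', 'dc02.cortoso.com');  // assumed, as in the article

/**
 * Connect to $host and secure the connection the way adLDAP does:
 * STARTTLS on 389 ($useTls) or LDAPS on 636 ($useSsl). Then read the
 * rootDSE anonymously. Returns array(bool $ok, string $detail).
 */
function probeDomainController($host, $useSsl = false, $useTls = true)
{
    $uri  = $useSsl ? "ldaps://$host:636" : "ldap://$host:389";
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return array(false, "ldap_connect() rejected $uri");
    }
    // LDAPv3 is required for STARTTLS; referrals are disabled because AD
    // hands out referrals for partitions we do not need.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // This is the step that fails when the DC certificate is not trusted
    // or its name does not match $host; ldap_error() names the TLS error.
    if ($useTls && !$useSsl && !@ldap_start_tls($conn)) {
        return array(false, "STARTTLS to $host failed: " . ldap_error($conn));
    }

    // Anonymous simple bind: the rootDSE is readable without credentials.
    if (!@ldap_bind($conn)) {
        return array(false, "anonymous bind to $host failed: " . ldap_error($conn));
    }
    $sr = @ldap_read($conn, '', '(objectClass=*)',
                     array('defaultNamingContext', 'dnsHostName'));
    if ($sr === false) {
        return array(false, "rootDSE read on $host failed: " . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $sr);
    ldap_unbind($conn);
    if ($entries['count'] < 1) {
        return array(false, "rootDSE on $host returned no entry");
    }
    // ldap_get_entries() lower-cases attribute names.
    $dnsName = isset($entries[0]['dnshostname'][0]) ? $entries[0]['dnshostname'][0] : '?';
    $baseDn  = isset($entries[0]['defaultnamingcontext'][0]) ? $entries[0]['defaultnamingcontext'][0] : '?';
    // A DC that calls itself something other than the configured host name
    // is the usual reason for a certificate name mismatch.
    return array(true, "$host: dnsHostName=$dnsName defaultNamingContext=$baseDn");
}

foreach ($domainControllers as $dc) {
    // STARTTLS on 389, matching useTLS = true / useSSL = false in adLDAP.php
    list($ok, $detail) = probeDomainController($dc, false, true);
    echo ($ok ? "OK   " : "FAIL ") . $detail . "\n";
}
```

Run it from the shell with php; every controller listed in adLDAP.php should report OK, and its dnsHostName should be exactly the name you configured, since that is the name the certificate is checked against. Call probeDomainController($dc, true, false) instead if you switch adLDAP to useSSL.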

PHP Test Script

To test adLDAP it is much easier to write a small PHP snippet than to go through vTiger CRM directly. Create a small adldap_test.php file in the same directory as adLDAP.php, with the following content:

<?php

require_once(dirname(__FILE__) . '/adLDAP.php');

// The account to test. This file holds a clear-text password:
// remove it as soon as you are done testing.
$testUser     = 'user-to-authenticate';
$testPassword = 'users-password';

try {
    // The constructor already binds with adminUsername/adminPassword
    // and throws if the bind (or the TLS handshake before it) fails.
    $adldap = new adLDAP();
} catch (adLDAPException $e) {
    echo $e;
    exit(1);
}

$authUser = $adldap->authenticate($testUser, $testPassword);
if ($authUser == true) {
    echo "User authenticated successfully\n";
} else {
    // getLastError is not needed, but may be helpful for finding out why:
    echo $adldap->getLastError() . "\n";
    echo "User authentication unsuccessful\n";
}

// The first argument is the sAMAccountName to look up. Passing a literal
// such as 'ldap' here leaves displayName and mail empty.
$result = $adldap->user()->infoCollection($testUser, array("*"));
if ($result !== false) {
    echo "User: " . $result->displayName . "\n";
    echo "Mail: " . $result->mail . "\n";
}

?>

Replace the user name and password with those of the user you want to test, and run it from the shell:

php adldap_test.php

It should state success and output the username and mail address if available.

To make sure it also works in the Apache web server context, you may also open it in a browser or fetch it with curl:

curl http://10.10.0.2/crm/modules/Users/authTypes/adldap_test.php

Delete adldap_test.php as soon as you are done: it holds a clear-text password and, as the URL shows, sits inside the web root where anyone who can reach the CRM can fetch it.

vTiger CRM Configuration

vTiger needs a local user for every Active Directory user who is allowed to log in this way; this provides the internal user entity for those "remote users", and the mapping is done by user name (the vTiger user name must equal the AD sAMAccountName). First, log in as the admin user and create a local account for the AD user who will administrate your vTiger CRM. The local password does not matter at all, since the user is authenticated by AD. You could use the domain administrator account, which would require creating a user named "administrator", but a web application should not be handling Domain Admin credentials; create a dedicated AD account for the CRM administrator instead.

Afterwards, enable AD authentication in vTiger CRM by editing /var/www/html/crm/config.php:

<?php 
   include('config.inc.php'); 
   $AUTHCFG['authType'] = 'AD'; 
?>

 

Finally you should be able to log in with an AD user for whom a local vTiger user of the same name exists.
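Because vTiger maps an AD login to a local user by user name only, a local vTiger user stays usable as long as some AD account with that sAMAccountName can bind, whoever holds it. The reconciliation script below, an added example that is not part of the article, of adLDAP or of vTiger, walks the vtiger_users table and reports for each local user whether the AD account exists, is enabled and is in the group that is allowed to use the CRM, so stale local accounts can be disabled. The database DSN and credentials, the AD group name CRM-Users and the path to adLDAP.php are assumptions to adapt; adLDAP is assumed to be configured as described above.

```php
<?php
// Added example, not from the article, adLDAP or vTiger: reconcile the
// local vTiger user list against Active Directory via adLDAP.
require_once('/var/www/html/crm/modules/Users/authTypes/adLDAP.php');  // path from the article

$dsn      = 'mysql:host=localhost;dbname=vtigercrm';  // assumed
$dbUser   = 'vtiger';                                 // assumed
$dbPass   = 'database-password';                      // assumed
$crmGroup = 'CRM-Users';                              // assumed AD group of allowed CRM users

// userAccountControl flag for a disabled account (Microsoft's name for the bit).
define('ADS_UF_ACCOUNTDISABLE', 0x0002);

/**
 * Classify one vTiger user name against AD. Returns one of
 * 'ok', 'missing-in-ad', 'disabled-in-ad', 'not-in-group'.
 */
function classifyUser(adLDAP $adldap, $username, $group)
{
    // info() searches by sAMAccountName and returns the raw ldap_get_entries()
    // array; count is 0 when no such account exists.
    $info = $adldap->user()->info($username, array('samaccountname', 'useraccountcontrol'));
    if ($info === false || $info['count'] < 1) {
        return 'missing-in-ad';
    }
    $uac = (int) $info[0]['useraccountcontrol'][0];
    if ($uac & ADS_UF_ACCOUNTDISABLE) {
        return 'disabled-in-ad';
    }
    // inGroup() follows nested groups when recursiveGroups is true in adLDAP.php.
    if (!$adldap->user()->inGroup($username, $group)) {
        return 'not-in-group';
    }
    return 'ok';
}

try {
    $adldap = new adLDAP();  // binds with the configured bind user
} catch (adLDAPException $e) {
    fwrite(STDERR, $e . "\n");
    exit(1);
}

$db = new PDO($dsn, $dbUser, $dbPass);
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// vtiger_users holds one row per local user; status is 'Active' or 'Inactive'.
$rows = $db->query("SELECT user_name, status FROM vtiger_users")->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    $verdict = classifyUser($adldap, $row['user_name'], $crmGroup);
    // An Active local user whose AD side is gone, disabled or outside the
    // group is the case to act on: set it to Inactive in vTiger, otherwise a
    // later AD account with the same name inherits the CRM access.
    $flag = ($row['status'] === 'Active' && $verdict !== 'ok') ? '  <-- review' : '';
    printf("%-20s %-8s %s%s\n", $row['user_name'], $row['status'], $verdict, $flag);
}
```

Run it from the shell as a user that may read adLDAP.php. Every row marked "review" is a local account that AD no longer vouches for; the script only reports and leaves the decision to you.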

  • Vtiger user

4 August 2014 • Reply

    I've followed your tutorial (it works now!) but I am wondering if SSO (single sign-on) is also available for vtiger version 6?
    Thanks in advance

    • Marco

4 August 2014 • Reply

Hi, great to hear that there is anybody using this. It was a pain to get it running. I'm not using SSO right now and have no idea how to handle it. Would be interesting if you find out.

      • Vtiger user

5 August 2014 • Reply

        I've found a tutorial on https://www.dokuwiki.org/auth:ad (section: NTLM on Apache (Linux)) which works partially. That script sets the $_SERVER['REMOTE_USER'] variable, but doesn't log you in to vtiger. Do you know how to fix the auto login?

  • fabrizio

2 October 2014 • Reply

Hi! I'm sorry for my English. I follow your guide but when I test the script I obtain only "User authenticated successfully User: Mail:". Can you help me?
    regards

    • dodino

9 December 2014 • Reply

      me too.

      • Marco

18 December 2014 • Reply

        What exactly?

  • paul

23 July 2015 • Reply

    I got it to work pretty much exactly as you described. I had to reboot to get the PHP AD stuff to start running.

    For some reason I can't type in lower case.

  • vali

17 November 2015 • Reply

Hi, on test I'm getting this:
    "User authenticated successfully User: Mail: "

so when I try to log in I am redirected back to the login page.
    please help

    thank you

    • Marco

17 November 2015 • Reply

      How should I? Your post doesn't contain that much of useful information. The only thing I would like to point you to is the rather strange log output.

      • vali

17 November 2015 • Reply

Can this help? Log from Apache:
        [:error] [pid 1227] [client XXX.XXX.XXX.XXX:63064] #0 /var/www/html/vtigercrm/includes/main/WebUI.php(174): Vtiger_WebUI->checkLogin(Object(Vtiger_Request))\n#1 /var/www/html/vtigercrm/index.php(18): Vtiger_WebUI->process(Object(Vtiger_Request))\n#2 {main}, referer: http://XXX.XXX.XXX.XXX/vtigercrm/index.php?module=Users&parent=Settings&view=Login&error=1

  • Braybaut

6 January 2016 • Reply

    Hello

Does this work for vtiger crm 6.4??

Or only vtiger 6.0?

  • Braybaut

7 January 2016 • Reply

Does this work using OpenLDAP??

    • Marco

15 February 2016 • Reply

      I can't say anything about it. Sorry.

  • PATRICK

20 October 2016 • Reply

Hi everybody,

I also get only null feedback when testing:

# php adldap_test.php
User authenticated successfully
User:
Mail:

Any ideas what the problem could be? I also get "unsuccessful" feedback when I test with a wrong password. So authentication is working but the attribute matching is not working.
I am using a 2008R2 Active Directory.
Is the script compatible with it?
Appreciate your feedback

    • Marco

20 October 2016 • Reply

      If you look at the adldap_test.php script, the user and mail properties should be contained within the result. You could try to print the entire result to see if the property names changed.

  • Christian

16 March 2017 • Reply

For those who are stuck with an empty displayName and an empty email in the test script:
    $result=$adldap->user()->infoCollection('user-to-OUTPUT', array("*"));

Here's the method's documentation block:
    /**
    * Find information about the users. Returned in a raw array format from AD
    *
    * @param string $username The username to query
    * @param array $fields Array of parameters to query
    * @param bool $isGUID Is the username passed a GUID or a samAccountName
    * @return mixed
    */

    Greetings
    Christian

