Announcement

Collapse
No announcement yet.

Fallback authentication mechanism when LDAP fails

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Fallback authentication mechanism when LDAP fails

    Is there a way to make the Espo authentication mechanism the fallback method for the times when LDAP fails? I'm also interested in this so I can separate some of my users from the LDAP configuration. The majority of my users are part of the main LDAP configuration because they are internal employees, but we also allow subcontractors to access our CRM system and adding them to the LDAP system is not a possibility. It would be really helpful if the authentication mechanism would say "I didn't find anything in LDAP... let me try Espo".

    This is the relevant code. Could the other implementation be used if the first one fails?

    PHP Code:
    229 $authenticationImpl $this->getAuthenticationImpl($authenticationMethod);
    230
    231 $params 
    = [
    232 'isPortal' => $this->isPortal(),
    233 ];
    234
    235 $loginResultData 
    = [];
    236
    237 $user 
    $authenticationImpl->login($username$password$authToken$params$this->request$loginResultData); 

  • #2
    This is not a long term solution at all, but it solved my most immediate issue:
    Code:
    diff --git a/application/Espo/Core/Utils/Auth.php b/application/Espo/Core/Utils/Auth.php
    index 03c8a24b..626c14db 100644
    --- a/application/Espo/Core/Utils/Auth.php
    +++ b/application/Espo/Core/Utils/Auth.php
    @@ -243,7 +243,18 @@ class Auth
    }
    
    if (!$user) {
    -   return;
    +   $authenticationImpl = $this->getAuthenticationImpl("Espo");
    +   $params = [ 'isPortal' => $this->isPortal(), ];
    +   $loginResultData = [];
    +   $user = $authenticationImpl->login($username, $password, $authToken, $params, $this->request, $loginResultData);
    +   $authLogRecord = null;
    +   if (!$authTokenIsFound) {
    +     $authLogRecord = $this->createAuthLogRecord($username, $user, $authenticationMethod);
    +   }
    +
    +   if (!$user) {
    +     return;
    +   }
    }
    Basically, if LDAP authentication fails, it will use the Espo method. If that fails, it will do what it did before - return.

    Comment


    • #3
      Gotta bring your post back from the dead here for a moment... Hopefully get some proper attention for my issue too.

      Is this still the best solution for when you have an individual user account that you want to bypass LDAP authentication? We have an application user that we don't want in our AD but we need to be able to authenticate into the CRM.

      We have Espo authentication working on our first Admin account (the one with ID = `1`), which was created prior to use wiring up LDAP. I see on the user SQL table there's a auth_method column. However, the auth_method for both our ID 1 Admin user as well as the new application user we're trying to create are both null! It seems like the new application user keeps trying to auth with LDAP but can't find the creds. Yet, our ID 1 Admin definitely doesn't have an AD account yet allows us login to it.

      Does anyone know if there's an auth_method db value that EspoCRM checks to potentially use Espo-auth instead of LDAP?

      Comment


      • #4
        I continue to use the code I posted two years ago. Mixing authentication implementations has not worked, at least for me, using other methods.

        Comment


        • Zosh
          Zosh commented
          Editing a comment
          Coincidentally, another user basically asked the same question today! I extrapolated out a more in-depth investigation surrounding this issue/use-case on his post: [Local users beside LDAP](https://forum.espocrm.com/forum/gene...rs-beside-ldap)

          Maybe this will all progress toward a more streamlined solution/answer.

        • espcrm
          espcrm commented
          Editing a comment
          I like how you using EspoCRM 'code' [text](url) in the forum.
      Working...
      X