Espo and LDAP/SSO

  • nhenjes
    Junior Member
    • Mar 2015
    • 6

    Espo and LDAP/SSO

    We have an installation we are trying to set up, and are having issues with connecting Espo with our AD using LDAP. It seems to authenticate fine, users are created in Espo with their email address pulled from the AD controller, but we get an "Auth Error" message when first signing on with AD credentials. Then on subsequent logins with the same user account, we get "Bad server response". Every time I try signing on with another user, I get the same results. It creates the user, but then says Auth Error.

    The error log is giving us "Espo.ALERT: Unauthorized access attempt for user [user.name] from IP [XXX.XXX.XXX.XXX]" which is the IP address of the computer I am using.

    What are some things to check?
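The "Espo.ALERT: Unauthorized access attempt" line quoted above is the only signal the server gives, and the same line also appears when someone is guessing passwords. As an added example (not EspoCRM code, and not from anyone in this thread), here is a small PHP scanner that groups those alerts by source IP so the two cases can be told apart: many distinct users each failing once or twice from one workstation looks like the misconfiguration described here, while many failures for one user from one IP looks like password guessing. The log lines are constructed for the example in the format quoted in the post; the Monolog-style timestamp prefix is an assumption about the surrounding log format.

```php
<?php
// Added example (not EspoCRM code): group "Unauthorized access attempt" alerts
// from the Espo log by source IP. The log lines below are constructed in the
// format quoted in the post, with a Monolog-style timestamp prefix (assumed).
$sampleLog = <<<'LOG'
[2015-03-12 09:14:02] Espo.ALERT: Unauthorized access attempt for user [test.user] from IP [10.0.0.5] [] []
[2015-03-12 09:14:31] Espo.ALERT: Unauthorized access attempt for user [test.user] from IP [10.0.0.5] [] []
[2015-03-12 09:20:10] Espo.ALERT: Unauthorized access attempt for user [jane.doe] from IP [10.0.0.5] [] []
[2015-03-12 09:25:44] Espo.INFO: some unrelated line
[2015-03-12 09:31:07] Espo.ALERT: Unauthorized access attempt for user [admin] from IP [203.0.113.9] [] []
[2015-03-12 09:31:09] Espo.ALERT: Unauthorized access attempt for user [admin] from IP [203.0.113.9] [] []
[2015-03-12 09:31:11] Espo.ALERT: Unauthorized access attempt for user [admin] from IP [203.0.113.9] [] []
LOG;

/**
 * Parse every "Unauthorized access attempt" alert into
 * ['time' => ..., 'user' => ..., 'ip' => ...]; other lines are skipped.
 */
function parseAuthAlerts(string $log): array
{
    $pattern = '/^\[(?<time>[^\]]+)\] Espo\.ALERT: Unauthorized access attempt '
             . 'for user \[(?<user>[^\]]*)\] from IP \[(?<ip>[^\]]+)\]/';
    $events = [];
    foreach (preg_split('/\R/', $log) as $line) {
        if (preg_match($pattern, $line, $m)) {
            $events[] = ['time' => $m['time'], 'user' => $m['user'], 'ip' => $m['ip']];
        }
    }
    return $events;
}

/**
 * Summarise alerts per source IP: total attempts and number of distinct users.
 * Several distinct users with one or two failures each from one IP matches the
 * "every LDAP user fails on first login" symptom in this thread; many failures
 * for a single user from one IP is the pattern to treat as password guessing.
 */
function summariseByIp(array $events): array
{
    $byIp = [];
    foreach ($events as $e) {
        $byIp[$e['ip']]['attempts'] = ($byIp[$e['ip']]['attempts'] ?? 0) + 1;
        $byIp[$e['ip']]['users'][$e['user']] = true;
    }
    $summary = [];
    foreach ($byIp as $ip => $info) {
        $summary[$ip] = [
            'attempts'      => $info['attempts'],
            'distinctUsers' => count($info['users']),
        ];
    }
    return $summary;
}

foreach (summariseByIp(parseAuthAlerts($sampleLog)) as $ip => $s) {
    printf("%-15s attempts=%d distinctUsers=%d\n", $ip, $s['attempts'], $s['distinctUsers']);
}
```

Run it against data/logs/espo-*.log instead of the constructed string to see which of the two shapes your alerts have; in the situation described in this thread, the requesting workstation's IP shows several users with a failure or two each.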
  • tarasm
    Super Moderator
    • Mar 2014
    • 573

    #2
    Are you using an Active Directory server? Could you show your LDAP settings from "data/config.php", the "ldap..." options?
    Job Offers and Requests


    • nhenjes
      Junior Member
      • Mar 2015
      • 6

      #3
      We are using an AD server; here are the settings we currently have:

      'ldapHost' => 'AD SERVER IP',
      'ldapPort' => 389,
      'ldapAuth' => true,
      'ldapUsername' => 'CN=Espocrm,OU=Users,OU=LOCATION,OU=COMPANY,DC=DOMAIN,DC=int',
      'ldapPassword' => 'CORRECT PASSWORD',
      'ldapSecurity' => 'TLS',
      'ldapBaseDn' => 'DC=DOMAIN,DC=int',
      'ldapAccountCanonicalForm' => 'Dn',
      'ldapOptReferrals' => false,
      'ldapBindRequiresDn' => false,
      'ldapUserLoginFilter' => '',
      'ldapTryUsernameSplit' => false,
      'ldapCreateEspoUser' => true,


      • tarasm
        Super Moderator
        • Mar 2014
        • 573

        #4
        I will check it and let you know the result.


        • tarasm
          Super Moderator
          • Mar 2014
          • 573

          #5
          I have checked it on the OpenLDAP server. It works fine.
          EspoCRM uses a "Zend\Ldap" library, you can find more information on the library page.
          If it doesn't work, please provide me access to your server to figure out the problem (send via PM).


          • tarasm
            Super Moderator
            • Mar 2014
            • 573

            #6
            You can read more information about configuring LDAP in EspoCRM in the blog http://blog.espocrm.com/administrati...n-for-espocrm/


            • nhenjes
              Junior Member
              • Mar 2015
              • 6

              #7
              Ok, we did some more checking on this. It seems that if we log in with an Active Directory user, Espo creates the user in its system, but we can't actually log in as that user. The logs start showing "Espo.ALERT: Unauthorized access attempt for user [user.name] from IP [XXX.XXX.XXX.XXX]" as if it isn't validating correctly. Our AD user names are first.last, but Espo is showing First Last for the username. Not sure if that has anything to do with it.


              • nhenjes
                Junior Member
                • Mar 2015
                • 6

                #8
                When logging in the first time with a user, the Espo message at the top says "Please wait..", then "Bad server response", and finally "Auth Error", but the account is still created in Espo.


                • nhenjes
                  Junior Member
                  • Mar 2015
                  • 6

                  #9
                  Ok, finally figured out what the deal is. When the user is created after authenticating with AD, Espo takes the "Full Name" as the username instead of what AD knows the username to be. So if I have a user called Test User whose AD login is test.user, Espo actually creates the user as Test User, which can't authenticate, instead of as test.user.


                  • nhenjes
                    Junior Member
                    • Mar 2015
                    • 6

                    #10
                    We modified Espo\Core\Utils\Authentication\LDAP.php to include the line $data['userName'] = strtolower(str_replace(" ", ".", $data['userName'])); in the create users section. There is a slight issue where the first time a new user logs in, Espo says bad server response, but when you log in subsequently it works fine. It's only that initial time it creates the account that there is an error.



                    • Brock
                      Brock commented
                      Where exactly did you place this line of code in the "create user" section?

                    • Guest
                      Guest commented
                      Thanks for posting this. I had the same problem and your solution works for me. I'm on Ubuntu 16.04, EspoCRM 4.1.6, OpenLDAP v2.4.42.

                      I'm getting logged in straight away with no bad server response.

                      Here is how the createUser function looks after modification:

                      protected function createUser(array $userData)
                      {
                          $data = array();
                          // Copy each mapped LDAP attribute (first value) into the Espo field.
                          foreach ($this->fields as $espo => $ldap) {
                              if (isset($userData[$ldap][0])) {
                                  $data[$espo] = $userData[$ldap][0];
                              }
                          }

                          // Added line: turn the mapped "Test User" into "test.user"
                          // so the created login matches the AD login name.
                          $data['userName'] = strtolower(str_replace(" ", ".", $data['userName']));

                          $user = $this->getEntityManager()->getEntity('User');
                          $user->set($data);

                          $this->getEntityManager()->saveEntity($user);

                          return $user;
                      }
                  • tarasm
                    Super Moderator
                    • Mar 2014
                    • 573

                    #11
                    Thanks, I will check the code.


                    • hi-ko
                      Member
                      • May 2015
                      • 90

                      #12
                      The field mapping shouldn't be hard-coded; it should come from config. See /forum/installation-and-upgrade-help/5231-mapping-ldap-attributes-for-new-users.
                      Some additional Feedback to the LDAP sync:
                      • If not all users are stored in one single OU, the only working config I found was "Principal"
                      • The "User Login Filter" doesn't support memberOf nor nested groups (not supported with OpenLDAP)
                      • A great feature would be an LDAP sync feature, as mentioned in the thread above

                      @tarasm: I think most organisations use MS AD or samba4 as AD. If helpful, I could provide a simple test VM having samba4 configured on an Ubuntu system.


                      • hi-ko
                        Member
                        • May 2015
                        • 90

                        #13
                        @nhenjes: Instead of coding your name scheme, you should take the sAMAccountName from AD.
                        You can find my complete fix here: https://github.com/espocrm/espocrm/pull/157
                        I will add a feature request for group sync.
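Both the str_replace hack in #10 and the advice in #13 are about the same thing: the created Espo login must equal the name the directory authenticates, so that the second login finds the account instead of raising "Unauthorized access attempt". As an added example (not EspoCRM code and not the linked pull request), here is a mapping function that takes the login from sAMAccountName (Active Directory) or uid (OpenLDAP), stores one canonical case, and only falls back to normalising the display name when neither attribute is present, refusing to create an account when no usable login can be derived. The field map, the entry shape (attribute names lower-cased, values as arrays, as Zend\Ldap returns them; an assumption) and the sample entries are constructed for the example.

```php
<?php
// Added example (not EspoCRM code, not the linked PR): build the Espo user
// record from an LDAP entry, taking the login name from sAMAccountName (AD)
// or uid (OpenLDAP) and only falling back to the normalised display name when
// neither exists. Field map and entry shapes are constructed for this example;
// lower-cased attribute names with array values is assumed to match Zend\Ldap.

/** Espo field => candidate LDAP attributes; the first one present wins. */
const LDAP_FIELD_MAP = [
    'userName'     => ['samaccountname', 'uid'],
    'firstName'    => ['givenname'],
    'lastName'     => ['sn'],
    'emailAddress' => ['mail'],
];

/** Last-resort normalisation of "Test User" -> "test.user" (the hack from #10). */
function userNameFromDisplayName(string $cn): string
{
    return preg_replace('/\s+/', '.', strtolower(trim($cn)));
}

/**
 * Map an LDAP entry to Espo user data. Returns null when no login name can be
 * derived, so the caller does not create an account nobody can log in to.
 */
function buildEspoUserData(array $entry): ?array
{
    $data = [];
    foreach (LDAP_FIELD_MAP as $espoField => $candidates) {
        foreach ($candidates as $attr) {
            if (!empty($entry[$attr][0])) {
                $data[$espoField] = $entry[$attr][0];
                break;
            }
        }
    }
    if (!isset($data['userName'])) {
        if (empty($entry['cn'][0])) {
            return null;
        }
        $data['userName'] = userNameFromDisplayName($entry['cn'][0]);
    }
    // AD logins are case-insensitive; store one canonical form so a later login
    // typed as "Test.User" still matches the record created as "test.user".
    $data['userName'] = strtolower($data['userName']);
    return $data;
}

// Constructed entries: an AD user, an OpenLDAP user, and an entry with only a cn.
$adEntry = [
    'cn' => ['Test User'], 'samaccountname' => ['Test.User'],
    'givenname' => ['Test'], 'sn' => ['User'], 'mail' => ['test.user@example.com'],
];
$openLdapEntry = ['cn' => ['Jane Doe'], 'uid' => ['jdoe'], 'sn' => ['Doe'], 'mail' => ['jdoe@example.com']];
$bareEntry = ['cn' => ['Some Body']];

foreach ([$adEntry, $openLdapEntry, $bareEntry] as $entry) {
    var_export(buildEspoUserData($entry));
    echo "\n";
}
```

Returning null for an entry without a login attribute is the part the original hack lacks: creating the account first and failing the login afterwards is exactly what produced the orphan "Test User" records and the alert lines in this thread.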

