Willkommen bei bytebang » The blog about all and nothing » OpenLDAP authentication for vTiger 6.0

OpenLDAP authentication for vTiger 6.0

Feb 05 2016

The Problem

vTiger is a wonderful open source CRM system which has a very friendly license and offers a lot of features. It comes with a ton of preconfigured settings, but unfortunately a LDAP authentification is not in the box. If you crawl the internet then you will find answers on stackoverflow or this excellent article how to setup AD-auth for vTiger but these answers are tailored towards a Microsoft Active Directory structure. Since the Microsoft Active Directory is technically related to OpenLDAP we can use this approach to access our own LDAP directory. Lets go ...

The Solution

The further examples assume that we already have a local OpenLDAP server which listens on port 389 and requires no authentication. I assume that the reader of this article has already set up his own OpenLDAP server and vTiger 6.x.

Download the adLDAP library

vTiger comes out of the box with no LDAP authentication libraries, so we have to download them and we have to place them within the right directory below the vtiger_root:

$cd /tmp
$wget http://downloads.sourceforge.net/project/adldap/adLDAP/adLDAP_4.0.4/adLDAP_4.0.4r2.zip
$unzip adLDAP_4.0.4r2.zip
$cd adLDAP/src
$mkdir -p /var/www/html/vtiger/modules/Users/authTypes/
$cp -R * /var/www/html/vtiger/modules/Users/authTypes/
$chown -R www-data:www-data /var/www/html/vtiger/modules/Users/authTypes/

OK - this one was simple: We download the correct version of the library, extract it, afterwards we put it into the right directory below our vtiger root (which is assumed to be under /var/www/html/vtiger/). Finally we set the correct permissions.

Configure the adLDAP library

The ugly thing with this approach is, that the settings for the LDAP access must be made directly in the sourcecode of adLDAP (/var/www/html/vtiger/modules/Users/authTypes/adLDAP.php). Assuming that my LDAP has an organizational group named "People" which is located below the domainspecific "contoso.at", I modified the following variables:

protected $accountSuffix = "ou=People,dc=contoso,dc=at";
protected $baseDn = "dc=contoso,dc=at";
protected $adPort = self::ADLDAP_LDAP_PORT;
protected $domainControllers = array("127.0.0.1");

The next step is to modify the adLDAP sourcecode. Depending on your settings the modifications will be like a little different, but in my case it was sufficient to change the line 712 in the file from this:

$this->ldapBind = @ldap_bind($this->ldapConnection, $username . $this->accountSuffix, $password);

to this:

$this->ldapBind = @ldap_bind($this->ldapConnection, "uid=" . $username . "," . $this->accountSuffix, $password);

OK. Why did I do this? ... The answer is simple: The library is tailored towards an Active Directory implementation. AD accepts user passwords in another format as LDAP does. In the end we did nothing other than constructing a valid user object which is accepted from OpenLDAP and looks like uid=myusername,ou=People,dc=contoso,dc=at (and not as the default implementation myusernameou=People,dc=contoso,dc=at).

Test the modifications

It is pain in the ass to test the modifications within vTiger. So we have to find an easier way how to do this. The simplest way is to write a small php script and to run it from the commandline. Here is the script:

<?php

require_once(dirname(FILE) . '/vtiger/modules/Users/authTypes/adLDAP.php');

try {
    $adldap = new adLDAP();
}

catch (adLDAPException $e) {
    echo "adLDAPException";
    echo $e;
    exit();
}

echo "adldap Object created !\n";

$authUser = $adldap->authenticate('myusername', 'mys3cretPa$$word');
if ($authUser == true) {
  echo "User authenticated successfully\n";
}
else {
  // getLastError is not needed, but may be helpful for finding out why:
  echo "User authentication unsuccessful\n";
  echo $adldap->getLastError();
}
?>

This little script mimics what is done inside the vTiger. It creates an LDAP conenction and afterwards it tests if the given credentials (myusername / mys3cretPa$$word) are the same as the ones within the LDAP tree. If yes then the script responds with the success message, otherwise it gives you the last error message. You can download the script here.

Tell vTiger about the new authentification method

If your testscript was able to authenticate against LDAP then we can tell vTiger about it. This is done by adding the line $AUTHCFG['authType'] = 'AD'; to either the /vtiger/config.php or the /vtiger/config.inc.php

From this time on vTiger authenticates against the LDAP directory instead of its own database. This as the following implications:

  • Only users which are in the LDAP directory can log into vTiger
  • Passwords in vTiger are 'overlayed' by the passwords in LDAP
  • Usernames in vTiger and in LDAP must be the same.

If you remove the authtype line from the config file then everything is as it was before.

It is not possible to login with a user that exists ONLY in the LDAP directory, because vTiger builds up its own user-tmp and a few other things during the creation of the user. If this tmp is not here then vTiger will not let you in - even if the password is correct.

To create a new user within LDAP and vTiger you have to do the following steps:

  1. Turn off AD authentification vithin vTiger to be able to login with the vTiger admin user
  2. Login with the vTiger admin user (and the local vTiger admin password) and create the new user account. The user account must be exactly the same as in LDAP. You can give that local vTiger user any password, it will be overlayed by the LDAP password afterwards.
  3. Create a new LDAP user with the same username as in vTiger.
  4. Turn on the AD authentification vithin vTiger again.

That's it. Permissions and so on are always set within vTiger, because we only influenced authentication and not authorization.

Have fun with your installation. If you like this article then feel free to leave a comment below.

Get Social


(c) 2017, by bytebang e.U. - Impressum - Datenschutz / Nutzungsbedingungen
-