vtiger

[djabbour]

Please note: The patch has been tested against OpenLDAP. I would like someone with AD access to let me know if AD authentication works.

This patch works against vTiger 4.0.1, 4.2 (alpha) and 4.2 CVS.

Usage:
After patching (directions below), you have an option in your config.php file to change $AUTHCFG['authType'] to SQL, AD, or LDAP. When running in SQL mode (the default) vTiger works as normal, and checks passwords against the database.

In LDAP or AD mode, vTiger will check users' passwords against the directory server. NOTE: ACCOUNTS MUST EXIST IN BOTH VTIGER AND THE DIRECTORY SERVER FOR THIS TO WORK. THE ACCOUNT NAMES MUCH MATCH. PASSWORDS, HOWEVER, NEED NOT BE SET IN VTIGER.

Once you switch the authType variable in config.php, this patch will only authenticate against the directory server. Please ensure you have created at least one admin user in vTiger that also exists in your directory before switching to AD or LDAP mode.

This patch will also remove the change password button in vTiger when using AD or LDAP authentication. You will change your password using your directory services.

Files modified by patch:
* install/4createConfigFile.php
* modules/Users/User.php
* modules/Users/DetailView.php

Files added by patch:
* modules/Users/authTypes/
* LDAP.php
* adLDAP.php

To patch (in Unix):
* Copy the authTypes directory to modules/Users/
* Copy the User.php.patch and DetailView.php.patch files to
modules/Users/
* CD to the modules/Users/ directory
* patch --verbose -p0 <DetailView.php.patch
* patch --verbose -p0 <User.php.patch
* Copy the 4createConfigFile.php.patch file to install/
* CD to install/
* patch --verbose -p0 <4createConfigFile.php.patch

The installer will now add the following lines to config.php. If you are installing a fresh copy, patch your installer and install. Then add users to vTiger (without setting passwords). Then edit config.php. If you are patching an existing installation, add the following lines to your config:

//AUTHCFG
$AUTHCFG['authType'] = 'SQL'; //Can either by LDAP, AD, or SQL

//Config Options for LDAP
$AUTHCFG['ldap_host'] = 'localhost';
$AUTHCFG['ldap_port'] = NULL;
$AUTHCFG['ldap_basedn'] = 'dc=localhost,dc=com';
$AUTHCFG['ldap_uid'] = 'uid'; //can be CN or UID depending on ldap install
$AUTHCFG['ldap_username'] = NULL;
$AUTHCFG['ldap_pass'] = NULL;

//Config Options for Active Directory
$AUTHCFG['ad_accountSuffix'] = '@mydomain.local';
$AUTHCFG['ad_basedn'] = 'DC=mydamin,DC=local';
$AUTHCFG['ad_dc'] = array ( "dc.mydomain.local" ); //array of domain controllers
$AUTHCFG['ad_username'] = NULL; //optional user/pass for searching
$AUTHCFG['ad_pass'] = NULL;
$AUTHCFG['ad_realgroup'] = true; //AD does not return the primary group. Setting this to false will fudge "Domain Users" and is much faster. True will resolve the real primary group, but may be resource intensive.


--
LDAP and AD patch for vTiger written by:
Daniel Jabbour
iWebPress Incorporated, www.iwebpress.com
djabbour - a t - iwebpress - d o t - com

[delacx86]

Hi,

I am really interested in what you did cause, I am testing vtiger for a client who would be running with IIS6.0/MYSQL/PHP and who would like integrated authentification, of course the integrated authentification would only work if the vtiger code would be ldap aware, would it be complicated to add to your code that is accepts the ntlm/kerberos authentification on the fly on the login page ??? if the vtiger login users the MSAD credentials it is already a good start, if authentification occurs by itself on the login page it would be even greater.

if i could do something to help this work...

thanks

[djabbour]

My patch allows vtiger to authenticate to an LDAP or Active Directory. It does not implement single sign-on (kerberos). Users will still need to type their AD password a second time to login to vtiger (though at least the passwords would always been in sync). NTLM authentication and Kerberos, as far as I understand them, would be completely different topics, and require a lot of rewriting (I'm not entirely sure it'd be possible using php alone).

A far simpler solution would be to use this patch, upgrade your client to at least Windows 2000 server (preferably 2003) and simply have the vtiger authentication page use AD authentication to the active directory so user passwords will authenticate to the directory server. Good luck.

[indigoleopard]

Hello Team!

We are planning to integrate this in the product team.
So, please do share your views.

Richie

[mikecrowe]

Daniel,

Trying active directory. Get the following error:

Fatal error: Call to undefined function: ldap_connect() in /opt/vtigerCRM4_0_1/apache/htdocs/vtigerCRM/modules/Users/authTypes/adLDAP.php on line 81

[mikecrowe]

I think it may be a PHP issues. Looks like the PHP distributed with VT doesn't include something like ldap.so

[jamesmoey]

Great Patch !!
There is just a minor bug. In the User.php.patch file:

+ case 'AD':
+ $this->log->debug("Using Active Directory authentication");
+ require_once('modules/Users/authTypes/adLDAP.php');
+ $adldap = new adLDAP();
+ if ($adldap->authenticate($this->user_names,$user_password)) {
+ return true;
+ } else {
+ return false;
+ }
+ break;

"$this->user_names" should be "$this->user_name".

[jamesmoey]

jamesmoey wrote:
By the way, the AD code work.

[iampepsiguy]

I just applied this patch. It required some manual updates as the patch didn't take against 4.2 code. I also made the change as described above (user_names to user_name).

This works perfectly aginst AD (tested against Windows 2000 domain controller).

This patch/feature rocks! Please include in base software.

Great job!!

[jpabellon]

Has this been integrated? Please advise...

Thanks!