LDAP Support

LDAP Server and Client Installation

  1. sudo apt-get install slapd ldap-utils migrationtools
  2. You will be prompted for the LDAP admin password. Please remember it.
  3. sudo mv /etc/ldap/slapd.d /etc/ldap/slap.d.orig
  4. sudo dpkg-reconfigure slapd

    Omit OpenLDAP server configuration? No
    DNS domain name: server.world
    Organization name: server
    Password: enter the same password you entered in step 2
    Database backend to use: HDB
    Do you want the database to be removed when slapd is purged? Yes
    Move old database? Yes
    Allow LDAPv2 protocol? No

  5. sudo /etc/init.d/slapd restart

Modifying/Populating your Database

Let’s introduce some content to our database. We will add the following:

  • a node called People (to store users)
  • a node called Groups (to store groups)
  • a group called miners
  • a user called john

Create the following LDIF file and call it add_content.ldif:

dn: ou=People,dc=server,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=server,dc=world
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=server,dc=world
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=server,dc=world
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

Note: It’s important that the uid and gid values in your directory do not collide with local values. Use high number ranges, i.e. starting at 5000. By setting the uid and gid values in LDAP high, you also allow for easier control of what can be done with a local user vs an LDAP one. More on that later.

Add the content:

ldapadd -x -D cn=admin,dc=server,dc=world -W -f add_content.ldif

Enter LDAP Password: ********
adding new entry "ou=People,dc=server,dc=world"
adding new entry "ou=Groups,dc=server,dc=world"
adding new entry "cn=miners,ou=Groups,dc=server,dc=world"
adding new entry "uid=john,ou=People,dc=server,dc=world"

We can check that the information has been correctly added with the ldapsearch utility:

ldapsearch -x -LLL -b dc=server,dc=world 'uid=john' cn gidNumber
dn: uid=john,ou=People,dc=server,dc=world
cn: John Doe
gidNumber: 5000
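As an added example (not code from this page or from the Zurmo project), the Python script below performs the same checks offline before you run ldapadd: it parses the LDIF, enforces the page's rule that directory uid/gid numbers start at 5000, flags a cleartext userPassword (slappasswd produces a {SSHA} hash that can be pasted in instead), and reproduces the ldapsearch lookup for uid=john. The sample LDIF is a constructed, trimmed copy of add_content.ldif; the 5000 threshold and the hash prefixes are assumptions taken from the page and from OpenLDAP's documented password schemes.

```python
# Added example, not code from the Zurmo wiki or the Zurmo project: an offline
# sanity check of an LDIF file before ldapadd. It applies the page's rule that
# directory uid/gid numbers start at 5000, flags cleartext userPassword values,
# and answers the same query as the page's ldapsearch for uid=john.
from collections import defaultdict

# Constructed sample: a trimmed copy of the page's add_content.ldif.
SAMPLE_LDIF = """\
dn: ou=People,dc=server,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=server,dc=world
objectClass: organizationalUnit
ou: Groups

dn: cn=miners,ou=Groups,dc=server,dc=world
objectClass: posixGroup
cn: miners
gidNumber: 5000

dn: uid=john,ou=People,dc=server,dc=world
objectClass: posixAccount
uid: john
cn: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
"""
MIN_DIRECTORY_ID = 5000   # page: "high number ranges, i.e. starting at 5000"
HASHED_PREFIXES = ("{SSHA}", "{SHA}", "{CRYPT}", "{MD5}", "{SMD5}")

def parse_ldif(text):
    """Return [(dn, attrs)]; attrs maps an attribute name to its list of values."""
    entries, attrs, last = [], None, None
    for raw in text.splitlines() + [""]:       # the final "" closes the last entry
        if raw.startswith(" ") and last:       # folded continuation line
            attrs[last][-1] += raw[1:]
        elif raw == "":                        # a blank line terminates an entry
            if attrs is not None:
                entries.append((attrs["dn"][0], attrs))
            attrs, last = None, None
        else:
            name, _, value = raw.partition(":")
            if name == "dn":
                if attrs is not None:          # two dn lines with no blank line between
                    raise ValueError("missing blank line before " + value.strip())
                attrs = defaultdict(list)
            attrs[name].append(value.strip())   # TypeError here means no dn came first
            last = name
    return entries

def audit(entries):
    """Return findings (strings); an empty list means the LDIF passed the checks."""
    findings = []
    for dn, attrs in entries:
        for attr in ("uidNumber", "gidNumber"):
            for v in attrs.get(attr, []):
                if int(v) < MIN_DIRECTORY_ID:
                    findings.append("%s: %s=%s overlaps the local range" % (dn, attr, v))
        for pw in attrs.get("userPassword", []):
            if not pw.startswith(HASHED_PREFIXES):   # slappasswd produces {SSHA}...
                findings.append(dn + ": userPassword stored in cleartext")
    return findings

def search(entries, attr, value, wanted):
    """Offline equivalent of ldapsearch '(attr=value)' restricted to `wanted` attributes."""
    return [(dn, {w: attrs[w] for w in wanted if w in attrs})
            for dn, attrs in entries if value in attrs.get(attr, [])]
```

Run `audit(parse_ldif(open("add_content.ldif").read()))` on your own file; the sample above yields exactly one finding, the cleartext password for john.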

Configuration in Zurmo

Go to Settings->Authentication Configuration->LDAP Configuration

  1. Configure: enter your OpenLDAP server details.

    [Figure LDAP_1]

  2. If you correctly enter the OpenLDAP server details and click on the ‘Test Connection’ button, you will get the ‘Successfully connected to LDAP server’ message as shown below:

    [Figure LDAP_2]

  3. If you do not enter the OpenLDAP server details correctly and click on the ‘Test Connection’ button, you will get the ‘Unable to connect to LDAP server’ message as shown below:

    [Figure LDAP_3]

Active Directory Installation Steps

Active Directory Windows based LDAP Authentication

  1. Open Server Manager by clicking the icon in the Quick Launch toolbar or from the Administrative Tools folder.
  2. Wait until it finishes loading, then click on the Roles > Add Roles link.

    [Figure LDAP_AD2]

  3. In the Before You Begin window, click Next.

    [Figure LDAP_AD3]

  4. In the Select Server Roles window, check Active Directory Domain Services, and then click Next.

    [Figure LDAP_AD4]

  5. In the Active Directory Domain Services window, click Next.

    [Figure LDAP_AD5]

  6. In the Confirm Installation Selections window, click Install.

    [Figure LDAP_AD6]

  7. Wait for the process to complete.

    [Figure LDAP_AD7]

  8. When it ends, click Close.

    [Figure LDAP_AD8]

  9. Going back to Server Manager, click on the Active Directory Domain Services link. Note that there’s no information linked to it, because the DCPROMO command has not been run yet.

    [Figure LDAP_AD9]

  10. Click on the DCPROMO link.
  11. To run DCPROMO, enter the command in the Run command, or click on the DCPROMO link from Server Manager > Roles > Active Directory Domain Services.

    [Figure LDAP_AD11]

  12. Depending on whether or not AD-DS was previously installed, the Active Directory Domain Services Installation Wizard will appear. Click Next.

    [Figure LDAP_AD12]

Note: The Advanced features of DCPROMO will be discussed in a future article.

  1. In the Operating System Compatibility window, read the provided information and click Next.

    [Figure LDAP_ipad1]

  2. In the Choose a Deployment Configuration window, click on “Create a new domain in a new forest” and click Next.

    [Figure LDAP_ipad2]

  3. Enter an appropriate name for the new domain. Make sure you pick the right domain name, as renaming domains is a task you will not wish to perform on a daily basis. Click Next.

    [Figure LDAP_ipad3a]

    Note: Do NOT use single label domain names such as “mydomain” or similar. You MUST pick a full domain name such as “mydomain.local” or “mydomain.com” and so on.

    The wizard will perform checks to see whether the domain name is already in use on the local network.

    [Figure LDAP_ipad3b]

  4. Pick the right forest function level. Windows 2000 mode is the default, and it allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 Domain Controllers to the forest you’re creating. You can read the “Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels” article for more information on that.

    [Figure LDAP_ipad4]

  5. Pick the right domain function level. Windows 2000 Native mode is the default, and it allows the addition of Windows 2000, Windows Server 2003 and Windows Server 2008 Domain Controllers to the domain you’re creating.

    [Figure LDAP_ipad5]

    Note: If you select “Windows Server 2008” for the forest function level, you will not be prompted to pick a domain function level. Read more about domain and forest function levels in the article “Understanding Windows Server 2008 Active Directory Domain and Forest Functional Levels”.

  6. The wizard will perform checks to see if DNS is properly configured on the local network. In this case, no DNS server has been configured, therefore the wizard will offer to automatically install DNS on this server.

    [Figure LDAP_ipad6a]

    [Figure LDAP_ipad6b]

    Note: The first DC must also be a Global Catalog. Also, the first DC in a forest cannot be a Read Only Domain Controller.

  7. It’s most likely that you’ll get a warning telling you that the server has one or more dynamic IP Addresses. Running IPCONFIG /all will show that this is not the case, because as you can clearly see, I have given the server a static IP Address. So, where did this come from? The answer is IPv6. I did not manually configure the IPv6 Address, hence the warning. In a network where IPv6 is not used, you can safely ignore this warning.

    [Figure LDAP_ipad7a]

    [Figure LDAP_ipad7b]

  8. You’ll probably get a warning about DNS delegation. Since no DNS has been configured yet, you can ignore the message and click Yes.

    [Figure LDAP_ipad8]

  9. Next, change the paths for the AD database, log files and SYSVOL folder. For large deployments, carefully plan your DC configuration to get the maximum performance. When satisfied, click Next.

    [Figure LDAP_ipad9]

  10. Enter the password for the Active Directory Recovery Mode. This password must be kept confidential: regular domain user passwords expire (based upon the password policy configured for the domain, the default is 42 days), but this one stays constant and does not expire. This password should be complex and at least 7 characters long. I strongly suggest that you do NOT use the regular administrator’s password, and that you write it down and securely store it. Click Next.

    [Figure LDAP_ipad10]

  11. In the Summary window review your selections, and if required, save them to an unattend answer file. When satisfied, click Next.

    [Figure LDAP_ipad11]

  12. The wizard will begin creating the Active Directory domain, and when finished, you will need to press Finish and reboot your computer.

    [Figure LDAP_ipad12a]

    [Figure LDAP_ipad12b]

    [Figure LDAP_ipad12c]

Configuration in Zurmo

Go to Settings->Authentication Configuration->LDAP Configuration

  1. Enter the Active Directory server details as shown in the figure.

    [Figure LDAP_4]

  2. Click the Test Connection button to ensure the Active Directory server details are correct. If you correctly enter the server details, you will get a ‘Successfully connected to LDAP server’ message. If not, you will receive an ‘Unable to connect to Ldap server’ message.

Leave a Comment

  • http://twitter.com/err404notfound Muhammad Shoaib

    Awesome

  • David Saldana

    I followed all instructions that are posted here but Zurmo is not communicating with Windows LDAP and users cannot authenticate.

    • http://www.facebook.com/people/Ray-Stoeckicht/100001473956853 Ray Stoeckicht

      I will have an engineer respond to this

      • David Saldana

        Thanks a lot

        • Dhananjay Donthula

          Hi David ,

          For Windows LDAP or ‘Active Directory’ you don’t have to follow these steps; these steps are required for OpenLDAP (Linux based). I will have the documentation on Active Directory shortly so that it can guide you more. Did you upgrade your Zurmo instance to the latest? Then you can see a new dropdown to distinguish the LDAP server type. Let me know if you still face an issue with the latest upgrade of Zurmo.

          • David Saldana

            Yes I have the Latest 1.5 version installed and that is what I saw the dropdown option but I still have the same issue.

          • Dhananjay Donthula

            are you able to connect to your active directory server or ‘you got successfully connected message but when you try to login with active directory user and login is failing’

          • David Saldana

            I go to the setup LDAP screen, fill out all the information and then press the test button but it keeps reading and I never get the “successfully connected message.

          • Dhananjay Donthula

            can you configure and run the walkthrough test for active directory and see that it passes

          • David Saldana

            I am not sure I understand what you want me to do.

          • Dhananjay Donthula

            I am asking you to configure and run the walkthrough test and unit test for the Active Directory test classes using phpunit and see the results.

          • David Saldana

            ok here is what I have done. I installed turnkey Zurmo old version (VMware) and then downloaded the 1.5 full package from zurmo website and installed it on top of the old version and LDAP is not working. I downloaded the Bitnami new version (VMware) since seems to have all unix packages already installed and configure and LDAP is working. so I am clearly missing something on the other server, do you know what are the requirements for AD LDAP to work?
            Thanks in advance for all your help.

          • Dhananjay Donthula

            AD LDAP documentation will be available shortly on wiki

          • David Saldana

            Thanks a lot

          • http://www.facebook.com/people/Ray-Stoeckicht/100001473956853 Ray Stoeckicht

            Hi David, the wiki has been updated. You can now see AD LDAP documentation.

          • David Saldana

            Thanks

          • http://www.facebook.com/people/Ray-Stoeckicht/100001473956853 Ray Stoeckicht
          • David Saldana

            ok let me read the document and run the test.

  • rodolfojcj

    Hi!

    I’m trying to connect with LDAP service running on a Zentyal server installed in the Local Area Network of my company. The “Test Connection” step done in configuration is successful, but real login fails. This LDAP running in Zentyal is an OpenLDAP under the hood.

    This same LDAP Zentyal server is used successfully to provide the authentication backbone for a python application running in the same intranet for the same users.

    The server has these properties, which I set in a fresh installed Zurmo:

    server type: openldap
    host: 192.168.1.200
    port: 390
    user name: zentyalro (this is the read only connection user)
    password: OQY1WpbEc1OQRVZpFXWa (this is the read only connection password)
    base domain: dc=mycompany,dc=com
    turn on ldap: checked

    The test connection outputs “Successfully Connected to Ldap Server” with these params. Next in the login screen I put my ldap user name “rodolfo.castellanos” and my raw ldap password and the error message “Incorrect username or password.” is that I get back.

    I’m studying the source code, but I don’t see what could be the reason for the failure. Things I’ve thought:

    - User name could be the full DN? I tried with “uid=rodolfo.castellanos,ou=Users,dc=mycompany,dc=com” but it failed too.

    - Is zurmo expecting the uid as login attribute? I tried “rodolfo.castellanos” and “uid=rodolfo.castellanos” and it failed too.

    - Is zurmo expecting a specific user and group base existing in the LDAP tree? In this wiki article the example LDIF file uses “People” and “Groups” as Organizational Units, but it’s not practical for me because the tree already exists.

    - I noticed too that the source code of app/protected/modules/zurmo/controllers/LdapController.php in its public function actionTestConnection() does not use the functionality existing in classes such as app/protected/modules/users/UserLdapIdentity.php, which means to me the connection code is not exercised as it would be in a real connection attempt.

    Thanks in advance for your attention and any help to do a successful connection via LDAP of this promising Zurmo CRM will be welcomed and very appreciated.

    Bye,
    Rodolfo Castellanos
    Venezuela

    • Dhananjay Donthula

      Hi Rodolfo,

      I think the issue is that rodolfo.castellanos is not in the Zurmo user list; you should have the user in Zurmo as well as in the LDAP server. If you still have an issue with LDAP you can try UserLdapTest.

      Please do let me know if it solves your issue
      Thanks,

      Dhananjay Donthula

      • rodolfojcj

        Hi Dhananjay!

        I’m very grateful for your answer, it worked!

        I thought I did something like that yesterday, but today following your suggestion I did it again and it just worked!

        It could be fine if Zurmo could allow a ldap user registration/login in the fly without additional user creation needed, just like the python application we use in our LAN does. But for now we’ll be giving Zurmo a chance and explore how we can take advantage of it.

        After considering the previous case, I followed these steps with another user:

        1. Create the user account in Zurmo pedro.perez with password PA (user creation does not allow empty password)

        2. User pedro.perez already exists in ldap with password PB

        3. Try to login in Zurmo with user name pedro.perez and password PA. Result is successful.

        4. Try to login in Zurmo with user name pedro.perez and password PB. Result is successful too.

        Thank you again!

        Bye,

        Rodolfo Castellanos
        Venezuela

  • Don Robertson

    Hi – I am doing a demo of Zurmo at our local software freedom day. I discovered it recently and have installed a copy on my server. Thought it was good enough to do a run through for a business audience :-) Love the Drupal Webform Module too.

    This copy is being installed on a Zentyal server – so I am trying to get the LDAP authentication going.

    Zentyal uses openLDAP

    I set up and tested the LDAP connection, and it worked.

    However, users and groups are not being populated from the LDAP server to Zurmo. Do I still need to add users and groups to Zurmo?

    I was hoping to show the benefits of LDAP – add a user on the Zentyal server, and Look! here it is in Zurmo. Disable in LDAP and user is gone in Zurmo. Is this possible?

    Don
    PS – got a lot to get done tomorrow … if you could let me know :-)

    • Ray Stoeckicht

      We have not worked with Zentyal so not sure if it will work.

      • Don Robertson

        Yeah – okay, let’s just say an Ubuntu based server running OpenLDAP. Does Zurmo populate its users and groups from the LDAP server or just use the password?

        • Pascal Michard

          Any news on this? I’m trying to get zurmo LDAP to work with zentyal without success. The connection appears to be ok.

  • Sujit

    Hi
    I installed Zurmo on my CentOS machine successfully. When I do Active Directory authentication it works fine. But when I try to connect with LDAP, it is not connecting. My LDAP settings are good, because they work fine with other applications. What would be the problem – please help me.

  • Charles Rishard

    Hi. Are there any tutorials on setting up AD LDAP integration? My company’s AD LDAP is reachable through the test connection, but we can not see how LDAP is integrated. We would like to use LDAP to authenticate users into Zurmo.

  • rodolfojcj

    Hello again!

    I am running Zurmo 2.2.3 on my intranet. Today I was updating it incrementally to more recent versions till the stable version (as of today) 2.6.4, and everything seemed to work fine, until I explored the Authentication settings, which use LDAP, finding that the LDAP settings web screen is empty.

    To discard that I rolled back to version 2.2.3 from backups, and checking again LDAP settings they are empty too. So, this is a bug I was not aware of and is present from some previous version that I can’t point to precisely.

    Then, I did a fresh installation of 2.6.4 in a different test machine and LDAP settings work fine and I identified the URL used to get there (http://put_zurmo_test_host_here/app/index.php/zurmo/ldap/configurationEditLdap). Next I went back to restored production zurmo with 2.2.3 and pointed the web browser to http://put_zurmo_production_host_here/app/index.php/zurmo/ldap/configurationEditLdap and it is accessible and works fine, showing the right params and even the “test connection” button runs successfully.

    So it would be very fine that the LDAP settings functionality continues to work after updating zurmo.

    Thanks to anyone who can examine and fix it.

  • Bruno Simioni

    Hey guys,

    I’m trying to integrate Zurmo CRM with my OpenDS LDAP server with no success. Let me explain some points:

    1. I’ve configured my Zurmo instance to connect to OpenDS using the OpenLDAP option.

    2. I’ve activated the debug flag, and the production.log file has no information about LDAP login, for success or error causes.

    3. The “Test LDAP connection”, under the Administration tool, returns true. I’ve actually patched some code. Here we go:

    at: /home/apizurmo/zurmo/app/protected/modules/zurmo/utils/LdapUtil.php:77

    00077 $bindRegisteredDomain = 'cn=' . $bindRegisteredDomain . ',' . $baseDomain; // Not Coding Standard

    was modified to just:

    $bindRegisteredDomain = $bindRegisteredDomain; // Not Coding Standard

    And my server finally connects, using the “cn=Directory Manager” bind master user.

    4. When trying to login, Zurmo returns “User/Pass invalid”, but inspecting the code, I got:

    at: /home/apizurmo/zurmo/app/protected/modules/users/components/UserLdapIdentity.php:83

    00083 if ($result[0] && @ldap_bind($ldapConnection, $result[0]['dn'], $this->password))

    returns ok. $result has just 1 row (as expected, when user logins correctly) and the next line, 85

    00085 if ($this->errorCode != 1)

    has a false condition, since errorCode still has the “1” value. “ERROR_USERNAME_INVALID” I guess.

    With this condition, I cannot log in to Zurmo, even with a correct user/pass/bind entered. This is the first time I tried to log in, so no user was created in the Zurmo database (just the super one).

    Would you guys help me to solve this integration problem?

    Is the LDAP integration readonly, or Zurmo writes into LDAP server?

    Best,

  • http://blog.nihilnovo.eu Dimitrios Stergiou

    I connected Zurmo with our Active Directory, and I can see that the “Test Connection” works. Also, when “sniffing” the traffic from Zurmo to our Active Directory I see that the credentials are correct and I am binding to the AD.

    However, the user is not able to log in to Zurmo. Please note that I have not defined the user in Zurmo. So:
    1) Do I need to create the user in Zurmo before they are able to connect via AD?
    2) If not, what steps do I need to take to make this work?

    Thanks,

  • Maxim Smolkin

    I set AD connection and got message “Successfully Connected to Ldap Server”. But when I try to login using AD username and password I got message “Incorrect username or password”.

  • Don Robertson

    Hi – suddenly I can no longer log into Zurmo with an LDAP user or with an admin user not in LDAP. I am getting the following in the errors.

    2015/05/06 14:52:10 [error] assert(): Assertion "is_int($port)" failed (/var/www/html/zurmo/app/protected/modules/zurmo/utils/LdapUtil.php:69)

    Stack trace:
    #0 /var/www/html/zurmo/app/protected/modules/zurmo/forms/LoginForm.php(66): UserLdapIdentity->authenticate()
    #1 /var/www/html/zurmo/yii/framework/validators/CInlineValidator.php(42): LoginForm->authenticate()
    #2 /var/www/html/zurmo/yii/framework/validators/CValidator.php(213): CInlineValidator->validateAttribute()
    #3 /var/www/html/zurmo/yii/framework/base/CModel.php(159): CInlineValidator->validate()
    #4 /var/www/html/zurmo/yii/framework/web/widgets/CActiveForm.php(835): LoginForm->validate()
    #5 /var/www/html/zurmo/app/protected/modules/zurmo/controllers/DefaultController.php(71): validate()
    #6 /var/www/html/zurmo/yii/framework/web/actions/CInlineAction.php(49): ZurmoDefaultController->actionLogin()
    #7 /var/www/html/zurmo/yii/framework/web/CController.php(308): CInlineAction->runWithParams()
    #8 /var/www/html/zurmo/yii/framework/web/filters/CFilterChain.php(133): ZurmoDefaultController->runAction()
    #9 /var/www/html/zurmo/yii/framework/web/CController.php(291): CFilterChain->run()
    #10 /var/www/html/zurmo/yii/framework/web/CController.php(265): ZurmoDefaultController->runActionWithFilters()
    #11 /var/www/html/zurmo/yii/framework/web/CWebApplication.php(282): ZurmoDefaultController->run()
    #12 /var/www/html/zurmo/yii/framework/web/CWebApplication.php(141): WebApplication->runController()
    #13 /var/www/html/zurmo/yii/framework/base/CApplication.php(169): WebApplication->processRequest()
    #14 /var/www/html/zurmo/app/protected/core/components/WebApplication.php(88): WebApplication->run()
    #15 /var/www/html/zurmo/app/index.php(70): WebApplication->run()
    REQUEST_URI=/zurmo/app/index.php/zurmo/default/login
    in /var/www/html/zurmo/app/protected/modules/zurmo/utils/LdapUtil.php (69)
    in /var/www/html/zurmo/app/protected/modules/users/components/UserLdapIdentity.php (60)
    in /var/www/html/zurmo/app/protected/modules/zurmo/forms/LoginForm.php (66)

    I cannot find where the ldap configuration is stored, so can’t see if it is okay.

  • Jason

    Has anyone got the AD login working, I’ve tested it in the backend and it says “Successfully Connected to Ldap Server”. But when I try to login using AD username and password I get “Incorrect username or password”. I see this has been reported a few times in this thread, but I don’t see a solution posted :(

  • Zbigniew Żelazek

    AD integration works fine, but you need to create a user with the same login. Password: type any password. After that you can use the login and password from LDAP/AD.

    Without creating a user with the same login I got the error
    assert(): Assertion "is_int($port)" failed (/var/www/html/zurmo/app/protected/modules/zurmo/utils/LdapUtil.php:69)