Active Directory Integration

I am having some trouble getting SuiteCRM integrated with Active Directory. I am running SuiteCRM version 7.4.3. It is running on Server 2012 R2 with IIS version 8.5, running PHP 5.6.

What I am trying to accomplish is to have the users in a certain domain group, “CRMusers”, have access to the CRM.

Here are the settings I have applied in the Password settings in the Admin menu:
Server: PDC.DOMAIN.com
Port Number: 389
User DN: CN=Users,DC=PDC,DN=DOMAIN,DC=com
Bind Attribute: userPrincipalName
Login Attribute: userPrincipalName
Group Membership (the box is checked)
Group DN: CN=CRMUusers,CN=Users,DC=DOMAIN,DC=com
Group Name: CN=CRMUsers
User Attribute: uid
Group Attribute: memberUid
With User DN (box is selected)

Authentication: (selected)
Username: svcname@domain.com
Password: Entered
Auto Create Users (selected)

The svcname account is a member of Domain Users, and that is it. (That should give it read rights to the domain.)
I am running PHP 5.6 and have loaded PHP Manager and the LDAP DLLs.

Try changing the fields to:

Bind attribute: userPrincipalName
Login attribute: sAMAccountName

Can you go to Admin -> System Settings -> View Log and check whether SuiteCRM is authenticating correctly with your Active Directory server?

Make sure that you have the logging level set to Fatal so that you will catch the fatal error messages.

First, thanks for responding. :slight_smile:
I made the changes you suggested; it is still failing.

Here is the log output:
03/18/16 11:27:56 [3272][-none-][FATAL] SECURITY: ldapauth: failed LDAP bind (login) by kennedym, could not construct bind_user
03/18/16 11:27:56 [3272][-none-][FATAL] SECURITY: User authentication for kennedym failed
03/18/16 11:27:56 [3272][-none-][FATAL] SECURITY: User authentication for kennedym failed
03/18/16 11:27:56 [3272][-none-][FATAL] FAILED LOGIN:attempts[1] - kennedym
03/18/16 11:28:14 [2628][-none-][FATAL] [LDAP ERROR][10]Referral

In addition, I am getting the following error on the initial page:
Strict Standards: Declaration of LDAPAuthenticateUser::authenticateUser() should be compatible with SugarAuthenticateUser::authenticateUser($name, $password, $fallback = false) in D:\Inetpub\Suitecrm\modules\Users\authentication\LDAPAuthenticate\LDAPAuthenticateUser.php on line 52

So the error message is basically saying that SuiteCRM cannot find the username in the AD database using LDAP, or that your password is incorrect.

The other error message is saying that the two calls it is making should have the same interface, but they are not the same.

Your user and group distinguished names (DNs) seem a little strange. I noticed that you point directly to the Primary Domain Controller instead of to the domain name. Unless, of course, this is the actual name of your domain, you would usually point to the domain itself, e.g. domain.com instead of pdc.domain.com, so that you can implement multiple domain controllers for redundancy.

Depending on the functional level of your domain, or the way your AD server has set up the structure of the database, you may want to try using the OU keyword instead of CN. I would try something like this:

OU=Users,DC=domain,DC=com

If you have multiple sub-domains, then this can be tricky to get working. It is also worth noting that LDAP is case-sensitive, so be careful when typing in the values.

When I set up LDAP with SuiteCRM, I first tend to log in to the domain controller and run ldp from a command prompt, in order to work out the correct LDAP user and group distinguished names. The following link describes how to use it:

https://support.microsoft.com/en-us/kb/224543

Also, you may want to try the older user notation, e.g. DOMAIN\username. For domains with a functional level of Server 2000, this tends to work better.

Does any of this resolve the issue?
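Added example (not SuiteCRM's own code): a small offline Python checker that parses the DNs quoted earlier in the thread and flags a malformed component (such as a `DN=` where `DC=` is meant) and a group name whose spelling does not appear in the group DN. The allow-list of attribute types, the settings dict, and the "group name should appear in group DN" heuristic are assumptions constructed from the thread, not SuiteCRM's validation rules.

```python
import re

# Attribute types an Active Directory DN is normally built from (assumed allow-list).
KNOWN_TYPES = {"CN", "OU", "DC"}


def parse_dn(dn):
    """Split an LDAP distinguished name into (type, value) pairs.

    Raises ValueError for an RDN with no '=', an empty value, or an attribute
    type outside KNOWN_TYPES, so 'DN=DOMAIN' is rejected as a typo for 'DC=DOMAIN'.
    Commas escaped with a backslash stay inside their value.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = (s.strip() for s in rdn.split("=", 1))
        if attr.upper() not in KNOWN_TYPES:
            raise ValueError(f"unexpected attribute type {attr!r} in {rdn!r}")
        if not value:
            raise ValueError(f"empty value in {rdn!r}")
        parts.append((attr.upper(), value))
    return parts


def check_settings(settings):
    """Return a list of problems found in a SuiteCRM-style LDAP settings dict."""
    problems = []
    for key in ("user_dn", "group_dn"):
        try:
            parse_dn(settings[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    # Heuristic: the group name (with any leading 'cn=' removed) should be spelled
    # somewhere in the group DN; the comparison is case-sensitive on purpose,
    # because the thread warns that LDAP values are.
    name = re.sub(r"^cn=", "", settings["group_name"].strip(), flags=re.IGNORECASE)
    if name not in settings["group_dn"]:
        problems.append(f"group_name {name!r} is not spelled anywhere in group_dn")
    return problems


# Constructed input echoing the values quoted in the thread (not read from a live server).
THREAD_SETTINGS = {
    "user_dn": "CN=Users,DC=PDC,DN=DOMAIN,DC=com",
    "group_dn": "CN=CRMUusers,CN=Users,DC=DOMAIN,DC=com",
    "group_name": "CN=CRMUsers",
}

if __name__ == "__main__":
    for problem in check_settings(THREAD_SETTINGS):
        print("problem:", problem)
```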

Hello @kennedymk, I’m trying the same. Can you please tell me where I should add this setup in the admin panel?