yes, I see in Ubuntu you have ldap-utils providing ldapsearch and also
/etc/ldap/ldap.conf
installed by libldap-common
# dpkg -S /etc/ldap/ldap.conf
libldap-common: /etc/ldap/ldap.conf
and check out
man ldap.conf
(btw, to solve packagesā search I use AI with the free https://www.perplexity.ai or phind.com)
I would say the first step is to be able to connect with TLS to your LDAP by using ldapsearch
(in the meanwhile best would be you can see the logs in the LDAP server)
Already done and it works (without encryption ).
From the first post:
āTrying to make an ldapsearch manually (within the server) it works (ldapsearch -x -b ādc=example,dc=localā -H ldap://myhost.example.local -D user -W) but when trying to login with SuiteCRM ui I cannot see any search to ldap server from logs (suitecrm.log) e.g: ldapauth is not invoked.ā
Already done and it works (without encryption ).
exactly, so now have ldapsearch to work with encryption, by changing port (or with the same port but adding -ZZ for StartTLS). I see also ldapsearch have options for debug and verbose.
Howdy,
So, ldapsearch wasnāt installed as there hasnāt been a need, previous to this update, to have it installed in order for LDAP authentication to work. Iām not sure if that would be the case now.
Anyway, the machine where SuiteCRM is installed is enrolled on the IDM domain. the ldap.conf file exists. I also donāt need to add extra parameters like -H host:port to the command as the server globally knows what its identity server is.
So doing a simple test:
# kinit my-user
Password for my-user@DOMAIN.TLD:
# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=tld> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# users, compat, domain.tld
dn: cn=users,cn=compat,dc=domain,dc=tld
objectClass: extensibleObject
cn: users
...
I am using port 389 with TLS so the connection is automatically upgraded. For all matters, the IDM server is also the CA authority.
I can contact and run all commands from this server to the IDM server. The certificates are valid. The only problem is whatever crap was made from v 8.4.1 to v8.4.2 that simply broke LDAP.
We use LDAP authentication across a myriad of applications. None has problems.
EDIT:
Some follow-up on the configuration environment of IDM: FreeIPA docs - HowTo - LDAP
Red Hat IDM and FreeIPA are the exact same thing.
These two forum threads contain some thorough investigation and solutions.
Please read the above two forum threads, try their solutions, and report back here with your results.
# ldapsearch -x -H ldaps://idm1.domain.tld:636
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=tld> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# users, compat, domain.tld
dn: cn=users,cn=compat,dc=domain,dc=tld
objectClass: extensibleObject
cn: users
...and so on
the same thing. I have no issues connecting using port 636 or 389 with TLS which is what I am using on SuiteCRM.
The ldap.conf file exists and is configured with TLS_CACERT with the correct information. The system is enrolled on a domain and all these configurations are set and working.
Also I am extremely sorry for my bluntness but I donāt see exactly the point of digging over a year old topics, from users having trouble with first time LDAP config, when this is about a SuiteCRM change that broke a working LDAP integration (version 8.4.1) to a non-working LDAP integration (version 8.4.2) on several environments and setups. There were no problems before for various setups, now there are. Certificates havenāt expired over the course of the update.
What more tests do you need, specifically?
ldap.conf exists and correctly configuredldapsearchand other tools work without any issue over TLSCan you set APP_ENV=qa, this should provide additional detail, and report back your results?
# cat .env | grep APP_ENV
# * .env.$APP_ENV committed environment-specific defaults
# * .env.$APP_ENV.local uncommitted environment-specific overrides
APP_ENV=qa
Login credentials incorrect, please try again.
No entries on either logs/prod/prod.log or public/legacy/suitecrm.log
EDIT:
To test I performed the following steps
bin/console cache:clear and bin/console cache:pool:clear cache.global_clearerI would also like to add that in the course of debugging this situation I have created multiple .env files, such as:
$ ls -la .env*
-rw-r--r--. 1 apache apache 1932 Jan 25 17:54 .env
-rw-r--r--. 1 apache apache 889 Jan 23 17:20 .env.local
-rw-r--r--. 1 apache apache 889 Jan 23 17:27 .env.prod.local
-rw-r--r--. 1 apache apache 889 Jan 23 17:32 .env.qa.local
The locals are all copy of the original .local
I didnāt know about the qa environment, but I do know that the dev environment gives you access to elaborate error messages with full stack traces (I find these most useful for this kind of forum troubleshooting, I can go look at the actual code without having to set up a complex environment and trying to reproduce on my local).
However, the last few people whom I told to change to dev got a broken system with a Doctrine error. I believe this can be solved, Iāve solved it myself, but it was a long time ago and I donāt remember what it was. Maybe installing the dev package to get the dist precompiled folder, maybe running composer to update packages to better match the dev environment, maybe something else. Maybe itās something as simple as giving the DB credentials in the .dev.env file.
@maverickws itās up to you if want to try yet another environment, and go through the trouble of getting it to work, but I do think that might provide more informationā¦
Itās several yarn commands + other commands, to get APP_ENV=dev to work and show more detailed error info:
@chris001, but that is to set up the full dev environment that is able to compile the front end. That dev package I mentioned is meant to avoid that by providing a precompiled dist directory and some other bits. We wonāt need to compile the front-end, just get Symfony to go trough the dev environment so it provides more detailed outputā¦
Hereās the steps to install and setup dev mode (APP_ENV=dev) properly:
if you would setup this dev mode as explained in the post above @maverickws and report back your more detailed error messages when the LDAP login fails to login on 8.5.
Iām sorry Iām not a developer, someone f*cks up and I have to go and install dev releases, setup full development environments and whatever?
How about you install a freeipa server which is quite easy and test yourself? Itās free open source software.
This is not my work, Iāve done plenty of testing already, took hours from my day I should be working for this. Having to setup a full development environment just because this doesnāt generate proper log output is ridiculous.
If the stanza is to leave errors in the app until final users do all the work for you, then Iām just going back to 8.4.1 until I find some other solution for CRM.
As Iāve stated many times before, and I will stress it again, I am not a developer, I was evaluating SuiteCRM for inclusion in projects, and the whole lifecycle of this issue and these requests, make it clear that this is not suitable for anything.
Iām also testing SuiteCRM as an Open Source alternative to SugarCRM (and unfortunately I donāt have a lot of time 'cause Iām testing the product for my company and can squeeze a few hours out of normal activities).
Following up on a request/suggestion from @pgr Iāve done the following test:
There isnāt much āextended informationā. There is only a
Failed to load resource: the server responded with a status of 401 (Unauthorized)
Login failed
Screenshot attached.
I had done this test before. Same result.
I was looking at the logs on the LDAP server side
SuiteCRM requests come like this:
[26/Jan/2024:12:59:41.190646024 +0000] conn=64347 fd=253 slot=253 connection from 1.1.1.1(crm-server-ip) to 2.2.2.2(idm-server-ip)
[26/Jan/2024:12:59:41.191192457 +0000] conn=64347 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="start_tls_plugin"
[26/Jan/2024:12:59:41.191280241 +0000] conn=64347 op=0 RESULT err=0 tag=120 nentries=0 wtime=0.000358914 optime=0.000129024 etime=0.000486443
[26/Jan/2024:12:59:41.228051635 +0000] conn=64347 TLS1.3 128-bit AES-GCM
[26/Jan/2024:12:59:41.228532725 +0000] conn=64347 op=1 BIND dn="uid=bind-dn,cn=sysaccounts,cn=etc,dc=domain,dc=tld" method=128 version=3
[26/Jan/2024:12:59:41.229479533 +0000] conn=64347 op=1 RESULT err=0 tag=97 nentries=0 wtime=0.021358633 optime=0.000938740 etime=0.022294725 dn="uid=bind-dn,cn=sysaccounts,cn=etc,dc=domain,dc=tld"
[26/Jan/2024:12:59:41.246339682 +0000] conn=64347 op=2 SRCH base="cn=accounts,dc=domain,dc=tld" scope=2 filter="(memberOf=cn=sales,cn=groups,cn=accounts,dc=domain,dc=tld)" attrs="* aci"
[26/Jan/2024:12:59:41.250503876 +0000] conn=64347 op=2 RESULT err=0 tag=101 nentries=2 wtime=0.000254305 optime=0.004170018 etime=0.004419211
[26/Jan/2024:12:59:41.311098525 +0000] conn=64347 op=3 BIND dn="uid=bind-dn,cn=sysaccounts,cn=etc,dc=domain,dc=tld" method=128 version=3
[26/Jan/2024:12:59:41.312039818 +0000] conn=64347 op=3 RESULT err=0 tag=97 nentries=0 wtime=0.000173717 optime=0.000960047 etime=0.001130890 dn="uid=bind-dn,cn=sysaccounts,cn=etc,dc=domain,dc=tld"
[26/Jan/2024:12:59:41.328356714 +0000] conn=64347 op=4 SRCH base="dc=domain,dc=tld" scope=2 filter="(uid=my-user)" attrs="* aci"
[26/Jan/2024:12:59:41.332848612 +0000] conn=64347 op=4 RESULT err=0 tag=101 nentries=1 wtime=0.000294621 optime=0.004498508 etime=0.004789213
[26/Jan/2024:12:59:41.351576404 +0000] conn=64347 op=5 UNBIND
[26/Jan/2024:12:59:41.351629711 +0000] conn=64347 op=5 fd=253 closed error - U1
So the number one question here is where does this attrs="* aci" part being parsed from. This is failing because the request isnāt properly formed.
What about Network tab?
Any nice, detailed, Symfony exception there?
Your LDAP logs are also interesting! 
Network tab gives this:
Until the request is properly formed, it will always fail.
I have commenting the ### LDAP AUTO CREATE CONFIG
but the issue is the same.
Edit:
On the headers I have
URL https://suitecrm.app/login
Status: 401 Unauthorised
Source: Network
Address: suitecrm-server-ip:443
Initiator: poly fills.7539f468be309dcf.js:1:32939
If I put the mouse over this, I get:
dunno if this is of any help but well
