Hello all, I have an inquiry to see if my LDAP configuration is possible (utilising Active Directory). Previously, with SuiteCRM 7, we have an LDAP configuration that just worked, now if I put that configuration into SuiteCRM 8 with the same parameters, it will not work. Not that I really wanted to use that type of configuration considering the docs say to use .env.local for those parameters. Anyway, my goal is to search the entire directory under multiple OUs and sub-OUs and grab each of those users. Here is my current somewhat working configuration for .env.local:
AUTH_TYPE=ldap
###> LDAP CONFIG ###
external_auth_only=0
LDAP_HOST=domain.local
LDAP_PORT=636
LDAP_ENCRYPTION=tls
LDAP_PROTOCOL_VERSION=3
LDAP_REFERRALS=false
LDAP_QUERY_STRING=objectClass=person
LDAP_DN_STRING='OU=example,OU=example,OU=example,DC=domain,DC=local'
LDAP_SEARCH_DN='CN=exampleuser,OU=example,OU=example,OU=example,DC=domain,DC=local'
LDAP_SEARCH_PASSWORD='examplepass'
###< LDAP CONFIG ###
###> LDAP AUTO CREATE CONFIG ###
LDAP_AUTO_CREATE=enabled
LDAP_PROVIDER_BASE_DN='OU=example,DC=domain,DC=local'
LDAP_PROVIDER_SEARCH_DN='CN=exampleuser,OU=example,OU=example,OU=example,DC=domain,DC=local'
LDAP_PROVIDER_SEARCH_PASSWORD='examplepass'
LDAP_PROVIDER_DEFAULT_ROLES=ROLE_USER
LDAP_PROVIDER_UID_KEY='sAMAccountName'
LDAP_PROVIDER_FILTER='(&(sAMAccountName={username})(objectClass=person))'
###< LDAP AUTO CREATE CONFIG ###
This somewhat works, I can input the sAMAccountName attribute in the user field and respective password in the password field, but only for users in the OU specified in LDAP_DN_SEARCH, it will not read other users that are in an OU under that OU (for example, example2 OU lives under example1 OU, if LDAP_DN_SEARCH points to example1, it will not include users under example2) which is a big problem for me. I also want the variables LDAP_PROVIDER_BASE_DN and LDAP_SEARCH_DN to equal dc=domain,dc=local (rather than including the OU ou=exmaple1,dc=domain,dc=local) as I want to search the entire directory for users. I have tried putting in CN={username} as in ‘LDAP_SEARCH_DN=‘CN={username}dc=domain,dc=local’’ but that causes this error in /<crm>/logs/prod/prod.log:
request.CRITICAL: Uncaught PHP Exception Symfony\Component\Ldap\Exception\LdapException: "Could not complete search with dn "CN={username},OU=example,OU=example,OU=example,DC=domain,DC=local", query "objectClass=person" and filters "*". LDAP error was [32] No such object." at /<crm>/vendor/symfony/ldap/Adapter/ExtLdap/Query.php line 133 {"exception":"[object] (Symfony\\Component\\Ldap\\Exception\\LdapException(code: 0): Could not complete search with dn \"CN={username},OU=example,OU=example,OU=example,DC=domain,DC=local\", query \"objectClass=person\" and filters \"*\". LDAP error was [32] No such object. at /<crm>/vendor/symfony/ldap/Adapter/ExtLdap/Query.php:133)"} []```
This is how most of the errors turn up with the three variables given, dn, query and filters. If I change either or both LDAP_PROVIDER_BASE_DN and LDAP_SEARCH_DN to equal dc=domain,dc=local, then I will get the same error. I have given the service account used in LDAP_SEARCH_DN and LDAP_PROVIDER_SEARCH_DN explicit read permissions of the entire domain.
After this, I decided to read deeper into the symfony documentation for LDAP (as SuiteCRM 8 utilises symfony for LDAP), I noticed that base_dn in symfony was set to equal dc=domain,dc=local, so I do not know why my input does not work. I found under //vendor/symfony/ldap/Adapter/AbstractQuery.php, there is a scope option and I tested all three options static::SCOPE_BASE, static::SCOPE_ONE, static::SCOPE_SUB by putting them in $resolver->setDefaults, though after restarting apache and clearing the cache (using bin/console cache:clear) and refreshing the page using Shift+F5 each time I changed the value, it did not let users log on in OU’s under the specified LDAP_DN_STRING.
I am not sure if I am on the right track, my goal of changing the source code was to test potential fixes and I don’t want to change the source code if I can, it would be preferable if there is something that I can pass through in env.local.