
Configuring LDAP Authentication Using Active Directory

Overview

Sugar can be configured to accept Lightweight Directory Access Protocol (LDAP) authentication if your organization has implemented LDAP or Active Directory authentication. When users in your system attempt to log into Sugar, the application will authenticate them against your LDAP directory or Active Directory. If authentication is successful, the user is allowed to log into Sugar. If the authentication is unsuccessful, Sugar will then attempt to verify the provided credentials against its own database of valid usernames and passwords.

Note: For instances that use SugarIdentity, the administrator will need to access SugarIdentity via the Cloud Settings console in order to configure LDAP authentication. Please note that only some SugarCloud instances use SugarIdentity. Refer to the SugarIdentity Guide to determine if yours is configured to do so. Existing customers will be notified before their instances begin using the service.

Prerequisites

You must add a user to Active Directory that Sugar will use to authenticate to Active Directory and read the directory over LDAP. Make this user a managed service account (MSA) with read-only access to Active Directory. For more information on creating an MSA, please refer to the following article on Microsoft's support site: Managed Service Accounts: Understanding, Implementing, Best Practices, and Troubleshooting.

Note: Configuring Active Directory to support LDAP is beyond the scope of this document. For more information on configuring Active Directory, please refer to Microsoft's support site at https://support.microsoft.com.

Steps to Complete

Enabling LDAP for the Instance

  1. Log into Sugar as an administrator and navigate to Admin > Password Management.
  2. Scroll down to the LDAP Support section at the bottom of the page.
  3. Select the checkbox next to "Enable LDAP Authentication". Sugar will then display some additional fields where you must enter information pertaining to your LDAP account.
  4. Complete the fields with information specific to your LDAP or Active Directory account. Please refer to the following section, LDAP Support Fields, for more information on the field requirements.
  5. Click "Save" after completing the form and proceed to the Enabling LDAP for Users section.

LDAP Support Fields

The following fields are presented after you click "Enable LDAP Authentication" in Admin > Password Management:

  • Server : Enter the FQDN of your Active Directory server (e.g. MYSERVER.MYDOMAIN.com)
    • Note: This should be your Domain Controller.
  • Port Number : Enter 389
    • Note: This is the default LDAP port. Enter this value unless you have a custom LDAP configuration.
  • User DN : Enter OU=sugarcrm,DC=MYSERVER,DC=MYDOMAIN,DC=com
    • Note: "OU=sugarcrm" is the actual OU in Active Directory in which you chose to put your users. This OU does not have to be called "sugarcrm"; it can be any OU that contains the users you want in your Sugar instance. Confirm that the container is an OU and not a CN. If it is a CN, use the designator CN=Users, for example.
  • Bind Attribute : Enter "userPrincipalName"
    • Note: This is the attribute Active Directory uses for binding, and it is case sensitive.
  • Login Attribute : Enter "sAMAccountName"
    • Note: This is the attribute Active Directory uses for the login name, and it is case sensitive.
  • Authenticated User : Enter as username@MYSERVER.MYDOMAIN.com or domain\userfirstname.userlastname
    • Note: The authenticated user is the MSA that you configured as part of this article's Prerequisites. If you choose the domain\userfirstname.userlastname format, enter it with two backslashes, as in "domain\\userfirstname.userlastname", because Sugar removes one of the backslashes when you click Save.
  • Authenticated Password : Enter the password of the authenticated user you created
  • Auto Create Users : Uncheck this option if you do not wish to re-create AD users in Sugar. They will be automatically created when they first log into Sugar. Check this option if you instead wish to re-create AD users in Sugar with the same username and password before they log in.
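As an added example, not Sugar's own code and not part of the original article, the following Python script checks the values you are about to type into these fields before you click Save, with no directory connection involved. The server name, User DN and attribute names are the article's own sample values; svc_sugar_ldap and the user names passed at the bottom are constructed placeholders. It also reproduces the backslash behaviour described under Authenticated User, and shows the RFC 4515 escaping that any lookup by the Login Attribute must apply to a name typed at the Sugar login form before it is placed inside an LDAP search filter.

```python
"""Preflight check of the Sugar 'LDAP Support' field values.

Added example written for this article; it is not part of Sugar. It validates
the values before any connection is attempted: the User DN parses as a DN, the
attribute names carry the exact case Active Directory expects, the
Authenticated User is in UPN or domain\\user form, and a login name is escaped
before it is placed inside an LDAP search filter (RFC 4515).
"""
import re

# The article's own sample values; MYSERVER.MYDOMAIN.com is its placeholder
# domain and svc_sugar_ldap is a constructed name for the MSA from Prerequisites.
SAMPLE_FIELDS = {
    "server": "MYSERVER.MYDOMAIN.com",
    "port": "389",
    "user_dn": "OU=sugarcrm,DC=MYSERVER,DC=MYDOMAIN,DC=com",
    "bind_attribute": "userPrincipalName",
    "login_attribute": "sAMAccountName",
    "authenticated_user": "svc_sugar_ldap@MYSERVER.MYDOMAIN.com",
}

_FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$")
_UPN_RE = re.compile(r"^[^@\\\s]+@[^@\\\s]+\.[A-Za-z]{2,}$")
# One backslash as stored by Sugar, or the two the article tells you to type.
_DOMAIN_USER_RE = re.compile(r"^[^@\\\s]+\\{1,2}[^@\\\s]+$")


def parse_dn(dn):
    """Split 'OU=sugarcrm,DC=MYSERVER,...' into (TYPE, value) pairs.

    Only the plain DN shapes shown in the article are handled; a comma inside
    a value would need RFC 4514 escaping and is reported as an error here.
    """
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = (part.strip() for part in rdn.split("=", 1))
        if not attr or not value:
            raise ValueError(f"empty attribute or value in RDN {rdn!r}")
        pairs.append((attr.upper(), value))
    return pairs


def validate_fields(fields):
    """Return the list of problems found; an empty list means the form is consistent."""
    problems = []
    if not _FQDN_RE.match(fields["server"]):
        problems.append("Server should be the domain controller's FQDN, e.g. MYSERVER.MYDOMAIN.com")
    if fields["port"] not in ("389", "636"):
        problems.append("Port should be 389 (LDAP) or 636 (LDAP over SSL) unless you have a custom setup")
    try:
        rdns = parse_dn(fields["user_dn"])
        if rdns[0][0] not in ("OU", "CN"):
            problems.append("User DN should start with the container holding your users (OU=... or CN=Users)")
        if not any(attr == "DC" for attr, _ in rdns):
            problems.append("User DN has no DC= components, so it does not name a domain")
    except ValueError as exc:
        problems.append(f"User DN does not parse: {exc}")
    # The attribute names are case sensitive; a wrong case means no user matches.
    if fields["bind_attribute"] != "userPrincipalName":
        problems.append("Bind Attribute must be exactly 'userPrincipalName'")
    if fields["login_attribute"] != "sAMAccountName":
        problems.append("Login Attribute must be exactly 'sAMAccountName'")
    user = fields["authenticated_user"]
    if not (_UPN_RE.match(user) or _DOMAIN_USER_RE.match(user)):
        problems.append("Authenticated User should be user@domain or domain\\user")
    return problems


def as_saved_by_sugar(authenticated_user_as_typed):
    """Reproduce the save behaviour the article warns about: one backslash is removed."""
    # Typing two backslashes (domain\\first.last) stores one (domain\first.last).
    return authenticated_user_as_typed.replace("\\\\", "\\")


# RFC 4515: characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_search_filter(login_attribute, typed_username):
    """The filter a directory lookup uses to find the logging-in user by sAMAccountName."""
    return f"({login_attribute}={escape_filter_value(typed_username)})"


if __name__ == "__main__":
    for problem in validate_fields(SAMPLE_FIELDS) or ["all fields look consistent"]:
        print("-", problem)
    print(as_saved_by_sugar(r"MYDOMAIN\\first.last"))           # MYDOMAIN\first.last
    print(login_search_filter("sAMAccountName", "j*smith(1)"))  # (sAMAccountName=j\2asmith\281\29)
```

Run it with the values you plan to enter; every message it prints corresponds to one of the notes above. The escaping function is the piece worth keeping around: whatever performs the lookup by sAMAccountName must treat the typed name as data, and the escaped form shows what a correctly built filter looks like for a name containing filter metacharacters.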

Enabling LDAP for Users

  1. Navigate to Admin > User Management > {user name} > Advanced Tab.
  2. Select LDAP Authentication for this user.

After saving, Sugar will synchronize the user's Active Directory user name and present the password to the directory on the LDAP port. When the user logs in, they should now enter their Active Directory username and password.

LDAP With a Firewall

If the Active Directory authentication server is behind a corporate firewall and your instance of Sugar is hosted in our cloud environment, then please refer to the Configuring Your SMTP Server to Work With SugarCloud article to ensure the appropriate IP range is open on your firewall to allow communication with the Active Directory server. A rule will need to be created allowing bidirectional LDAP communication for the necessary IP range. This can be on the standard LDAP port 389, or you can use LDAP over SSL.
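The reachability check below is an added example, not Sugar's tooling and not part of the original article. Run it from a host inside the IP range your firewall rule allows, pointed at the domain controller, to confirm the rule admits LDAP traffic before troubleshooting the Sugar side. MYSERVER.MYDOMAIN.com is the article's placeholder host name; 389 and 636 are the standard LDAP and LDAP-over-SSL ports. Nothing is contacted unless you run the script yourself.

```python
"""Reachability preflight for the LDAP firewall rule.

Added example for this article, not part of Sugar. It opens a TCP connection
to the LDAP port and, for LDAP over SSL, also completes a TLS handshake with
certificate verification, so a blocked port, a refused connection and a
certificate problem on the domain controller are reported as different things.
"""
import json
import socket
import ssl

LDAP_PORT = 389    # plain LDAP, the article's default
LDAPS_PORT = 636   # LDAP over SSL, the alternative the article mentions


def check_ldap_port(host, port, use_tls=False, timeout=3.0):
    """Return a dict describing whether host:port accepted a connection.

    With use_tls=True the TLS handshake verifies the server certificate against
    the system trust store, as an LDAPS client would; a self-signed or
    mismatched certificate shows up under 'tls:' rather than as unreachable.
    """
    result = {"host": host, "port": port, "tls": use_tls,
              "reachable": False, "error": None, "tls_version": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True            # the firewall let the TCP handshake through
            if use_tls:
                ctx = ssl.create_default_context()
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    result["tls_version"] = tls.version()
    except ssl.SSLError as exc:                   # must precede OSError: SSLError is a subclass
        result["error"] = f"tls: {exc.reason or exc}"
    except OSError as exc:                        # refused, filtered (timeout) or DNS failure
        result["error"] = f"tcp: {exc}"
    return result


def firewall_report(host):
    """Check both standard ports so you can see which one the rule lets through."""
    return {
        "ldap": check_ldap_port(host, LDAP_PORT),
        "ldaps": check_ldap_port(host, LDAPS_PORT, use_tls=True),
    }


if __name__ == "__main__":
    # Placeholder host from the article; replace with your domain controller's FQDN.
    print(json.dumps(firewall_report("MYSERVER.MYDOMAIN.com"), indent=2))
```

A "tcp: timed out" result on 389 from inside the allowed range is the signature of a rule that is still dropping the traffic; "tcp: Connection refused" means the packet arrived but nothing is listening on that port, which points at the server rather than the firewall.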

Last modified: 2019-06-12 23:53:03