by iDevIT

Sudo Login (or Masquerade) allows administrators to log in as any regular user without asking for their password and without disconnecting them. It is especially useful for configuring their workspace (filters, reports, dashboard) or for supporting users (reproducing issues, helping them step by step, etc.).


#4345 - LDAP and Users Unable to login

Closed bug, created by eligeo (Verified Purchase) 2 years ago

We have deployed this plugin into an environment with LDAP. After logging into a user account (from admin), we made some changes and then logged out. The users themselves are unable to log in after the fact, though. We are seeing this message:

[attached screenshot: MicrosoftTeams-image (1).png]

Are there any settings that could be impacting this? We're still investigating with a developer on our end but need feedback on this.

  1. iDevIT (Provider Affiliate), 2 years ago

    Hello ELigeo team,

    Which version of SugarCRM are you using? OnPremise / OnDemand?

    Our plugin has never been designed with external-auth-only in mind, so I can't assure you it is working.

    In the meantime, here is what I understood:
    - you successfully used the plugin on computer 1 to log in as user A
    - you made changes (which kind of changes, in which module?)
    - you logged out as the user (you were back as the admin user?)
    - on computer 1, you can still log out/log in as Admin
    - you can't log in anymore as user 1 on computer 1
    - can you log in as user 1 on another computer?
    - did you try private browsing mode?
    - did you try to check the user settings regarding auth for this specific user?

    Unfortunately, I don't have an LDAP system here to test myself. Can you help me to understand the problem?

    Normally we just write one piece of information into the browser session, so I don't see/understand how it could affect the system. In the meantime, I hope your answers will help us to give a more detailed answer.

    Regards

  2. eligeo (Verified Purchase), 2 years ago

    Hi there,

    Version is 9.0.3.

    The changes we made were to update settings for their Dashboard. Each time we log in as a user and then log out, we get reports that the user can no longer log back in.

    The only way for them to log back in is through a hard reset on cache for their browser. It's definitely caching it somehow.

    Is this something you can revisit with LDAP or do we need to look at another option?

    • iDevIT (Provider Affiliate), 2 years ago

      Hello,

      Sorry first for all the inconvenience.

      You didn't answer the scenario about the number of computers used and our other questions. We can only guess that the admin is not (sounds obvious) on the same computer as the user. We can also only guess the flavor and hosting solution. Sugar OnDemand uses SugarIdentity and you didn't provide any information about it.

      I have never heard of this kind of scenario before, but at the same time the error message displayed means you configured the system to only use external auth.

      Did the user log in to Sugar first before using the plugin? (This one is quite important, as Sugar has to initialize some data for the user before the module can be used.) If you created the user and logged in/out with it, then you should be able to use the module without trouble.

      According to the doc (https://support.sugarcrm.com/Documentation/Sugar_Versions/10.0/Pro/Administration_Guide/Password_Management/index.html): "Once you have completed the form, you will then need to enable LDAP for users by navigating to Admin > User Management, selecting the desired user, then clicking the Advanced tab in their user profile. Enable the "LDAP Authentication Only" checkbox then click "Save". Sugar will then synchronize the user's Active Directory user name and present the password on the LDAP port. When the user next logs into Sugar, they will enter their Active Directory username and password."

      Did you try to uncheck the checkbox and see if it was working for this user? We have had customers working with LDAP and I don't remember it not working. So I guess this is related to this checkbox.

      Also, as you mention something is getting corrupted on the second computer (the user's browser cache), I guess this is not a data-related problem. I also guess from your last message that cleaning the browser fixes the user's computer and that they can log back in. For documenting the issue, what are the computer OS and browser (+ version)?

      Is the problem reproducible just by logging in/out without doing any modification?

      Am I correct with all these assertions ?

      This issue has never been reported to us before. Unfortunately, we don't have a short-term plan to look at LDAP authentication, especially if we have a working workaround.

      Of course, feel free to test any modules; we barely test all of them before creating ours, and no one was handling the situation another way. But it would be interesting to have your feedback about it.

      Best regards and sorry again for the inconvenience. IDevIT

    • eligeo (Verified Purchase), 2 years ago

      Hi there, sorry, here is more information:
      1. Admin is not on the same computer as the user.
      2. It is on-premise.
      3. System is configured to use external auth, but the admin user in this case was not external auth. The user is external auth.
      4. We have used LDAP with this client for over 5 years; it's synchronizing just fine with LDAP.
      5. We've had zero issues with LDAP configuration until installing the plugin in production and seeing this effect.
      6. This problem is reproducible; we had 5 users affected by it and immediately stopped using it. This is not a small deployment.

      I'm hoping I misunderstood your comment about "we barely test all of them". Either way, we need a plugin that is compatible with LDAP and external auth. Totally fine if you can't just say so.

    • iDevIT (Provider Affiliate), 2 years ago

      Hello, and thanks for your many answers. I have one more request that I know you are not willing to do, but that could help me refine the symptoms and understand where to look.

      If you uncheck the "external auth only" option in User Management for a particular user, can he/she still log in after you used the module?

      I highly suspect that only this checkbox breaks the login/session monitoring behavior, because our module has been working for the last 10 years; we only updated it to work with the sidecar/Sugar7+ framework.

      Hope you will be able to do the test with us.

      Regards iDevIt

    • eligeo (Verified Purchase), 2 years ago

      I'm honestly not willing to do it, as it does impact users. While I appreciate it's worked for 10 years, Sugar has changed drastically, and even more so with SugarIdentity.

      Are you able to configure an LDAP server and run some tests with your code? I'm not interested in doing testing until we know it's been proven to work. There are a number of online LDAP options you can use to do this. If not, we'll need to review other add-ons. Not a big deal, just need to know the direction you're going to go with this.

    • iDevIT (Provider Affiliate), 2 years ago

      Hello,

      The idea was to test for a few minutes to focus on the root cause. But I take your point: you can't/don't want to track the issue, and we will have to dig on our own.

      The best solution for you as of today is to ask for a refund from my friends at SugarOutfitters. They will grant it without question, no worries about it.

      You'll then be able to review other add-ons.

      In the meantime, I will edit the documentation and warn that the solution is not working with LDAP support + external auth only. If we get time to test using LDAP support, we will update the solution here.

      Best regards and sorry for the inconvenience. IDevIT

  3. eligeo (Verified Purchase), 2 years ago

    Hi there,

    We've been doing some digging, including contacting Sugar Support. There is one area I believe may have caused a user to be logged out. We saw that you're using the oauth endpoint in the code. There is a thought that maybe the "platform" specification may be causing the user to be logged out, based on this comment from Sugar Support:

    "One thing to be mindful of is that you are passing a unique "platform" with the sudo request, otherwise it will default to "base", which is the one a user will use when navigating Sugar using a browser. If your API request is also using platform "base", or if this parameter is left blank (it will default to "base"), it would invalidate any tokens the user may have and they will be logged out from the application."

    Could this potentially be part of the issue?

  4. iDevIT (Provider Affiliate), 2 years ago

    Hello Derek, thanks for the follow-up and the help in trying to dig into the issue. Unfortunately, I am really unsure about the Sugar Support answer (the "base" client is dedicated to web access, whereas the "mobile" one is dedicated to mobile application access). This indeed helps to have both the web access and the mobile app launched at the same time.

    The aim of the module is to have full access as the sudoed user to the web channel of the application; we have always used "base" auth as the model for years.

    As already stated, we really think this is linked to LDAP/external auth. We searched for a fake/free LDAP server to test: https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/

    And so we tried to create a new demo of SugarCRM OnDemand, but unfortunately, despite our tries, we didn't successfully connect Sugar to this LDAP server. I double-checked some LDAP commands on my Mac and they were working, so it appears that Sugar's demo servers do not allow connecting to an LDAP server (I suspect they are blocking any ports other than 443 on the demo server).

    For now, I haven't had a single second to look at self-hosting a Sugar instance on my dev env to take a fresh look.

    I know you didn't want to be bothered on the topic, but would you by any chance have such a working env connected to this sample LDAP server that you could share with us, in order to save time and focus on digging out the root cause please?

    Many thanks for your answer.

    • eligeo (Verified Purchase), 2 years ago

      Hi there,

      Sugar Support and ourselves have both confirmed it's not related to LDAP. We can re-create the issue without LDAP.

      Look, we are trying to help. You need to add an alternative platform during your REST calls.

      I unfortunately don't have an LDAP server for you to use, but as mentioned we've not only investigated it ourselves, we confirmed it with Sugar Support.

      We reviewed your code and saw that issue. Here is a link to platforms; it can be easily added: https://support.sugarcrm.com/Documentation/Sugar_Developer/Sugar_Developer_Guide_9.3/Architecture/Extensions/Platforms/

  5. iDevIT (Provider Affiliate), 2 years ago

    Hi Derek / Eligeo team,

    Please be assured we are thankful for the message and the help provided. But to our knowledge, the module is still working as expected.

    As YouTube doesn't want to let me upload the video, please find a link recorded tonight using Sugar 10.0.1 under PHP 7.3: http://localhost:8888/SugarEnt10-0-1/index.php#Home/144adab2-8bc9-11ea-abca-a860b631b572

    • You will see admin account on the right side of the screen
    • regular user "test" on the left

    I created some dummy accounts using the test user, then under admin, logged in as test and created more dummy accounts. Then on the left side, I am still logged in; I can navigate, browse records, log out, log back in.

    On the admin session, I log out as the user to be back in my admin session. I can still log out/log in using my regular user.

    So without LDAP this is just working fine.

    I will now have a look at whether I can connect this damned LDAP server to my Sugar instance and let you know.

    • eligeo (Verified Purchase), 2 years ago

      I understand, and we can log in to some accounts without issue, but there are issues with some accounts. This isn't relegated to just LDAP. After discussions with Sugar Support (and we are an Advanced Partner with certified developers on staff), it does appear the platform specification in the API call is missing. This would explain the inconsistent behaviour we are seeing.

      We can make the adjustments ourselves, but it’s probably best that comes on your end for others.

    • iDevIT (Provider Affiliate), 2 years ago

      Hello,

      I see we have the same certificates from Sugar University pinned on the walls :) Also, in your last sentence you mention that the plugin is working just fine with some users (also connected to LDAP?) whereas others are not working correctly?

      That is really interesting, because this kicks the LDAP issue out of scope.

      We really doubt the idea of creating another "platform", which is outside the purposes of the module. Over the last week I spent almost all my time trying to have a working Sugar environment that could connect to LDAP servers (MAMP on Mac is KO; my WAMP installation on my Windows machine breaks when entering the licence on Sugar Ent 10.0.1).

      I am continuing to dig, but for now, no clue on the question.

      I agree that solving the issue here definitively is better than you fixing it on your own side, but until now I don't have any clue on how to fix it.

      Do you have a list of common settings for the affected users on your customer instance?

      Regards iDevIT

    • eligeo (Verified Purchase), 2 years ago

      Sounds good. We weren't trying to "compare" so much as I wanted you to know that we're not just throwing nonsense at you, is all.

      I realize you doubt that, but if you use the same platform with the same token, that token is invalidated using the oauth2 login.

      Sugar confirmed that the following code from your file sudoLogin-chooseuser.js (line 107): `app.api.call('create', app.api.buildURL('oauth2/sudo/'+userName), {}, {`

      This call will invalidate the authentication token for user "userName". They would need to log in again.

      If you add a custom platform in here, call it "sudologin" or whatever, this won't happen. If you don't specify a platform, it will default to "base", which is what is used to log in to Sugar.
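      To make the token behaviour described in this thread concrete, here is an added example (not iDevIT's plugin code and not Sugar's implementation). It models the rule Sugar Support describes, one live token per (user, platform) pair, so that a sudo request with the default platform "base" revokes the token the user's browser holds, while a sudo request carrying a dedicated platform name such as "sudologin" leaves it intact. The `TokenStore` class, the token format and the `sudo` helper are constructed for illustration; `buildSudoCall` shows the assumed shape of the corrected sidecar call, with the platform passed in the data argument that the quoted line 107 leaves as `{}`.

```javascript
// Added illustration: a toy model of "one active token per user and platform".
// Constructed for this thread; Sugar's real token store is not this code.
class TokenStore {
  constructor() {
    this.active = new Map(); // "user|platform" -> current token
    this.revoked = [];       // tokens invalidated by a later issue()
    this.counter = 0;
  }

  // Issue a token for (user, platform). Any token already active for that
  // same pair is revoked, which is the behaviour Sugar Support describes.
  issue(user, platform = 'base') {
    const key = `${user}|${platform}`;
    const previous = this.active.get(key);
    if (previous) this.revoked.push(previous);
    const token = `tok-${++this.counter}-${user}-${platform}`;
    this.active.set(key, token);
    return token;
  }

  isValid(token) {
    return [...this.active.values()].includes(token);
  }
}

// Models POST oauth2/sudo/:user_name: an admin obtains a token as userName.
// A missing body.platform falls back to 'base', as the thread states.
function sudo(store, adminToken, userName, body = {}) {
  if (!store.isValid(adminToken)) throw new Error('admin token is not valid');
  const platform = body.platform || 'base';
  return store.issue(userName, platform);
}

// Scenario reported by eligeo: platform omitted, so the user's browser token dies.
function sudoWithoutPlatform() {
  const store = new TokenStore();
  const adminToken = store.issue('admin', 'base');
  const userToken = store.issue('test', 'base'); // user logged in via browser
  sudo(store, adminToken, 'test');               // defaults to 'base'
  return store.isValid(userToken);               // false: user is logged out
}

// Fix suggested in the thread: a dedicated platform keeps both tokens alive.
function sudoWithPlatform() {
  const store = new TokenStore();
  const adminToken = store.issue('admin', 'base');
  const userToken = store.issue('test', 'base');
  const sudoToken = sudo(store, adminToken, 'test', { platform: 'sudologin' });
  return store.isValid(userToken) && store.isValid(sudoToken); // true
}

// Assumed shape of the corrected sidecar call: the third argument of
// app.api.call (shown as {} on the quoted line 107) carries the platform.
// `app` is the sidecar application object; 'sudologin' is the name eligeo suggested.
function buildSudoCall(app, userName, platform = 'sudologin') {
  return {
    method: 'create',
    url: app.api.buildURL('oauth2/sudo/' + userName),
    data: { platform },
  };
}

module.exports = { TokenStore, sudo, sudoWithoutPlatform, sudoWithPlatform, buildSudoCall };
```

      Per the Platforms documentation linked above, a custom platform name has to be registered with Sugar before a token can be issued for it, so naming it in the request is only half of the change; the model here assumes that registration has been done.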

    • eligeo (Verified Purchase), 2 years ago

      And sorry, here is the answer to your last question. There are no real setting changes for the user other than LDAP when we have it turned on. Everything else is fairly default.

  6. iDevIT (Provider Affiliate), 2 years ago

    Sorry, the link was broken: https://fromsmash.com/XpQvWcI.0W-ct

  7. iDevIT (Provider Affiliate), 2 years ago

    Version 2.2 has been pre-released for eligeo in order to double-check that the problem was solved. Thanks for your support, eligeo team.
