Active Directory authentication in OpenEMR 5


(Ryan Nix) #1

Hi everyone,

I’m having difficulty finding where to bind our instance of OpenEMR to our campus Active Directory. It seems to be missing under Administration/Globals. Where do I go to set this up?

https://nextcloud.sesp.northwestern.edu/index.php/s/EkaVvpilufSRPUB

Thanks!

Ryan


(Brady Miller) #2

Hi Ryan,

Active Directory is not supported in OpenEMR 5.0.0 (most recent release), but is supported in the development version of OpenEMR (so will be in the 5.0.1 release). Options would be to wait for release (guessing 4-6 months), use the development codebase, or use 5.0.0 and port in the code to support this. btw, the settings are in Administration->Security: http://www.open-emr.org/wiki/index.php/Administration_Globals#Use_Active_Directory

-brady
OpenEMR


(Ryan Nix) #3

Thanks, Brady. I’ll use the development version for now since we’re just testing/piloting.


(Brady Miller) #4

Hi Ryan,
Sounds good. This is a new feature, so let us know how it goes.
-brady


(Ryan Nix) #5

Hey Brady,

I wasn’t able to get OpenEMR 5.0.1 connected to our campus AD, and I can’t seem to find any documentation on how to do so. We use a product from Appnitro called MachForm, and they have a very slick way of authenticating against LDAP servers.


(Brady Miller) #6

Hi @Ryan_Nix ,

Did you set the pertinent settings in OpenEMR:
http://www.open-emr.org/wiki/index.php/Administration_Globals#Use_Active_Directory

If so, are you seeing any errors in the php error log when using this feature?

thanks,
-brady


(Ryan Nix) #7

Here is what is in the error.log

PHP Notice: Undefined index: authProvider in /home/emr2/public_html/library/auth.inc on line 91, referer: http://emr2.apps.northwestern.edu/interface/super/edit_globals.php


(Ryan Nix) #8

And now I can’t login with the database account, so maybe we need some kind of fall back just in case something like this happens?


(Brady Miller) #9

Hi @Ryan_Nix ,

That is just a benign php notice. Do you note any PHP errors in the log?

Also, you can turn it off via phpmyadmin (or other mysql software) that is external to OpenEMR, by setting the use_active_directory token in the globals sql table from 1 to 0.

-brady


#10

I am in the same situation as Ryan. I cannot get Active Directory to work. I filled out those settings and as soon as I save I get logged out and cannot log back in.


#11

Is there an example of how the settings should look?


(Brady Miller) #12

hi @bbeeken ,

Did you try the solution posted above to allow login again:
turn it off via phpmyadmin (or other mysql software) that is external to OpenEMR, by setting the use_active_directory token in the globals sql table from 1 to 0

-brady


(Brady Miller) #13

Hi @bbeeken

Regarding docs, only doc is here which is minimal:
http://www.open-emr.org/wiki/index.php/Administration_Globals#Use_Active_Directory

Agree that need better docs on this. Made an issue on github for this:

-brady


#14

I was able to get logged back after changing that setting in the table.


#15

Shouldn’t there be an admin bind account somewhere? I don’t see how the connection could work without having the credentials to query the Active Directory server.


(Ryan Nix) #16

Not all systems require an admin/bind account. In fact, the best way to do this is to simply pass on the authentication to the LDAP/AD server. Not sure why some applications require an auth account (Nextcloud/ownCloud) and others do not (MachForm).
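
The direct-bind pattern discussed in the post above (no service account; the application binds to AD as the user who is logging in), as an added example that is not part of the thread and is not OpenEMR's code. The host `ldaps://dc.example.test`, the suffix `@example.test`, the function name and the `$localUsers` list are assumptions; it needs PHP's `ldap` extension.

```php
<?php
// Added example, not OpenEMR code. Host, domain and function name are hypothetical.
const AD_URI    = 'ldaps://dc.example.test';  // placeholder domain controller
const AD_SUFFIX = '@example.test';            // placeholder UPN suffix

/**
 * Direct-bind check: returns true only if AD accepts $username/$password.
 * $localUsers stands in for the application's own user table, for setups
 * where the account must already exist locally before AD is consulted.
 */
function adDirectBindAuth(string $username, string $password, array $localUsers): bool
{
    // Restrict the name so it cannot carry a different domain or DN syntax.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    // An empty password turns the request into an LDAP "unauthenticated bind",
    // which many directory servers answer with success. Reject it up front.
    if ($password === '') {
        return false;
    }
    // No local account, no directory lookup.
    if (!in_array(strtolower($username), $localUsers, true)) {
        return false;
    }

    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Bind as the user (userPrincipalName form). '@' suppresses the PHP warning
    // on bad credentials; the boolean result is the authentication decision.
    $ok = @ldap_bind($conn, $username . AD_SUFFIX, $password);
    if (!$ok) {
        error_log('AD bind failed for ' . $username . ': ' . ldap_error($conn));
    }
    ldap_unbind($conn);
    return $ok;
}

// Constructed usage: local account names are stored lower-case.
var_dump(adDirectBindAuth('rnix', '', ['rnix']));  // empty password never reaches AD
```

A service (bind) account becomes necessary only when the application has to search the directory, for example to resolve a login name to a DN or to read group membership.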


#17

I followed the directions from Sharon in the ticket linked by Brady and it seems to be working for us. The key is you need to create a user first that exists in your active directory and give the user administrator permissions (if you don’t have a user named ‘admin’ in active directory already). So all users need to be created in OpenEMR first, and then password authentication is done against AD.

This is very helpful, however, we would like to make use of active directory groups as well, and possibly auto-create users if they are in a certain AD group to reduce management time. Is anyone working on anything like this yet, or would anyone be opposed to extending this functionality?

Thanks,
Nate


(Ryan Nix) #18

Bulk creating users first in OpenEMR seems tedious. It would be great if authentication were possible based on an AD group.


(David Nichols) #19

Hello,

I am working to test linking OpenEMR 5.0.1 to our site’s Active Directory which is hosted on Windows Server. The domain is restoremedical.network. I took a look at the thread posted earlier (Need Active Directory docs · Issue #972 · openemr/openemr · GitHub); I have attempted to use the following settings:

But every time I go to login I get this:

image

Can anyone elaborate on setting this up?


(Asher Densmore-Lynn) #20

I can’t help you directly, but the Apache error logs should discuss why PHP is unhappy, and that might be enough to get you going – if it isn’t, paste the relevant snippet and we’ll go from there.