Active Directory authentication in OpenEMR 5

Ryan_Nix · March 19, 2017, 4:36pm

Hi everyone,

I’m having difficulty finding where to bind our instance of OpenEMR to our campus Active Directory. It seems to be missing under Administration/Globals. Where do I go to set this up?

https://nextcloud.sesp.northwestern.edu/index.php/s/EkaVvpilufSRPUB

Thanks!

Ryan

brady.miller · March 19, 2017, 9:13pm

Hi Ryan,

Active Directory is not supported in OpenEMR 5.0.0 (most recent release), but is supported in the development version of OpenEMR(so will be in the 5.0.1 release). Options would be to wait for release (guessing 4-6 months), use the development codebase, or use 5.0.0 and port in the code to support this. btw, the settings are in Administration->Security: http://www.open-emr.org/wiki/index.php/Administration_Globals#Use_Active_Directory

-brady
OpenEMR

Ryan_Nix · March 19, 2017, 9:25pm

Thanks, Brady. I’ll use the development version for now since we’re just testing/piloting.

brady.miller · March 19, 2017, 9:34pm

Hi Ryan,
Sounds good. This is a new feature, so let us know us how it goes.
-brady

Ryan_Nix · April 1, 2017, 12:46am

Hey Brady,

I wasn’t able to get OpenEMR 5.0.1 connected to our campus AD, and I can’t seem to find any documentation on how to do so. We use a product from Appnitro called MachForm, and they have a very slick way of authenticating against LDAP servers.

brady.miller · April 3, 2017, 7:24am

Hi @Ryan_Nix ,

Did you set the pertinent settings in OpenEMR:
http://www.open-emr.org/wiki/index.php/Administration_Globals#Use_Active_Directory

If so, are you seeing any errors in the php error log when using this feature?

thanks,
-brady

Ryan_Nix · April 3, 2017, 7:45pm

Here is what is in the error.log

PHP Notice: Undefined index: authProvider in /home/emr2/public_html/library/auth.inc on line 91, referer: http://emr2.apps.northwestern.edu/interface/super/edit_globals.php

Ryan_Nix · April 3, 2017, 7:48pm

And now I can’t login with the database account, so maybe we need some kind of fall back just in case something like this happens?

brady.miller · April 4, 2017, 9:32am

Hi @Ryan_Nix ,

That is just a benign php notice. Do you note any PHP errors in the log?

Also, can turn it off via phpmyadmin(or other mysql software) that is external to OpenEMR, by setting the use_active_directory token in the globals sql table from 1 to 0.

-brady

bbeeken · July 26, 2017, 7:36pm

I am in the same situation as Ryan. I cannot get active directory to work. I filled out those settings and as soon as i save i get logged out and cannot log back in.

bbeeken · July 26, 2017, 7:37pm

Is there an example of how the settings should look?

brady.miller · July 28, 2017, 10:25am

hi @bbeeken ,

Did you try the solution posted above to allow login again:
turn it off via phpmyadmin(or other mysql software) that is external to OpenEMR, by setting the use_active_directory token in the globals sql table from 1 to 0

-brady

brady.miller · July 28, 2017, 10:29am

Hi @bbeeken

Regarding docs, only doc is here which is minimal:
http://www.open-emr.org/wiki/index.php/Administration_Globals#Use_Active_Directory

Agree that need better docs on this. Made an issue on github for this:

-brady

bbeeken · July 28, 2017, 4:36pm

I was able to get logged back after changing that setting in the table.

bbeeken · July 28, 2017, 4:38pm

Shouldn’t there be an admin bind account somewhere. I dont see how the connection could work without having the credentials to query the Active Directory server.

Ryan_Nix · October 13, 2017, 8:24pm

Not all systems require an admin/bind account. In fact, the best way to do this is it simply pass on the authentication to the LDAP/AD server. Not sure why some applications require an auth account (Nextcloud/ownCloud) and others do not (MachForm).

bakern · October 16, 2017, 3:59pm

I followed the directions from Sharon in the ticket linked by Brady and it seems to be working for us. The key is you need to create a user first that exists in your active directory and give the user administrator permissions (if you don’t have a user named ‘admin’ in active directory already). So all users need to be created in OpenEMR first, and then password authentication is done against AD.

This is very helpful, however, we would like to make use of active directory groups as well, and possibly auto-create users if they are in a certain AD group to reduce management time. Is anyone working on anything like this yet, or would anyone be opposed to extending this functionality?

Thanks,
Nate

Ryan_Nix · November 12, 2017, 8:02pm

Bulk creating users first in OpenEMR seems tedious. It would be great if authentication were possible based on an AD group.

Davidnic · October 5, 2018, 2:08am

Hello,

I am working to test linking OpenEMR 5.0.1 to our sites Active Directory which is hosted on Windows Server. The domain is restoremedical.network. I took a look at the thread posted earlier (Need Active Directory docs · Issue #972 · openemr/openemr · GitHub); I have attempted to use the following settings:

But every time I go to login I get this:

Can anyone elaborate on setting this up?

jesdynf · October 6, 2018, 5:17am

I can’t help you directly, but the Apache error logs should discuss why PHP is unhappy, and that might be enough to get you going – if it isn’t, paste the relevant snippet and we’ll go from there.