LDAP connectivity with the openemr-6

Hello EMR Team,

I have configured LDAP with OpenEMR using the global settings, but after that I am not able to log in to OpenEMR using either its own credentials or the LDAP credentials.

How do I establish a connection between “OpenEMR-6” and LDAP?

With the demo server we are able to get LDAP to work per the instructions. However, on a live server with HTTPS (SSL) it doesn’t. Is it only configured to work for http:? Please respond ASAP.

Thanks!

Hi @Jit_Chawla, it can support TLS (SSL).

Thanks Stephen. I’m working with Jit on this and opened a new post, but figured I’d respond on here with more detail. Here’s where I’m at on figuring this out. Maybe something will jump out at you on the config?

  1. We’ve configured the globals for the LDAP server.
  2. We are using a MS Azure AD Domain Services LDAP server, which requires secure LDAP with TLS over port 636 (but I think I can reroute the port inbound).
  3. I have converted the self-signed certificate from the LDAP server into PEM form.
  4. I created directories called “ldap-ca”, “ldap-cert” and “ldap-key” in sites/default/documents/certificates.
  5. I placed the certificate PEM into both the ldap-ca and ldap-cert folders with different names, certificate.pem and cert.pem (I think I need to place it in both so it trusts the certificate? Or do I have this wrong?).
  6. I placed key.pem in the ldap-key folder.
  7. Every time we enable LDAP and try to log in we get two errors:
     #1 In the OpenEMR logs: `failure: x.x.x.x. user failed ldap authentication`
     #2 In the PHP log: `ldap TLS (ldap_start_tls()) failed`
  8. I enabled detailed debugging on line 754 of AuthUtils.php, but I’m not seeing/finding any more errors.

Googling the PHP error seems to indicate that it’s not picking up a certificate or something.

Running on XAMPP, if relevant.

Instead of creating directories, it’s looking for the files specified here or the cert file here.

Finally got this working, kind of! I created an ldap.conf file in a new directory, c:\openldap\sysconf, and added a pointer to the certificate in the file, which partially solved the problem. Once I moved the certificate from the directory buried within openemr/sites to a new directory on the root and updated the pointer, it started working. Seems like a permissioning issue somewhere within Windows and XAMPP. Not sure if just updating AuthUtils.php to look at the new directory would have worked.
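For anyone reproducing the ldap.conf fix above, here is what such a file looks like. This is an added example, not a file from OpenEMR or from the poster; the file path and CA path are assumptions, and the file name/location (c:\openldap\sysconf\ldap.conf) is the one the post says the OpenLDAP client library bundled with PHP on Windows picked up:

```text
# c:\openldap\sysconf\ldap.conf  (assumed location, per the post above)
# Trust anchor for the LDAPS server: the Azure AD DS secure-LDAP certificate in PEM form.
# Keep it outside the web root and readable by the account the web server runs as.
TLS_CACERT  C:\openldap\certs\ldap-ca.pem
# Demand a valid, trusted server certificate. Do not "fix" TLS errors by setting
# this to never/allow: that disables verification and lets any host impersonate the DC.
TLS_REQCERT demand
```

A quick way to confirm the file and the certificate are readable by the web server is to run the PHP bind code under the same Windows account XAMPP uses; a file that works from an administrator shell but not from the service account is exactly the permission problem the post describes.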

Also, for anyone trying to bind with Azure AD Domain Services, a few things:

  1. The distinguished name should be something like:
     cn={login},ou=AADDC Users,dc=AADDS,dc=[Domain],dc=com
  2. A challenge is that Azure AD DS stores the cn that you need to bind to as the display name. In our case, “first (space) last”, while our usernames are first.last@[domain].com. So I had to add a replace of “.” with “ ” in the AuthUtils.php login before passing the username off.

Edit: After further investigation, it’s simpler for Azure AD. The distinguished name for binding can just be the users’ Azure AD email/login, e.g. username@domain.com. So, depending on how you set up your users, you would put something like {login}@domain.com into the distinguished name on OpenEMR.
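The following is an added example (not OpenEMR’s AuthUtils.php and not code from the posters) showing the bind flow the thread converges on: LDAPS on port 636 with a pinned CA file, the two Azure AD DS distinguished-name templates from the post (the cn form with the dot-to-space rewrite, and the simpler {login}@domain.com form), and the diagnostics worth logging when the bind fails. The host, CA path, domain and user values are placeholders. Because the server speaks LDAPS rather than STARTTLS on 389, the connection is already encrypted after ldap_connect() and ldap_start_tls() is not called.

```php
<?php
// Added example: LDAPS bind against Azure AD Domain Services from PHP.
// All host/path/user values below are assumptions for illustration.
declare(strict_types=1);

// Substitute the OpenEMR-style {login} placeholder into a DN template.
function buildBindDn(string $template, string $login): string
{
    return str_replace('{login}', $login, $template);
}

// The thread's workaround for the cn template: Azure AD DS stores the
// display name ("first last") as cn, while logins look like first.last.
// ldap_escape() prevents a login containing ',', '=' or '+' from
// rewriting the rest of the DN.
function cnFromLogin(string $login): string
{
    $local = explode('@', $login, 2)[0];          // drop any @domain suffix
    return ldap_escape(str_replace('.', ' ', $local), '', LDAP_ESCAPE_DN);
}

// Bind over LDAPS. Returns [bool $ok, string $detail] so callers can log
// the server's reason instead of a bare "failed ldap authentication".
function ldapsBind(string $uri, string $bindDn, string $password, string $caFile): array
{
    // A simple bind with an empty password is an anonymous bind and succeeds
    // on most directories; never let that count as a user login.
    if ($password === '') {
        return [false, 'empty password rejected before bind'];
    }

    // TLS settings are global in libldap and must be set before connecting.
    // This does in code what TLS_CACERT / TLS_REQCERT do in ldap.conf.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect($uri);                    // e.g. ldaps://ldaps.example.com:636
    if ($conn === false) {
        return [false, 'malformed LDAP URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);  // AD returns referrals; chasing them hangs

    // No ldap_start_tls() here: the ldaps:// scheme already negotiated TLS.
    $ok = @ldap_bind($conn, $bindDn, $password);
    if ($ok) {
        ldap_unbind($conn);
        return [true, 'bound as ' . $bindDn];
    }

    // ldap_error() gives the generic cause (e.g. "Can't contact LDAP server" for a
    // TLS/CA problem, "Invalid credentials" for a bad DN or password); the
    // diagnostic message carries AD's detailed data code when available.
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $detail = ldap_error($conn) . ($diag !== '' ? ' (' . $diag . ')' : '');
    ldap_unbind($conn);
    return [false, $detail];
}

// --- Demonstration with constructed values (no directory needed for the DN part) ---
$login = 'jane.doe';

// Template 1 from the post: cn under the AADDC Users OU, cn = display name.
$cnTemplate = 'cn={login},ou=AADDC Users,dc=AADDS,dc=example,dc=com';
echo buildBindDn($cnTemplate, cnFromLogin($login)), PHP_EOL;
// -> cn=jane doe,ou=AADDC Users,dc=AADDS,dc=example,dc=com

// Template 2 from the edit: bind with the Azure AD UPN directly.
$upnTemplate = '{login}@example.com';
echo buildBindDn($upnTemplate, $login), PHP_EOL;
// -> jane.doe@example.com

// Actual bind, only when a server is configured via environment (assumed names).
if (($uri = getenv('LDAPS_URI')) !== false) {
    [$ok, $detail] = ldapsBind(
        $uri,
        buildBindDn($upnTemplate, $login),
        (string) getenv('LDAP_PASSWORD'),
        'C:\\openldap\\certs\\ldap-ca.pem'
    );
    echo ($ok ? 'OK: ' : 'FAIL: '), $detail, PHP_EOL;
}
```

Two checks worth running before touching OpenEMR itself: if the bind fails with "Can't contact LDAP server", the problem is the TLS trust chain or the CA file path/permissions, not the credentials; if it fails with "Invalid credentials", the DN template is wrong for how the users were created (cn versus UPN), which is the distinction the edit at the end of the post makes.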