Replacing nusoap and curl using NTLM auth for sugar 12.0.3


We are upgrading a customer from 11.x to sugar 13, but in 12.0.3 Nusoap has been removed. The customer is also using NTLM authentication for their soap connection. I am having troubles finding documentation covering this scenario. I have found that we should replace Nusoap with the sugarcrm \SoapClient, but no clear documentation found how to implement this soapclient and wether it is possible to get NTLM authentication to work.

Besides NuSoap, the customer also uses curl with NTLM authentication, which should also be replaced I asume. 

Any tips where to start?



  • Hi ,

    Yes, we did remove Nusoap and advise everyone against using it. I'm assuming your NTLM auth is a custom code you need to rewrite for 13.0 is that correct? I would advise you to look into our native LDAP integration, if you are in SugarCloud, we have a few more options with SugarIdentity. If you need really need to rewrite your code, you could look into PHP's native SoapClient (I don't believe we have a Sugarcrm\SoapClient we support at this point).

    You can create a client like:

    $this->client = new \SoapClient(<your soap server> . '?wsdl', $params);

    For cURL, you have to replace it with ExternalResourceClient.

    SugarCRM | Principal Developer Advocate

  • Hi Rafael Fernandes,

    Thank you for your reply!

    "I'm assuming your NTLM auth is a custom code you need to rewrite for 13.0 is that correct"

    - That is correct. Changes in Sugar are syncing data to other backed systems.

    "I would advise you to look into our native LDAP integration"

    - It is an on-premise environment, I will discus this option with the system administrator. Would it also be possible to use this LDAP integration in our code to connect to their backend?

    "you could look into PHP's native SoapClient"

    - All the sample code I could find on implementing NTLM in PHP relies on cURL. Which is discouraged. Or am I missing something?

    "For cURL, you have to replace it with ExternalResourceClient.".

    - The ExternalResourceClient does not support NTLM, or am I missing something?



  • Hi

    I have discussed this with our admins, but we are not entirely sure how the LDAP integration would work. As far as we are aware, LDAP might work for incoming requests, but not for outgoing requests, right?

    According to the system admin their server also supports Kerberos authentication, but I think this is also not supported by the ExternalResourceClient and requires me to use cURL for my requests?



  • Hi ,

    ExternalResourceClient is our HTTP client, it is equivalent to cURL for Sugar, it doesn't have any logic in it other than dealing with HTTP transport, whatever you need to do in cURL, use ExternalResourceClient instead.

    You can configure your Active Directory to accept LDAP authentication, so Sugar will use that connection to authenticate its users against. In fact, it will always be "outbound requests" as Sugar goes to LDAP and tried to authenticate (username+password) and LDAP provides a handshake with OK/NOK for those credentials..

    Perhaps you can explain better what you're trying to achieve so we can better assist you!?

    SugarCRM | Principal Developer Advocate

  • Hi !

    First of all, thanks for the time and effort you put in answering my questions. 

    I will simplify the question. So I have this piece of code:

    $ch = curl_init ();
    curl_setopt ( $ch, CURLOPT_URL, $this->wsdl );
    curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, 1 );
    curl_setopt ( $ch, CURLOPT_TIMEOUT, 5 );
    curl_setopt ( $ch, CURLOPT_CONNECTTIMEOUT, 5 );
    curl_setopt ( $ch, CURLOPT_FOLLOWLOCATION, true );
    curl_setopt ( $ch, CURLOPT_HTTPAUTH, CURLAUTH_NTLM );
    curl_setopt ( $ch, CURLOPT_USERPWD, ":" );
    curl_setopt ( $ch, CURLOPT_UNRESTRICTED_AUTH, true );
    curl_setopt ( $ch, CURLOPT_HTTPHEADER, $headers );
    curl_setopt ( $ch, CURLOPT_POSTFIELDS, $fields );
    $response = curl_exec ( $ch );

    and I have to replace it with:

    $response = (new ExternalResourceClient(5))->post($this->wsdl, $fields, $headers);

    Besides the url, body/fields, headers and timeout, I am missing many cURL params, which I can not set in the ExternalResourceClient. I figured out some of them are not needed, but I do not think I can ignore CURLAUTH_NTLM and hope the connection will work afterwards...

    If NTLM is not an option, how would I implement LDAP authentication for this request?