Single Sign-On (SSO) issues / bug / question
Hi, I spent some time configuring SSO on our server and ran into some issues I wanted to share.
Here's my config:
- OS: Debian 7.5-amd64
- osTicket Version: v1.9.1 (0e29c8d)
- Server Software: Apache/2.2.22 (Debian)
- PHP Version: 5.4.4-14+deb7u10
- MySQL Version: 10.0.11 (MariaDB)
SSO configured on the OS with Kerberos/Samba/Winbind. I used the guide from Michael (Chefkeks) found here.
Plugins configured and activated:
- LDAP Authentication and Lookup (v0.5) (works fine. Logging in with AD username/pass works fine for users and staff)
- HTTP Passthru Authentication (v0.2) - tested with latest build from Jared and built from sources
I registered a domain user in osTicket with LDAP as authentication method. Logging in with domain username/pass works fine.
After activating SSO in Apache, things go wrong:
* Access control settings - Registration method: private (=what I want)
- Apache log shows Windows user (=ok)
- logging into osTicket shows user welcome page (=ok)
- clicking sign in link shows: Access Denied. Contact your help desk administrator to have an account registered for you
=> passthru works but username not recognized
* Access control settings - Registration method changed to public
- clicking sign in link now works, but what happens is that a second user account is created with the same user_id but different username and backend. Not the right behaviour:
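| id | user_id | status | timezone_id | dst | lang | username | passwd | backend | note |
|----|---------|--------|-------------|-----|------|----------|--------|---------|------|
| 7 | 50 | 9 | 15 | 1 | NULL | NULL | NULL | ldap.client | existed |
| 25 | 50 | 1 | 15 | 1 | NULL | samaccountname | NULL | NULL | added by public user registration |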
Deleting the user in the scp only removes the first user_id, which breaks things if you want to add the user again later on.
If username 'NULL' is updated to the samaccountname, all works fine.
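A consistency check for the two states reported in the post above, added here as an example and not part of the original post or of osTicket's code: it flags any user_id that owns more than one account row, and any row bound to a backend but lacking a username. The column names and the first two rows are taken from the post; the table name `account` and the third row are constructed placeholders.

```python
import sqlite3

# Columns as quoted in the post. The table name "account" is a placeholder.
SCHEMA = """CREATE TABLE account (
    id INTEGER PRIMARY KEY, user_id INTEGER, status INTEGER,
    timezone_id INTEGER, dst INTEGER, lang TEXT,
    username TEXT, passwd TEXT, backend TEXT)"""
ROWS = [
    (7, 50, 9, 15, 1, None, None, None, "ldap.client"),      # from the post
    (25, 50, 1, 15, 1, None, "samaccountname", None, None),  # from the post
    (31, 62, 1, 15, 1, None, "jdoe", None, "ldap.client"),   # constructed healthy row
]

def load(rows=ROWS):
    """Build an in-memory copy of the sample table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO account VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return db

def duplicate_user_ids(db):
    """Return (user_id, [account ids]) for users owning more than one row."""
    q = """SELECT user_id, GROUP_CONCAT(id) FROM account
           GROUP BY user_id HAVING COUNT(*) > 1 ORDER BY user_id"""
    return [(uid, sorted(int(i) for i in ids.split(",")))
            for uid, ids in db.execute(q)]

def backend_without_username(db):
    """Return ids of rows that name a backend but carry no username."""
    q = """SELECT id FROM account
           WHERE backend IS NOT NULL AND (username IS NULL OR username = '')
           ORDER BY id"""
    return [row[0] for row in db.execute(q)]

def audit(db):
    """Run both checks and return the findings."""
    return {"duplicates": duplicate_user_ids(db),
            "no_username": backend_without_username(db)}

if __name__ == "__main__":
    print(audit(load()))
```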