LDAP plugin issues


Hello,

we are successfully using osTicket in one installation without a central directory. Currently we have to deploy one more instance of it, but the strong requirement is to interface it to an existing LDAP user base. So we proceeded with a new install and addition of the "auth-ldap" plugin.

All the prerequisites were preinstalled, the installation went on without any glitches, and in the end "auth-ldap.phar" plugin was added. These are the technical details of our installation:

OS: Centos 7 (1611)
Mysql: mysql-community-server-5.6.35-2.el7.x86_64
PHP: php-5.4.16-42.el7.x86_64
osTicket: 1.10
auth-ldap.phar plugin: 0.6.3

LDAP server: openldap-2.4.40-13.el7.x86_64 (no anon bind, ldaps with K5 backend responding at port 636).
This server works perfectly with SSSD on many nodes and, among other uses, provides authentication
for a Dokuwiki web site running on the same host where osTicket was just installed.

This is how our typical user is defined inside LDAP:
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=testus
# requesting: ALL
#

# testus, Users, example.com
dn: uid=testus,ou=Users,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testus
cn: Andy
sn: Apple
displayName: Andy Apple
uidNumber: 16055
gidNumber: 21003
loginShell: /bin/tcsh
homeDirectory: /home/testus
telephoneNumber: 008189934
mail: andy.apple@example.com

The installation and enablement of auth-ldap.phar went smoothly, and we were able to obtain the green message after configuring the plugin. To get this green message, we had to specify "ldaps://ldap.example.com" in place of "ldap.example.com:636". The binddn and its password worked without problems. So far so good.

Finally, I've tried to log in to osTicket using the existing LDAP user and its password. This did not work and the web server reported this error:

[Fri Jan 06 22:05:14.785323 2017] [:error] [pid 21277] [client 192.168.13.27:53379] PHP Fatal error:  Call to a member function bind() on a non-object in phar:///var/www/html/tt/include/plugins/auth-ldap.phar/authentication.php on line 220, referer: https://ticket.example.com/login.php

Digging a bit, I've discovered that this problem was occurring in the "getConnection" function inside "authentication.php"; specifically, some of the "defaults" array entries were undefined before executing "bind" within this fragment of code:

        foreach ($this->getServers() as $s) {
            $params = $defaults + $s;
            $c = new Net_LDAP2($params);
            $r = $c->bind();
            if (!PEAR::isError($r)) {
                $connection = $c;
                return $c;
            }
        }

So I have set these:

$defaults['port'] = 636;
$defaults['starttls'] = false;
$defaults['binddn'] = 'uid=bindus,ou=Users,dc=example,dc=com';
$defaults['bindpw'] = 'bindpassword';
$defaults['basedn'] = 'dc=example,dc=com';

Then I added 'LDAP_OPT_PROTOCOL_VERSION' => 3 into $defaults['options']
(this setting is successfully used for Dokuwiki authentication on the same box).

After that, the error message did not appear anymore, and the authentication process went much further. But the user was still not accepted ("Access denied" message). I then redefined the RFC-2307 schema as follows:

        // A general approach for RFC-2307
        '2307' => array(
            'user' => array(
                'filter' => '(objectClass=posixAccount)',
                'first' => 'cn',
                'last' => 'sn',
                'full' => array('displayName'),
                'email' => 'mail',
                'phone' => 'telephoneNumber',
                'mobile' => 'telephoneNumber',
                'username' => 'uid',
                'dn' => 'uid={username},{search_base}',
                'search' => '(&(objectClass=posixAccount)(|(uid={q}*)))',
                'lookup' => '(&(objectClass=posixAccount)({attr}={q}))',
            ),
        ),

And then traced the issue to this point at function "authenticate":

        if (!PEAR::isError($r))
            return $this->lookupAndSync($username, $dn);

This led me to the "lookup" function call inside lookupAndSync:

            if (!($info = $this->lookup($dn, false)))
                return;

Which finally led me to the search call defined in "include/Net/LDAP2/Search.php":

        $r = $c->search($lookup_dn, '(objectClass=*)', $opts);
        if (PEAR::isError($r) || !$r->count())
            return null;
        
So this search call ended without finding the user inside LDAP (but the bind went well with his password).

===========================================

To conclude, it seems that everything is almost working, but, most probably, I must have made some mistake with the schema definition. I will dig further, but any hint/help at this stage would be highly appreciated. We are very much impressed with osTicket (we use it at another organization), but in our current setup we absolutely need to interface it with LDAP.

Thanks ahead for your help, and best regards!

Andy.

Comments

  • Please see:

    Make sure that you also read the comments, as there is another fix in it for something else.
  • @oldapple, what are you using as the search base? I think it should be "ou=Users,dc=example,dc=com"

  • Hello Ntozier and Greezybacon, and thanks for replying!

    The link provided by Ntozier was not helpful, and the search base was correct. I was still unable to authenticate. Shortly after I asked the question, I dug further and made a fast hack that solved my issue (I badly needed to put the LDAP auth in production, and did not care too much about the way I arrived at the goal).

    I leave here now a short memo on what I did, since maybe somebody else may find it useful.

    Basically, there were three issues that I worked around, obviously not in a clean but still sufficient way:

    1) the "defaults" array did not contain the right values of binddn, bindpw and that of the search base before the non-anonymous bind attempt;

    2) my schema 2307 needed to be adjusted to our particular user LDAP entry layout;

    3) LDAP2.php also needed to have an extra bind added. These are the changes that I introduced:

    --- authentication.php.orig     2017-01-13 17:51:09.000000002 +0100
    +++ authentication.php  2017-01-13 17:50:13.000000002 +0100
    @@ -50,17 +50,17 @@
             // A general approach for RFC-2307
             '2307' => array(
                 'user' => array(
    -                'filter' => '(objectClass=inetOrgPerson)',
    -                'first' => 'gn',
    +                'filter' => '(objectClass=*)',
    +                'first' => 'cn',
                     'last' => 'sn',
    -                'full' => array('displayName', 'gecos', 'cn'),
    +                'full' => array('displayName'),
                     'email' => 'mail',
                     'phone' => 'telephoneNumber',
    -                'mobile' => 'mobileTelephoneNumber',
    +                'mobile' => 'telephoneNumber',
                     'username' => 'uid',
                     'dn' => 'uid={username},{search_base}',
    -                'search' => '(&(objectClass=inetOrgPerson)(|(uid={q}*)(displayName={q}*)(cn={q}*)))',
    -                'lookup' => '(&(objectClass=inetOrgPerson)({attr}={q}))',
    +                'search' => '(&(objectClass=*)(|(uid={q}*)(displayName={q}*)(cn={q}*)))',
    +                'lookup' => '(&(objectClass=*)({attr}={q}))',
                 ),
             ),
         );
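
Review bot: the widening from (objectClass=inetOrgPerson) to (objectClass=*) on the 'filter', 'search' and 'lookup' lines is broader than the problem needs and should be reverted: the entry quoted in the first post carries objectClass inetOrgPerson, so the original filter already matched it, whereas (objectClass=*) lets any entry under the search base (groups, service accounts, containers) satisfy a uid or cn lookup and be synced as a person. The attribute remaps ('first' to cn, 'full' to displayName, 'mobile' to telephoneNumber) are what actually fix the missing gn and mobileTelephoneNumber attributes, and since they are specific to this directory they belong in the plugin's configuration rather than in the shipped '2307' default.
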
    @@ -134,6 +134,7 @@
                 'options' => array(
                     'LDAP_OPT_TIMELIMIT' => 5,
                     'LDAP_OPT_NETWORK_TIMEOUT' => 5,
    +                'LDAP_OPT_PROTOCOL_VERSION' => 3,
                 )
             );
             if ($this->getConfig()->get('tls'))
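
Review bot: no logic problem here; this is the one change in the set that can go upstream as written, since it only forces LDAPv3 for every connection next to the existing timeout options. Add a comment on the 'LDAP_OPT_PROTOCOL_VERSION' line saying why it is there (the first post ties the bind() failure to this option being unset), so the next reader does not remove it as redundant.
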
    @@ -149,6 +150,11 @@
                 putenv('LDAPTLS_REQCERT=never');
             }
     
    +$defaults['binddn'] = $this->getConfig()->get('bind_dn');
    +$defaults['bindpw'] = Crypto::decrypt($this->getConfig()->get('bind_pw'),
    +                      SECRET_SALT, $this->getConfig()->getNamespace());
    +$defaults['basedn'] = $this->getConfig()->get('search_base');
    +
             foreach ($this->getServers() as $s) {
                 $params = $defaults + $s;
                 $c = new Net_LDAP2($params);
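
Review bot: the four added $defaults lines sit at column 0 while the surrounding code is indented inside the method, so reindent them; more importantly, because `$params = $defaults + $s;` keeps the left operand's keys, placing binddn, bindpw and basedn in $defaults means a per-server value returned by getServers() can no longer override them, and the decrypted bind password is now carried in $defaults through every server iteration. If per-server credentials are never needed, state that in a comment; otherwise set these keys on $s, or only when the key is absent.
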


    --- include/Net/LDAP2.php.orig  2017-01-13 17:52:33.000000002 +0100
    +++ include/Net/LDAP2.php       2017-01-13 17:56:10.000000002 +0100
    @@ -1077,6 +1077,10 @@
             // or a definitive failure.
             while (true) {
                 $link = $this->getLink();
    +
    +ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    +ldap_bind($link,$this->_config["binddn"],$this->_config["bindpw"]);
    +
                 $search = @call_user_func($search_function,
                                           $link,
                                           $base,
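
Review bot: the return value of ldap_bind() is discarded, so a failed rebind silently falls through to the search and reproduces the same "user not found" symptom the thread started with; check it and return an error instead. Placing the bind inside `while (true)` also repeats it on every retry and every search, and it replaces whatever identity the link was previously bound with, so this belongs at connection setup in the plugin rather than in the vendored PEAR library, where it will be lost on the next update. The two added lines are also at column 0 like the ones in authentication.php.
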


    In the end, authentication worked.
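To make issue 2 (the schema versus the real entry layout) checkable without a directory, here is an added Python example; it is not code from osTicket or the auth-ldap plugin. It loads the plugin's original RFC-2307 mapping from the '-' lines of the patch and the LDIF entry from the first post, reports which mapped attributes that entry lacks, tests whether the objectClass filter would select it, and expands the lookup template with RFC 4515 escaping of the {q} value; the parse and escape helpers are this example's own, not the plugin's.

```python
import re

# Constructed sample: the user entry quoted in the first post (LDIF, trimmed to the
# attributes the mapping looks at).
SAMPLE_LDIF = """dn: uid=testus,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testus
cn: Andy
sn: Apple
displayName: Andy Apple
telephoneNumber: 008189934
mail: andy.apple@example.com
"""

# The plugin's original RFC-2307 mapping, as on the '-' lines of the patch above.
SCHEMA_2307 = {
    "filter": "(objectClass=inetOrgPerson)", "first": "gn", "last": "sn",
    "full": ["displayName", "gecos", "cn"], "email": "mail", "phone": "telephoneNumber",
    "mobile": "mobileTelephoneNumber", "username": "uid",
    "lookup": "(&(objectClass=inetOrgPerson)({attr}={q}))",
}

def parse_ldif(text):
    """One LDIF entry -> {attribute (lower-cased): [values]}; '#' comments and blanks skipped."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def missing_attributes(schema, entry):
    """Single-attribute mappings the entry cannot satisfy; those fields sync as empty."""
    single = ("first", "last", "email", "phone", "mobile", "username")
    return sorted(a for a in (schema[k] for k in single) if a.lower() not in entry)

def matches_filter(schema, entry):
    """Would the schema's filter, e.g. '(objectClass=inetOrgPerson)', select this entry?"""
    attr, value = re.fullmatch(r"\((\w+)=(.+)\)", schema["filter"]).groups()
    return value == "*" or value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

# RFC 4515 escaping for the {q} placeholder (hypothetical helper: PHP 5.4 as used on the
# page has no ldap_escape(), so whatever fills {q} must neutralise '*', '(', ')' and '\\').
_FILTER_ESC = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
def escape_filter(value):
    return "".join(_FILTER_ESC.get(c, c) for c in value)

def build_lookup(schema, attr, q):
    return schema["lookup"].replace("{attr}", attr).replace("{q}", escape_filter(q))
```

Run against the sample entry, matches_filter() is True with the original inetOrgPerson filter, so only the attribute remaps were needed, and missing_attributes() names gn and mobileTelephoneNumber as the fields that would sync empty.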
