Change of password for client when using LDAP auth

Hi,
we are using osTicket where our clients log in using LDAP auth (osTicket 1.10, LDAP auth 0.6.3, Fedora 25, OpenLDAP 2.4.44).

Everything works, except one little thing. Users can't change their password. osTicket doesn't give any error when I try to change the password as a client. My guess would be that something is not set on the OpenLDAP server, but I'm not sure what it is.

Has anybody run into the same issue? Any advice, please?

Thanks.

Regards,
Richard Bukovansky
Comments

  • osTicket is happy to let you authenticate against LDAP/AD/etc. However, it does not and will not push back to the server on password changes. The devs view that as a potential security risk. Changing the password in osTicket only changes the local account password (which is used if the LDAP/AD connection is down for some reason if the person is set to any authentication back end).
  • I was under the impression that when you use LDAP it's just syncing the data from your domain environment so it has the details hashed on the third party's db. But when making a password change, it's done within the domain environment, so usually from the user's desktop. I may be missing something or completely off, but that's what I thought.
  • You are correct @Synt4xError
  • edited March 2017
    Well, it can be a risk, but not in my case.

    1) I do have a separate LDAP server (OpenLDAP) just for clients, because I would like to share their login information between osTicket and 2 other sites (Grav CMS sites with LDAP login), so clients then don't need to have 3 separate accounts. But if they change their password and it's not propagated to the LDAP server, then I'm screwed.

    2) It's not feasible to provide any remote desktop or access to LDAP management so that our clients could change their password in LDAP. We are providing them just with the osTicket interface.

    So for me it would be much better if saving the password to LDAP, in addition to saving it to the osTicket DB, was an option.
  • First of all, I would like to thank the entire community and team for such a wonderful system. Is there any progress on the feature request by rbukovansky?

    We are a social organization with different field offices. We started to use the system with the LDAP authentication plugin, and users are always asking support to reset their password. So we are expecting password reset features for LDAP users as well.

    As mentioned by Synt4xError, users connected to the domain are able to change their password through a desktop/laptop. But the users in remote field offices are unable to do that, so they require remote password reset/modify technology. Similarly, there might be a potential security risk in pushing the password back to the server on password changes, as mentioned by ntozier. But the system is already designed to take care of that to some extent, as follows:

    1) Able to use SSL certificate in the system.

    2) Password reset link is sent to pre-defined email address on link only, and the system admin is responsible for configuring the email address of the user.

    3) Password reset link is active for a predefined time period and it also disabled after us

    4) Password modification uses secure hash algorithms to create it.

    And I think such a password modification option should be available as an option to LDAP plugin users. For that feature, there should be an option in the LDAP plugin for whether the system admin permits password reset/modify/change for LDAP users as well.

    That additional feature would be a great support to us. Thus, we would also like to request that additional feature in the LDAP Authentication and Lookup plugin.

    Thank you and regards,

    SD_Tech

  • I found a nice solution for resetting passwords for LDAP users. Here is the link for the project:

    https://ltb-project.org/download#self_service_password

    I have integrated that code/project into the osTicket system.

    Hope it will be useful for anyone who needs it.

    Thank you
    SD_Tech

  • Thanks for following up and letting us know. If you want, post in the Mods and Customization section of the forums with your updated code; someone else might find it useful.