LDAP - Microsoft AD Bind error

Hi Forum,

I'm attempting to connect my osTicket to an Active Directory domain that I inherited. But I'm not able to complete the plugin configuration:

Bind failed: Strong(er) authentication required: Unable to bind to server ***Domain Controller***.actechnical.com

I've plugged in settings that I figure should be working. I'm not perfectly clear on the BIND DN name, or the Search Base fields.

The user is Help Desk, login is helpdesk. I was able to pull the FQDN from the whoami command.

Thanks for your help


Comments

  • I would presume that "Strong(er) Authentication required" would mean that either:
    You need to use TLD 
    or
    your username/password is failing.

    Try changing "Search User" to just the username of the user "actechnical"
  • Thanks for your help.

    So an update.

    Our Active Directory has been configured for enhanced security, meaning that it requires a secure connection for LDAP authentications. Outside of osTicket, I performed an ldapsearch against the AD server. This error is similar to the error that I posted earlier from the osTicket configuration of LDAP.

    ldap_bind: Strong(er) authentication required (8)
    additional info: 00002028: LdapErr: DSID-0C090252, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1

    When I looked up this specific error code, I was led to this post:

    Essentially I need to either turn off the signing requirement on my domain, which I cannot do, or enable data signing, or communicate via SSL.

    Has this configuration been performed before?

    Thanks
  • Have you tried checking the use TLS check box right below the error?
  • Update:

    We determined that the "ldap_bind: Strong(er) authentication required (8)" requires a secure connection between client and server. As a result, we abandoned a Linux-based osTicket host, as the installation of a certificate outside of Apache exceeded our knowledge of Linux. So, we spun up an old license of Windows Server 2008 R2 and reinstalled osTicket on IIS. See attached screenshot of the system specs.

    To correct the security issue, we generated a private-key certificate from our Domain Controller, as the certificate authority. We installed that certificate onto the client. This installation guarantees a secure connection between the osTicket server and Microsoft AD (LDAP) server. When using an LDAP explorer utility, which is installed in the "Add Server Roles" feature, we were able to successfully bind to the domain controller from the box running osTicket. We confirmed that securely, LDAP is now running on port 636, instead of the default, 389.

    So now that we cleared that up, it is now time to focus on osTicket. 

    Taking what we learned about ports, we decided to modify the LDAP server string to ***LDAPServer***.actechnical.com:636.

    However, when we submit those settings the following error occurs:
    Unable to connect to ***LDAPSERVER***:636:389. Connection refused.

    Odd, that the osTicket is attempting to still connect to our server over port 389.

    After much investigation, I decided to check the ldap-auth.phar file. So I used PHP.phar to extract the phar file and I started looking. Lo and behold, when I examined the LDAP2.php file, the port, 389, was hard coded into the configuration.

    I attempted different variations of the port. Hard-coding 636, and leaving it blank.

    Ultimately, I decided to leave it blank, which means I need to add the port in the server connection string on osTicket LDAP-Auth plugin configuration. I successfully repacked the PHAR file and deployed it into the plugins directory.

    I removed the existing plugin from the page, restarted the webserver, re-added the plugin and attempted to configure it.

    Finally, when I set the configuration on the LDAP-Auth config page, I get an HTTP 500 error.

    I'm attempting to check our error logs for more information, but the server doesn't have any entries for HTTP 500 errors. I'm able to see 200 GET entries, but no errors.

    That's what I've experienced for now - tried lots of things; any help would be greatly appreciated.

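An added example, not part of the thread and not osTicket or plugin code: a small Python triage helper for the two symptoms reported above. It parses the AD diagnostic string quoted in the post (the leading hex field is a Win32 error code; 0x2028 = 8232, ERROR_DS_STRONG_AUTH_REQUIRED) and normalizes a server setting into scheme, host and port. The host `dc01.example.test` and all function names are constructed, and `naive_endpoint` is an assumption about how a `host:636:389` message can arise, not a reading of the plugin source.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the "additional info" text quoted in the thread.
SAMPLE_DIAG = ("00002028: LdapErr: DSID-0C090252, comment: The server requires "
               "binds to turn on integrity checking if SSL\\TLS are not already "
               "active on the connection, data 0, v1db1")

DIAG_RE = re.compile(
    r"^(?P<code>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*), data (?P<data>[0-9A-Fa-f]+), (?P<build>\w+)$")

def parse_ad_diag(text):
    """Split an AD 'additional info' string into fields, or return None."""
    m = DIAG_RE.match(text.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["win32"] = int(fields.pop("code"), 16)  # leading field is hex
    return fields

def needs_protected_bind(fields):
    """True when the DC refused the bind for lack of signing or TLS (8232)."""
    return fields is not None and fields["win32"] == 8232

def normalize_server(setting):
    """Map 'host', 'host:port' or 'ldap(s)://host[:port]' to (scheme, host, port)."""
    s = setting.strip()
    url = urlsplit(s if "://" in s else "//" + s)
    scheme, port = url.scheme.lower(), url.port
    if not scheme:
        # No scheme given: infer LDAPS only from the conventional port 636.
        scheme = "ldaps" if port == 636 else "ldap"
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: " + scheme)
    if port is None:
        port = 636 if scheme == "ldaps" else 389
    return scheme, url.hostname, port

def naive_endpoint(setting, default_port=389):
    """Assumed failure mode: a fixed port appended to the unparsed setting."""
    return f"{setting}:{default_port}"

if __name__ == "__main__":
    print(parse_ad_diag(SAMPLE_DIAG))
    print(normalize_server("dc01.example.test:636"))
    print(naive_endpoint("dc01.example.test:636"))
```

A setting that normalizes to `ldaps` still needs the issuing CA trusted by the LDAP client library on the osTicket host, which is separate from the web server's certificate store.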