[MOD] LDAP Authentication

Comments

  • Thane;38970 said:
    Normally the ldap table should be created automatically, yes.
    Where did you encounter that error? Seems I've forgotten checking that on that page. If you log into SCP it should be created.
    I don't have any other MOD installed.

    Tables weren't created automatically. I am getting error "DB Error #1146

    [SELECT ldap.* FROM ost_ldap_config ldap;]

    Table 'support.ost_ldap_config' doesn't exist

    Can I get the details of the table or better if I can get SCRIPT?

    Thanks in advance.
    Thanks for helping out.


    Update:
    I have removed all the files and uploaded all the files back.

    Looks like now the tables have been created. Maybe the script didn't run last time.

    Thanks again for your support.

    Cheers
  • rishidawar;38971 said:

    I have removed all the files and uploaded all the files back.

    Looks like now the tables have been created. Maybe the script didn't run last time.

    Thanks again for your support.

    Cheers
    Argh, and I've just created a patch to test :D
    Glad that it runs for you now.
  • Hello again, I have encountered a problem, not sure where my problem exists:
    When I change to 636/SSL I get the following error message during LDAP Test:
    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "ldaps://SERVERFQDN:636"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    binding to ldap with "user@domain.ext" and his password
    Can't contact LDAP server
    errno: -1
    Cannot authenticate with LDAP server.
    If I try to connect to LDAP Server by Softerra LDAP Browser, it uses the exact same phrase as it is shown above, but it works. Any idea what is going wrong? Corp Domain and Username are removed, but exist and are working.
    Certificate on server is available and valid.
  • Luzifer;38977 said:
    Hello again, I have encountered a problem, not sure where my problem exists:
    When I change to 636/SSL I get the following error message during LDAP Test:
    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "ldaps://SERVERFQDN:636"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    binding to ldap with "user@domain.ext" and his password
    Can't contact LDAP server
    errno: -1
    Cannot authenticate with LDAP server.
    If I try to connect to LDAP Server by Softerra LDAP Browser, it uses the exact same phrase as it is shown above, but it works. Any idea what is going wrong? Corp Domain and Username are removed, but exist and are working.
    SSL requires you to add the openssl extension to php and set up your openldap configuration correctly.

    Instructions for Windows: I don't have any instructions for linux, sorry. Perhaps someone else here can help you with that.
  • Nope, Windows is fine, I'm on Windows. :) I will check, thank you very much! It is around get a connect to an active directory. And if I don't use SSL, it works, but I don't want to send the passwords unencrypted for login to LDAP Server.

    Update: I followed the steps from http://greg.cathell.net/php_ldap_ssl.html, as far as possible, as the Certificate already exists, but it still does not work. Is there any possible way to see why it cannot reach the LDAP-Server?
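The "Can't contact LDAP server" / errno -1 result above is reported both when the port is unreachable and when the TLS handshake fails. As an added example (not part of the thread or of the mod), this Python probe, run from the web server host, reports which stage fails; `probe_ldaps` is a hypothetical name, and `SERVERFQDN` and the CA path are the placeholders that appear in the thread.

```python
import socket
import ssl


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'ca-file', 'tls-verify', 'tls' or 'ok'."""
    # Stage 1: plain TCP reachability (firewall, wrong port, service down).
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))
    try:
        # Stage 2: load the CA that issued the LDAP server's certificate.
        # With cafile=None the operating system's trust store is used.
        try:
            ctx = ssl.create_default_context(cafile=cafile)
        except (ssl.SSLError, OSError) as exc:
            return ("ca-file", str(exc))
        # Stage 3: handshake with chain and host name verification enabled.
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return ("ok", "%s, subject=%s" % (tls.version(), subject))
        except ssl.SSLCertVerificationError as exc:
            return ("tls-verify", exc.verify_message)
        except (ssl.SSLError, OSError) as exc:
            return ("tls", str(exc))
    finally:
        raw.close()


if __name__ == "__main__":
    # Placeholders taken from the thread; replace with the real values.
    print(probe_ldaps("SERVERFQDN", cafile=r"C:\openldap\sysconf\ca.pem"))
```

A `tls-verify` result names the certificate problem (unknown issuer, host name mismatch, expiry), which the PHP error does not show.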
  • I've received positive feedback from the testers of our new osTicket with SSO. One request was to add back the ability to open a ticket on another user's behalf for those times when the requester can't or won't do it themselves. Can we add a button on the "Open a New Ticket" dialog to enable changing the Full Name and email address?

    Second thing - when a user creates a new ticket, their phone number doesn't show up in the phone field on the My Tickets page.
  • Hi

    I've just installed a brand new osTicket 1.7 on a new EasyPHP server on a Windows 7 workstation

    Did the setup, installed your V8 mode, filled all the LDAP settings

    but when I want to enable, I have an HTTP error 500

    Any idea?
  • Luzifer;38983 said:

    Update: I followed the steps from http://greg.cathell.net/php_ldap_ssl.html, as far as possible, as the Certificate already exists, but it still does not work. Is there any possible way to see why it cannot reach the LDAP-Server?
    You have to use the ca certificate that certified the ldap server you use.

    This is the content of my ldap.conf
    TLS_REQCERT never
    TLS_CACERT C:\openldap\sysconf\ca.pem

    Maybe try to use another php based ldaps capable program to connect. Apart from that I have no ideas at the moment.
    CotterPin;39001 said:
    Can we add a button on the "Open a New Ticket" dialog to enable changing the Full Name and email address?
    If you don't force clientlogins that functionality is already there. You have to click on the guest ticket creation button or link to the open.php directly. When you do that you also have to make sure that there is no valid session at that moment. The users must type the email correctly, else you'll have problems addressing those tickets. If I remember correctly the emails in the database are case sensitive.
    CotterPin;39001 said:

    Second thing - when a user creates a new ticket, their phone number doesn't show up in the phone field on the My Tickets page.
    If the phone field in ldap returns the correct value you could try to set the extension length to zero. You would have to delete all tickets of the user to get test results.
    realbuzz;39009 said:
    Hi

    I've just installed a brand new osTicket 1.7 on a new EasyPHP server on a Windows 7 workstation

    Did the setup, installed your V8 mode, filled all the LDAP settings

    but when I want to enable, I have an HTTP error 500

    Any idea?
    Please check if the ldap extension is enabled on that server. If that's the case please post the php error that you get.
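`TLS_REQCERT never` in the ldap.conf quoted above tells the OpenLDAP client library not to request or check the server certificate, so the LDAPS session is encrypted but the server is not authenticated. As an added example (not part of the thread or of the mod; `audit_ldap_conf` and the sample strings are constructed here), this Python check flags that setting and shows the same file passing with `TLS_REQCERT demand`.

```python
# TLS_REQCERT levels under which a bad or missing server certificate
# does not stop the session (ldap.conf(5)).
UNENFORCED = {"never", "allow"}
KNOWN = UNENFORCED | {"try", "demand", "hard"}

# Constructed samples: the settings quoted in the post above, and a variant
# that keeps the same CA file but enforces verification.
FROM_POST = "TLS_REQCERT never\nTLS_CACERT C:\\openldap\\sysconf\\ca.pem\n"
ENFORCED = "TLS_REQCERT demand\nTLS_CACERT C:\\openldap\\sysconf\\ca.pem\n"


def audit_ldap_conf(text):
    """Return a list of findings for the TLS options in ldap.conf content."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)
        # Option names are case-insensitive; in this sketch a later line
        # overwrites an earlier one.
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    level = opts.get("TLS_REQCERT", "demand").lower()  # demand is the default
    if level not in KNOWN:
        findings.append("TLS_REQCERT %r is not a known level" % level)
    elif level in UNENFORCED:
        findings.append("TLS_REQCERT %s: the server certificate is not "
                        "enforced, so the server is not authenticated" % level)
    if not (opts.get("TLS_CACERT") or opts.get("TLS_CACERTDIR")):
        findings.append("no TLS_CACERT or TLS_CACERTDIR: no CA file or "
                        "directory is configured for verification")
    return findings


if __name__ == "__main__":
    for name, conf in (("from post", FROM_POST), ("enforced", ENFORCED)):
        print(name, audit_ldap_conf(conf) or "no findings")
```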
  • Now it works, I have to move ldap.conf to C:\ldap.conf. That was all. Now SSL encrypted LDAP is working fine, seems it is new path for Apache/2.4.4 (Win64) OpenSSL/1.0.1e PHP/5.4.14
  • Hi everyone!

    First, big thanks to Thane for all your work on this, it's been a life saver, and to the others who have been extensively testing - I've been following closely through all the versions and have managed to get it all working which is great :)

    My question is - am I able to change the labels for 'User/E-Mail Address' and 'Password/Ticket ID' on the login.php (login.inc.php), line 14.
    I want them to simply say

    Username
    Password

    As users are getting confused by trying to enter their email.

    Apologies if this is simple, but I keep getting syntax wrong, and I'm not sure if it will break the LDAP!

    Thanks
    Matt
  • @Matt
    To get the results you want change the line
    <label for="email"><?php echo LDAP::ldapClientActive()?'User'.'/'.'E-Mail Address':'E-Mail Address';?>:</label>

    To
    <label for="email">User:</label>

    And the line
    <label for="ticketno"><?php echo LDAP::ldapClientActive()?'Password'.'/'.'Ticket ID':'Ticket ID';?>:</label>

    To
    <label for="ticketno">Password:</label>


    I'll add an option in the next patch (may take a while) to do that.
  • Thane;39110 said:
    @Matt
    To get the results you want change the line
    <label for="email"><?php echo LDAP::ldapClientActive()?'User'.'/'.'E-Mail Address':'E-Mail Address';?>:</label>

    To
    <label for="email">User:</label>

    And the line
    <label for="ticketno"><?php echo LDAP::ldapClientActive()?'Password'.'/'.'Ticket ID':'Ticket ID';?>:</label>

    To
    <label for="ticketno">Password:</label>


    I'll add an option in the next patch (may take a while) to do that.
    Thanks Thane! That's awesome! Sorry, I realise it was relatively simple, just not 100% with PHP :)
  • I do the same as is described above, but all the same leaves:
    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "*******" and port "389"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    binding to ldap with "*******" and his password
    using the filter: "(&(sAMAccountName=pvv))"
    calling ldap_search with the domain: "DC=***,DC=local", the Filter: "(&(sAMAccountName=pvv))" and the Attributes: "array("givenname")"
    LDAP returned field data: "Владимир"


    Debug of function ldapGetEmail():

    getting the email of user: "pvv"
    binding to ldap with "*****" and his password
    calling ldap_search with the domain: "DC=*****,DC=local", the Filter: "(&(sAMAccountName=pvv))" and the Attributes: "array("mail")"
    LDAP returned field data: "*******"


    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: "*****"
    binding to ldap with "*****" and his password
    calling ldap_search with the domain: "DC=****,DC=local", the Filter: "(&(mail=*****))" and the Attributes: "array("samaccountname")"
    LDAP returned field data: "pvv"
  • @vladsn
    Looks like the settings are correct. Seems there is an encoding mismatch in givenname. What type of encoding does your ldap return?
  • UTF-8. Or I didn't understand something?
  • True, by setting LDAP_OPT_PROTOCOL_VERSION to 3 it should return either utf8 or ascii and nothing else. But your result doesn't show anything readable. The most probable explanation would be an encoding mismatch.
    The other explanations would be the result text was reencoded when you wrote your post here. Or your webserver forces an encoding other than utf8. Do you have any users without special characters to test with, to see if the ldap mod itself behaves as expected?
  • I am using LDAP Active Directory. Connecting to an Active Directory occurs, but the output is not correct information. I changed the encoding web-server utf-8, windows-1251, unicode. Does not work with these encodings.
  • With the encoding server understood. I am interested in one question. TEST LDAP Connection must give such a result?
    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "192.168.0.3" and port "389"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    binding to ldap with "boredskiy@***.local" and his password
    using the filter: "(&(sAMAccountName=boredskiy))"
    calling ldap_search with the domain: "DC=***,DC=local", the Filter: "(&(sAMAccountName=boredskiy))" and the Attributes: "array("telephonenumber")"
    LDAP returned field data: "92-54"


    Debug of function ldapGetEmail():

    getting the email of user: ""
    binding to ldap with "boredskiy@***.local" and his password
    calling ldap_search with the domain: "DC=***,DC=local", the Filter: "(&(sAMAccountName=))" and the Attributes: "array("mail")"
    LDAP returned nothing...


    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: ""
    binding to ldap with "boredskiy@***.local" and his password
    calling ldap_search with the domain: "DC=***,DC=local", the Filter: "(&(mail=))" and the Attributes: "array("samaccountname")"
    LDAP returned nothing...
  • My result for the test user 'ostclient' in my testing domain looks like the following:

    calling ldap_connect with: "ldaps://192.168.178.40:636"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    binding to ldap with "administrator@vpg.local" and his password
    using the filter: "(&(sAMAccountName=ostclient))"
    calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(sAMAccountName=ostclient))" and the Attributes: "array("cn")"
    LDAP returned field data: "ost client"


    Debug of function ldapGetEmail():

    getting the email of user: "ostclient"
    binding to ldap with "administrator@vpg.local" and his password
    calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(sAMAccountName=ostclient))" and the Attributes: "array("mail")"
    LDAP returned field data: "ost.client@vpg.de"


    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: "ost.client@vpg.de"
    binding to ldap with "administrator@vpg.local" and his password
    calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(mail=ost.client@vpg.de))" and the Attributes: "array("samaccountname")"
    LDAP returned field data: "ostclient"


    The 'ldap returned nothing' is expected, since you've left the user field of test ldap empty. Other than that it looks alright to me. Binding seems to work and you get data from the fields.
  • But I have reason to create a new ticket is not automatically assigned a user name and e-mail. Maybe I'm doing something wrong?
  • Ok. First check with ldap diagnostic if the fields for email, first and last name return the correct data. Please do the test with a user that has only ascii content in your ldap. If you don't have such a user, create one. You can delete him after everything works.

    Please post results for all three fields here. Use the same user to create a new ticket. If that works your settings are fine. If not, we'll have to look for the error, but I'll need the results for that.

    Do not use a user that has created a ticket before, that won't work unless you delete all his tickets first.
  • Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "192.168.0.3" and port "389"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    binding to ldap with "admin@***.local" and his password
    using the filter: "(&(sAMAccountName=osticket))"
    calling ldap_search with the domain: "DC=***,DC=local", the Filter: "(&(sAMAccountName=osticket))" and the Attributes: "array("telephonenumber")"
    LDAP returned field data: "1234567"


    Debug of function ldapGetEmail():

    getting the email of user: "osticket"
    binding to ldap with "admin@***.local" and his password
    calling ldap_search with the domain: "DC=***,DC=local", the Filter: "(&(sAMAccountName=osticket))" and the Attributes: "array("mail")"
    LDAP returned field data: "osticket@mail.***.ru"


    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: "osticket@mail.***.ru"
    binding to ldap with "admin@elara.local" and his password
    calling ldap_search with the domain: "DC=***,DC=local", the Filter: "(&(mail=osticket@mail.***.ru))" and the Attributes: "array("sAMAccountName")"
    LDAP returned field data: ""

    LDAP returned field data: "" could not determine the
  • I got to connect to the AP. But now, when you connect with User - Password - connection occurs at E-mail - Ticket ID - white screen
  • I'm quite interested in using this mod for my service desk installation, however, from my looking in the files, they aren't clearly commented on which code is needed. I have other mods, so I cannot replace the files. Can anyone provide more insight on which code needs to be added/changed in which files?
  • @vladsn
    Sorry, but I can't understand what you wrote in your last post. Please provide more information (look at my previous post to see what I need), I can't help you with the bits you've written here.

    @Matteius
    I can offer a diff patch to the clean version, posting search/replace instructions here would probably take 5-6 full posts.
  • @Thane

    That would be wonderful
  • One user can't Login

    I have everything set up for ldap with no problems except one person tries to login and they can't. I have observed that when they input the credentials and click log in the url changes to tickets.php but still displays the login screen. It shows no errors. Please Help!
  • BAD;39961 said:
    I have everything set up for ldap with no problems except one person tries to login and they can't. I have observed that when they input the credentials and click log in the url changes to tickets.php but still displays the login screen. It shows no errors. Please Help!
    Does it happen on the client/customer or on staff site?
  • Thane;39962 said:
    Does it happen on the client/customer or on staff site?
    Client side