[MOD] LDAP Authentication

Comments

  • BAD;39963 said:
    Client side
    Ok, if the client had a successful log in and he never created a ticket before, there should be a new ticket in your db with the subject ldap_temporary. It should contain a valid email address a full name and maybe phone and phone extension. Phone and phone extension are not important for now.
    If he already created a ticket or email and/or full name are missing in the ldap_temporary you'll have to check via the ldap diagnostics if the fields return any valid data for that user.
  • Thane;39964 said:
    Ok, if the client had a successful log in and he never created a ticket before, there should be a new ticket in your db with the subject ldap_temporary. It should contain a valid email address a full name and maybe phone and phone extension. Phone and phone extension are not important for now.
    If he already created a ticket or email and/or full name are missing in the ldap_temporary you'll have to check via the ldap diagnostics if the fields return any valid data for that user.
    I created a ticket for them and then they tried to log in. How would I check to see if the ldap temp is in the db? I also checked ldap for the user and I do get an email and username response.
  • BAD;39969 said:
    How would I check to see if the ldap temp is in the db?
    You'll have to look in the db itself, for example with phpmyadmin. The tickets are in the table ost_ticket. The user should have at least one real ticket (for example the one you've created) or a temporary one with the subject ldap_temporary.

    Did you enable the force client login or the sso option for your ldap configuration?
  • Thane;39978 said:
    You'll have to look in the db itself, for example with phpmyadmin. The tickets are in the table ost_ticket. The user should have at least one real ticket (for example the one you've created) or a temporary one with the subject ldap_temporary.

    Did you enable the force client login or the sso option for your ldap configuration?
    I have the force client login on. I did find one blank ldap_temporary.
  • Delete all blank ldap_temporary tickets. Then try to log in with the user again.
    If the problem persists, delete all blank ldap_temporary tickets again, deactivate the 'force clients to login' option and try to log in with the user.
  • Thane;39989 said:
    Delete all blank ldap_temporary tickets. Then try to log in with the user again.
    If the problem persists, delete all blank ldap_temporary tickets again, deactivate the 'force clients to login' option and try to log in with the user.
    I have deleted the temp tickets but they still can't login but they can however use the link from the previous open ticket to access the system.

    The login for the person gives no errors but returns the tickets.php url with a login screen. Again this is only one person in the whole system.
  • BAD;39992 said:
    I have deleted the temp tickets but they still can't login but they can however use the link from the previous open ticket to access the system.

    The login for the person gives no errors but returns the tickets.php url with a login screen. Again this is only one person in the whole system.
    Ah, if it's only one person then I may have a solution for you. I had a similar case a while ago where for one person the log in worked but the session was deemed invalid by osticket for some reason. The source of the issue was, that in the ticket of that person the email-address had some upper case letters. As soon as I changed that email-address to all lower case the log in worked.

    So, look again in your db in the ost_ticket table, if you have email-addresses that are not all lower case. Change them to all lower case letters.
  • Thane;39993 said:
    Ah, if it's only one person then I may have a solution for you. I had a similar case a while ago where for one person the log in worked but the session was deemed invalid by osticket for some reason. The source of the issue was, that in the ticket of that person the email-address had some upper case letters. As soon as I changed that email-address to all lower case the log in worked.

    So, look again in your db in the ost_ticket table, if you have email-addresses that are not all lower case. Change them to all lower case letters.
    I checked the email address and the user in question is all lower case. Also I did see another user with some caps and they are able to login.
  • Please make the following change:
    In the file login.php change the line
    $tmp_user=trim($tmp_email);

    to
    $tmp_user=$tmp_ht['email'];


    This change uses the email from the db instead of the one ldap returns. That hopefully fixes your issue.
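
The case mismatch and the blank ldap_temporary tickets discussed above, as an added example that is not code from the LDAP mod or from either poster. The function name `resolve_ticket_email` and the row layout (`subject`, `email`) are assumptions based on the ost_ticket fields named in the thread; the sample rows are constructed.

```php
<?php
/**
 * Pick the e-mail to use for the client session: the spelling stored with
 * the user's tickets, matched case-insensitively against what LDAP returned.
 * Returns null when the user has no usable ticket row.
 */
function resolve_ticket_email(string $ldapEmail, array $ticketRows): ?string
{
    $wanted = strtolower(trim($ldapEmail));
    if ($wanted === '' || filter_var($wanted, FILTER_VALIDATE_EMAIL) === false) {
        return null; // LDAP returned nothing usable, do not guess an identity
    }
    foreach ($ticketRows as $row) {
        $stored = trim($row['email'] ?? '');
        if ($stored === '') {
            continue; // blank ldap_temporary ticket: carries no identity
        }
        if (strtolower($stored) === $wanted) {
            return $stored; // hand back the spelling the database holds
        }
    }
    return null;
}

// Constructed sample rows: one blank temporary ticket, one real ticket
// whose address was stored with upper case letters.
$rows = [
    ['subject' => 'ldap_temporary',  'email' => ''],
    ['subject' => 'Printer offline', 'email' => 'J.Doe@Example.test'],
];

// A byte-for-byte comparison between the two sources fails ...
var_dump('j.doe@example.test' === $rows[1]['email']);
// ... while the lookup finds the row and returns the stored spelling.
var_dump(resolve_ticket_email('j.doe@example.test', $rows));
```
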
  • Thane;40004 said:
    Please make the following change:
    In the file login.php change the line
    $tmp_user=trim($tmp_email);

    to
    $tmp_user=$tmp_ht['email'];


    This change uses the email from the db instead of the one ldap returns. That hopefully fixes your issue.
    Will this cause any problems with other new users?
  • No, the code from line 55 to line 85 of the login.php only applies for users that already have tickets.
  • Thank you for all your help everything works great!!
  • Thanks for the bug report and helping with testing.
  • hi, sorry in advance for this stupid question...

    how to use this mod??

    I have downloaded it and replace all of the files into my current, then the website just blank.. :eek:

    Sorry again. :o
  • @omgkenny

    hello omgkenny,
    Did you install any other mods that modify these files? If so then simply overwriting will break things. You could try to get some error output by setting the following lines in main.inc.php

    ini_set('display_errors', 0);
    ini_set('display_startup_errors', 0);

    to
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);

    If there are any errors, they should show after this change.
  • Thane;40579 said:
    @omgkenny

    hello omgkenny,
    Did you install any other mods that modify these files? If so then simply overwriting will break things. You could try to get some error output by setting the following lines in main.inc.php

    ini_set('display_errors', 0);
    ini_set('display_startup_errors', 0);

    to
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);

    If there are any errors, they should show after this change.
    it showed this error :-
    Parse error: syntax error, unexpected T_DNUMBER in /var/www/html/support2/include/class.staff.php on line 105
    here is the line :-


    105-106 :-
    $ds=ldap_connect(10.180.200.250) or die(_("Couldn't connect to LDAP!"));
    $domain="uid=zimbra".$this->username.",ou=admins,dc=zimbra,dc=zimbra";
  • That's strange, class.staff.php shouldn't contain anything like that. The error is thrown because the first parameter of ldap_connect isn't a string. You can look here for a reference.
  • Thane;40581 said:
    That's strange, class.staff.php shouldn't contain anything like that. The error is thrown because the first parameter of ldap_connect isn't a string. You can look here for a reference.
    kinda blurry.. im not so good with codes..

    how to use the hostname via ip? :confused:
  • Well, that depends.

    But first, why the code in class.staff.php? You don't have to code the connection. If you go to scp->adminpanel->settings there is a ldap register. You can set everything there.

    If you insist on modifying code, you'll have to ask yourself a few questions. Do you want to connect with ssl encryption or not? Do you want to use user@domain or do you want to use rdn to bind?
  • Thane;40584 said:
    Well, that depends.

    But first, why the code in class.staff.php? You don't have to code the connection. If you go to scp->adminpanel->settings there is a ldap register. You can set everything there.

    If you insist on modifying code, you'll have to ask yourself a few questions. Do you want to connect with ssl encryption or not? Do you want to use user@domain or do you want to use rdn to bind?
    go to "scp --> admin panel --> settings" is by log in into the osticket ?? :confused::confused:

    i cannot log in into the osticket, when i type my ticket address, it only shows the earlier error mentioned.

    as for the question given, connect with ssl and want to use user@domain.
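
The choices named in this exchange (SSL and a user@domain bind, with the host passed as a string), as an added example that is not code from the LDAP mod or from either poster. The function name `ldap_check_login`, the host `ldap.example.test`, the domain and port 636 are placeholders, and it assumes a directory that accepts user@domain binds and PHP's ldap extension.

```php
<?php
/**
 * Bind to a directory over LDAPS as user@domain.
 * Returns true only when the server accepts the user's own credentials.
 */
function ldap_check_login(string $host, string $domain, string $user, string $password): bool
{
    // Many servers treat a bind with an empty password as an
    // unauthenticated bind and report success, so refuse it up front.
    if ($user === '' || $password === '') {
        return false;
    }
    // Keep the login name to a conservative character set before it is
    // concatenated into the bind name.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }

    // The argument must be a string; the ldaps:// scheme selects TLS.
    $ds = ldap_connect('ldaps://' . $host . ':636');
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // ldap_bind() raises a warning on failure; @ keeps it off the page.
    $ok = @ldap_bind($ds, $user . '@' . $domain, $password);
    ldap_unbind($ds);
    return $ok;
}

// Constructed call: the empty password is rejected before any network use.
var_dump(ldap_check_login('ldap.example.test', 'example.test', 'jesper', ''));
```
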
  • Then another question from me. Do you have any other mods installed?
    The error you've mentioned doesn't originate from the ldap_mod_v8.zip. The files in there do not contain any hardcoded ip addresses. class.ldap.php does all the ldap connections so there can't be any in class.staff.php. To be sure I've searched for the string '$ds=ldap_connect' in the modded files, and not one of them contains it.
    I'd suggest you do a rollback and try to apply this mod again.
    Also make a backup of your database and files before you apply any mods.
  • Thane;40586 said:
    Then another question from me. Do you have any other mods installed?
    The error you've mentioned doesn't originate from the ldap_mod_v8.zip. The files in there do not contain any hardcoded ip addresses. class.ldap.php does all the ldap connections so there can't be any in class.staff.php. To be sure I've searched for the string '$ds=ldap_connect' in the modded files, and not one of them contains it.
    I'd suggest you do a rollback and try to apply this mod again.
    Also make a backup of your database and files before you apply any mods.
    nope. no other mod installed.
  • Then do the following:
    1. Backup the include/ost-config.php. It contains the mysql access configuration.
    2. Delete all the files of your osticket installation.
    3. Redownload osticket 1.7 and make a clean install.
    4. Redownload the ldap_mod_v8.zip (It has the MD5 hash CBCF07A5B862C698E4EA6C879E0CF642)
    5. Extract the files in the .zip, then overwrite the osticket folder with the contents

    Expected behaviour after installing the ldap mod:
    • It'll create another table in your mysql db to save your ldap settings
    • If you didn't configure anything in ldap osticket will behave like a vanilla installation. (except another category in settings)
    NOTE: If you want to add staff members you'll have to add them the traditional way first and make sure the username is exactly the same as the one in your ldap server. You'll essentially login two times when using ldap, first via ldap then in osticket. This allows you to use the osticket passwords as well as a ldap based login at the same time.
  • OK. Will do.

    I will update to you the output later.

    Thanks.

    ====================================================================================

    updates :-

    after creating the new ldap connection, then i used the ldap diagnostic and this error

    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "10.180.200.250" and port "389"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    using rdn for binding
    binding to ldap with "uid=zimbra,cn=admins,cn=zimbra" and his password
    using the filter: "(&(sAMAccountName=zimbra))"
    calling ldap_search with the domain: "DC=silk,DC=my", the Filter: "(&(sAMAccountName=zimbra))" and the Attributes: "array("zimbraAccountStatus")"

    -------

    what i entered in the field and username is zimbraAccountStatus & jesper
  • Authorization working, but login does not proceed

    I've got the mod installed, and the diagnostic works.
    I can give osticket credentials, and if they are wrong, it will say they are wrong, but if they are correct then it just stays at the login screen.
    Any thoughts? I was thinking that it might have something to do with the PHP_AUTH_USER setting, but I'm unsure.
  • Thane;40589 said:
    Then do the following:
    1. Backup the include/ost-config.php. It contains the mysql access configuration.
    2. Delete all the files of your osticket installation.
    3. Redownload osticket 1.7 and make a clean install.
    4. Redownload the ldap_mod_v8.zip (It has the MD5 hash CBCF07A5B862C698E4EA6C879E0CF642)
    5. Extract the files in the .zip, then overwrite the osticket folder with the contents

    Expected behaviour after installing the ldap mod:
    • It'll create another table in your mysql db to save your ldap settings
    • If you didn't configure anything in ldap osticket will behave like a vanilla installation. (except another category in settings)
    NOTE: If you want to add staff members you'll have to add them the traditional way first and make sure the username is exactly the same as the one in your ldap server. You'll essentially login two times when using ldap, first via ldap then in osticket. This allows you to use the osticket passwords as well as a ldap based login at the same time.

    ok.. discard the above error.

    already can get it working with the diagnostic.

    now i want to know how to log in for staff.

    as now we want current users in the ldap server (zimbra) can access into the osticket via /scp and without manually create the username in the osticket itself.
  • @mujizac

    Please change the following line in the file login.php
    $tmp_user=trim($tmp_email);

    to
    $tmp_user=$tmp_ht['email'];


    That should fix your issue.

    @omgkenny
    You have to create the users for scp in osticket first. I can't work around that, since there are other checks for the username in osticket (the username must exist in the database). You could try to batchcreate the users with sql, but i can't help you with that.
    Also, please apply the patch mentioned above.
  • Thane,

    My login.php is like this

    OST||(LDAP::ldapClientActive()&&LDAP::useSSO()&&(isset($_SERVER[LDAP::ldapGetAuthvar()])&&$_SERVER[LDAP::ldapGetAuthvar()]!=""))) {
    $tmp_user=trim($_POST['lemail']);
    $tmp_pw=trim($_POST['lticket']);


    so how do i change it?
  • @omgkenny
    There is a line (it should be line 59) in login.php with the content
    $tmp_user=trim($tmp_email);

    you search for it in the login.php and replace the complete line with
    $tmp_user=$tmp_ht['email'];
  • i got more questions to ask.. :confused:

    1st. can i remove the ldap suffix request when edit the ldap connection??

    2nd. the last code that you gave me is to do what actually? :confused:

    3rd. how can the user create the ticket as it request for User/E-Mail Address:
    Password/Ticket ID: ?? :confused:

    Sorry for all these questions. :o