


[MOD] LDAP Authentication


Comments

  • Testing

    @Thane
    I have tried logging into both the client and the staff side with no luck unless I use the password I set on install for my admin user.


    RDN Scheme:
    cn=%CN%,ou=proxies,dc=my,dc=domain

    LDAP Admins CN is set to 'mycn' which fills in correctly in the RDN scheme on the diagnostics page.

    Here are my diagnostic results

    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "ldaps://myauth.mydomain.edu:636"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    using rdn for binding
    binding to ldap with "cn=mycn,ou=proxies,dc=my,dc=domain" and his password
    using the filter: "(&(uid=myuser))"
    calling ldap_search with the domain: "ou=people,ou=primary,ou=eid,dc=my,dc=domain", the Filter: "(&(uid=myuser))" and the Attributes: "array("givenname")"
    LDAP returned field data: "FirstName"


    Debug of function ldapGetEmail():

    getting the email of user: "myuser"
    using rdn for binding
    binding to ldap with "cn=mycn,ou=myou,dc=my,dc=domain" and his password
    calling ldap_search with the domain: "ou=people,ou=primary,ou=eid,dc=my,dc=domain", the Filter: "(&(uid=myuser))" and the Attributes: "array("mail")"
    LDAP returned field data: "myuser@my.domain"


    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: "myuser@my.domain"
    using rdn for binding
    binding to ldap with "cn=mycn,ou=myou,dc=my,dc=domain" and his password
    calling ldap_search with the domain: "ou=people,ou=primary,ou=eid,dc=my,dc=domain", the Filter: "(&(mail=myuser@my.domain))" and the Attributes: "array("uid")"
    LDAP returned field data: "myuser"
  • @atreyu

    Try an RDN that contains uid=%UID%, like uid=%UID%,cn=mycn,ou=proxies,dc=my,dc=domain; as it's set now, you don't provide a user to bind.
    If set correctly, the diagnostic page will show something like uid=admin,cn=mycn,ou=proxies,dc=my,dc=domain.

    Note: %UID% is case sensitive.
  • LDAP connection problem

    Hi all,

    We have a problem with the LDAP connection. We used the LDAP Diagnostic and got this result:

    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "my ip address" and port "my port"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    using rdn for binding
    binding to ldap with "uid=administrator,dc=my domain,dc=sk" and his password
    Invalid credentials
    errno: 49
    Cannot authenticate with LDAP server.

    PHP error:
    Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials in PATH\include\class.ldap.php on line 111

    We are using Active Directory 2003; is it necessary to configure it?

    We also have multiple organizational units, with users that are within other OUs with users. What should our OU=xxx look like? Is it enough to specify only the top-level OU, or do I have to specify them all?
    Can someone post their LDAP configuration as an example?


    Thanks for any help.
  • RDN Problem

    @Thane - I think I discovered the problem. I'm trying to use an LDAP server that requires RDN binds. I worked with the admin on campus that's responsible for LDAP and we looked through the logs. When the diagnostic is run - everything works great - the admin base DN connects and the password stored in the admin panel LDAP authenticates.

    However, from the client login screen (submitting a ticket for the first time as a new user with authentication required), the connection string looks identical to the one that is successful, but the log shows that the password is wrong, so I started wondering where this other password for the admin user is coming from.

    I tried, just for fun, using the LDAP super user password on the login screen with a standard user account name - and voila - a new user that had never logged in before had their account created, name and email were grabbed fine, and everything worked.

    So the problem is - with RDN enabled - the initial bind is set to use the password that the user enters on the login page, with the RDN admin user account scheme, instead of the password stored in the LDAP settings for the mod. Login is failing because it's trying to bind as the admin with the current users password entered in the login form instead of the actual admin password.

    I'm going to look into the code, but I wanted to post this as quickly as I found out.

    Thanks.
    Thane;41635 said:
    @atreyu

    Try an RDN that contains uid=%UID%, like uid=%UID%,cn=mycn,ou=proxies,dc=my,dc=domain; as it's set now, you don't provide a user to bind.
    If set correctly, the diagnostic page will show something like uid=admin,cn=mycn,ou=proxies,dc=my,dc=domain.

    Note: %UID% is case sensitive.
  • @jk11
    For an AD you don't need to use RDN; you can set RDN to off and use the filter from the example:
    (&(sAMAccountName=%USERNAME%))
    I've added RDN for those cases where you can't bind with a filter.

    @atreyu
    That's actually as intended. After all you want to authenticate the user. Otherwise you could type anything and log in as admin.
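
    As an added example (not code from the mod, and not Thane's or atreyu's), the following Python sketch shows the two bind strategies discussed in this reply and in the %UID% note above, run against an in-memory stand-in for the directory so it works offline. The DNs, the "bob" account, the passwords, the "upn" attribute standing in for AD's userPrincipalName, and the FakeLdap class are all constructed for the demo. It shows why a template without %UID% resolves to the admin DN for every user (so the admin password logs anyone in, as reported above), why an empty password must be refused before binding (LDAP treats it as an unauthenticated bind), and why the login name must be escaped before it is spliced into the search filter.

```python
"""Added example (not code from the osTicket LDAP mod): the RDN-template
and filter+suffix bind strategies discussed in this thread, run against an
in-memory stand-in for the directory.  Entries, DNs and passwords below are
constructed for the demo."""
import re


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def expand_rdn(template, **values):
    """Fill %UID% / %CN% placeholders.  Only the upper-case token is
    replaced, matching the note above that %UID% is case sensitive."""
    for key, val in values.items():
        template = template.replace("%" + key.upper() + "%", val)
    return template


# Constructed directory: DN -> (password, attributes).  'upn' plays the
# role of AD's userPrincipalName, the name a 'user@suffix' bind is checked
# against.
DIRECTORY = {
    "cn=mycn,ou=proxies,dc=my,dc=domain": ("adminS3cret", {"cn": "mycn"}),
    "uid=bob,cn=mycn,ou=proxies,dc=my,dc=domain": ("bobpass", {"uid": "bob"}),
    "cn=bob,ou=people,dc=w2k,dc=domain,dc=com": ("bobpass", {
        "sAMAccountName": "bob", "upn": "bob@w2k.domain.com",
        "mail": "bob@domain.com"}),
}


class FakeLdap:
    """Stand-in for ldap_bind()/ldap_search(): simple bind by DN or UPN and
    equality filters of the form (attr=value) or (&(attr=value))."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, who, password):
        # RFC 4513 5.1.2: a name with an *empty* password is an
        # unauthenticated bind and succeeds on many servers; modelled here
        # so the guard in the auth functions is visibly necessary.
        if password == "":
            return True
        for dn, (pw, attrs) in self.entries.items():
            if who in (dn, attrs.get("upn")) and password == pw:
                return True
        return False  # what ldap_bind() reports as errno 49, Invalid credentials

    def search(self, base, ldap_filter, wanted):
        inner = ldap_filter[2:-1] if ldap_filter.startswith("(&") else ldap_filter
        m = re.fullmatch(r"\((\w+)=([^()]+)\)", inner)
        if not m:
            raise ValueError("unsupported filter: " + ldap_filter)
        attr, value = m.groups()
        return [(dn, {a: attrs[a] for a in wanted if a in attrs})
                for dn, (_pw, attrs) in self.entries.items()
                if dn.endswith(base) and attrs.get(attr) == value]


def auth_rdn(ldap, rdn_template, admin_cn, username, password):
    """RDN mode: build the bind DN from the template and bind with the
    password typed on the login form.  That bind is the whole proof, so the
    template must contain %UID%; with only %CN% every user binds as the
    admin DN and the admin's password logs anyone in."""
    if password == "":
        return False
    bind_dn = expand_rdn(rdn_template, uid=username, cn=admin_cn)
    return ldap.bind(bind_dn, password)


def auth_filter(ldap, admin_dn, admin_pw, base, filter_template, suffix,
                username, password):
    """Filter mode (AD): find the account with the service credentials,
    then prove the password with a second bind as username@suffix."""
    if password == "":
        return False
    if not ldap.bind(admin_dn, admin_pw):
        raise RuntimeError("Cannot authenticate with LDAP server")
    ldap_filter = filter_template.replace("%USERNAME%",
                                          escape_filter_value(username))
    hits = ldap.search(base, ldap_filter, ["mail"])
    if len(hits) != 1:
        return False
    return ldap.bind(username + suffix, password)


if __name__ == "__main__":
    d = FakeLdap(DIRECTORY)
    good = "uid=%UID%,cn=mycn,ou=proxies,dc=my,dc=domain"
    bad = "cn=%CN%,ou=proxies,dc=my,dc=domain"  # no user part in the template
    print("good template, own password :", auth_rdn(d, good, "mycn", "bob", "bobpass"))
    print("bad template, admin password:", auth_rdn(d, bad, "mycn", "bob", "adminS3cret"))
    print("AD filter + suffix          :", auth_filter(
        d, "cn=mycn,ou=proxies,dc=my,dc=domain", "adminS3cret",
        "dc=w2k,dc=domain,dc=com", "(&(sAMAccountName=%USERNAME%))",
        "@w2k.domain.com", "bob", "bobpass"))
```

    Running it shows the three outcomes the thread circles around: with uid=%UID% in the template, bob's own password works and the admin's does not; with only cn=%CN%, the bind DN is the admin entry for every user, so the admin password works for any username; and in filter mode the second bind fails with the wrong suffix exactly as the "Invalid credentials, errno: 49" diagnostic above does, because the directory knows bob as bob@w2k.domain.com, not bob@domain.com.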
  • Hello,

    I can't seem to get this to work. I am not familiar with php or LDAP binding, but maybe someone can point me in the right direction.

    I successfully installed the mod and I can see the LDAP page. I add the LDAP info; however, when I enable the settings and save, I get the following error.

    Fatal error: Call to undefined function ldap_connect() in /var/www/html/osticket/upload/include/class.ldap.php on line 751

    Here is the line 751
    $ldap = ldap_connect($vars['ldap_controller'], $vars['ldap_port']);


    At first I thought it could be failing because of other mods I had installed, so I scrapped it and installed a clean osTicket, but still no luck.

    I also don't think it's the AD, because I can connect to it with Softerra.

    It could be something I entered, but I am not sure; like I said, I am not too familiar with LDAP binding. Here is what I got.

    http://i.imgur.com/g8pxnYG.jpg

    Thanks
  • @The_Intern
    Please make sure that you have the ldap extension enabled in your php.ini. It is required for this mod.
  • @atreyu

    I was having a similar problem. I could not get it to work without RDN bind; however, when attempting to log in via other users, I couldn't log in and the LDAP admin account would become locked (we have lockout set after 3 failed attempts in AD). When I used the LDAP admin password, regardless of the username, it would log me in. I thought RDN binding was my issue; however, I stumbled upon another thought.

    Our domain is setup like: w2k.domain.com however, users log in via w2k\username and our addresses username@domain.com.

    I was originally trying the suffix @domain.com and it would not work. When I tried @w2k.domain.com, everything worked perfectly fine. I also do not have RDN bind enabled now. Try that out and disable RDN bind.
  • @Thane

    Thank you once again for this mod. I am trying to get SSO working. I tried the example auth variables but it doesn't seem to work with that. I am trying to figure out how our domain was set up with auth variables. There has not been much documentation as to how our infrastructure was setup and nobody really knows much.
  • DOH! I am not a smart man. I forgot to install the php ldap module....silly me.

    Thanks Thane
  • LDAP connection problem
    Thane;41775 said:
    @jk11
    For an AD you don't need to use RDN; you can set RDN to off and use the filter from the example:
    (&(sAMAccountName=%USERNAME%))
    I've added RDN for those cases where you can't bind with a filter.
    Thank you for your answer. I set RDN to off. The result of the LDAP diagnostic:

    Result: Leave empty to use the Administrator in LDAP Settings
    calling ldap_connect with: "XXX" and port "XXX"
    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0
    binding to ldap with "XXX" and his password
    Invalid credentials
    errno: 49
    Cannot authenticate with LDAP server.

    Any idea?
  • @JK11
    Did you set the correct suffix?

    @griffinaaronj
    What kind of webserver do you use?
  • Authorization

    There was a problem with authorization under the domain account. If the user is bound to only one computer, access to the site is prohibited. Has anyone faced this?
  • disable e-mail / ticket # login

    Hi,

    We just tried out osTicket and the LDAP mod, which works great. We're wondering if it would be possible to force users to log in with AD username/password or accounts managed from inside osTicket, and remove the possibility to use e-mail/ticket number.

    Why would we do this?
    We only use osTicket internally, no external support, so everybody has an AD account. Tickets could contain sensitive information, and if someone ever got one ticket number of another user he would be able to read all tickets of this user, which we consider a security issue.

    So maybe you have an Idea how to disable the possibility to use e-mail/ticket # to log in?
  • Thane;41995 said:
    @JK11
    Did you set the correct suffix?
    Suffix is correct.
    1) What is the difference between enabling or disabling the radio button on
    [image]

    I disabled the button BUT am still able to run the LDAP Diagnostic successfully.

    2) If I enable the above, whenever I click on 'Support Home Center' or 'Open New Ticket', the link always goes to 'Check Ticket Status' (view.php)
    [image]


    Am I missing anything obvious?
  • @Thane,
    Is the mod for the osTicket new ticket page, OR is it for staff login to scp only?
    I'm kinda confused.
    I'm sorry that I'm replying so late.
    @JK11
    Try a suffix like the following: @adserver.domain.com
    griffinaaronj could authenticate that way.

    @be606
    I didn't encounter your issue yet.

    @dzer
    I'll add that as an option in the next update, probably this weekend, maybe later.

    @zhza
    1)
    I've added that radio button to disable an LDAP connection. This mod is able to connect to multiple LDAP servers and you may want to disable a connection for various reasons, or preconfigure an additional connection to use it later.
    2)
    You have SSO (Single Sign On) activated. It probably fails and redirects you to the login page. Setting SSO to off should fix that.
    @zhza, second post
    Both, and with a few extra features.
    You can enable/disable the client-side stuff with "ldap for clientaccess".
    Yes, I know, the settings are convoluted right now. I'll move the settings that have an influence across all LDAP connections to a 'global ldap settings' menu in the next update.
  • Thane;42849 said:
    I'm sorry that I'm replying so late.
    @JK11
    Try a suffix like the following: @adserver.domain.com
    griffinaaronj could authenticate that way.
    I changed the suffix, but it didn't help :( Any other idea?

    Regardless, thank you very much for your time and help.
  • direct from LDAP

    Thane,
    Is there a way to allow staff to login straight from LDAP, without having to have their username created in the staff table ?
  • Hey,

    Having a bit of an issue. I've set up everything and was able to create the LDAP connection successfully, but whenever I set the Global LDAP settings to enable AD-linked login, I can't save the changes on that page. When I click save changes, the page says "LDAP connection updated successfully", but the settings all reset back to disabled and the PHP server auth variable field clears. Anything you can think of that would cause this?


    edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to (your table prefix) + "ldap_config" by default, right?
  • velinath;43391 said:

    edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to "ost_ldap_config" by default, right?

    Good catch, I had the same issue.
  • Dear Thane,

    Thank you for all your hard work! I just managed to get osTicket + your LDAP implementation going. Planning on making SSO working as well.

    One thing I noticed is that upon login via an LDAP user, its phone, email and cn are registered permanently. Meaning that once I change one of these fields in our AD, osTicket never updates these fields later on.

    Is this normal behaviour and how hard would it be to implement an updating mechanism for these fields for newly created tickets (or possibly existing ones as well)?

    I currently have ldap v11 + ost 1.7.0 installed.

    Cheers.
  • @JK11
    I think it's a configuration issue, but without knowledge of your system I can only guess. Perhaps you should try RDN again.

    @zhza
    No, osticket itself has a username verification. I'd have to disable that and the result would leave you unable to log in with the traditional method (osticket-user and password). I've planned to offer user import in a future version.

    @velinath
    Thanks for the find and sorry for the issue.

    @jdgchc
    Sorry for the issue.

    @boolainen
    That's as intended, well... in a way. osTicket saves the user data in the database and retrieves it with every following ticket creation. You'd get similar behaviour with the unmodified version. Currently you'd have to manually update every ticket created by the user.
    I'll think on a way to improve that.

    @all
    Please update to V12, V11 has a nasty bug.
  • just updated, thanks for all your work thane
  • Just another note while it's on my mind - I don't know if this was an issue with my install specifically, but the checks on the index.php page to change the text between "open ticket as guest" and "open a new ticket" - or between "Log In" and "Check Ticket Status" (the ones that are using LDAP::ldapClientActive()) weren't working for me. Everything else is working - my AD users are able to log in successfully - but for some reason those buttons aren't changing.

    It's not a big deal since I was planning to disable that page anyway, but I figured I'd ask. Thanks for the quick update on the last problem I ran into, really appreciate it.
  • Thane;43489 said:

    @boolainen
    That's as intended, well... in a way. osTicket saves the user data in the database and retrieves it with every following ticket creation. You'd get similar behaviour with the unmodified version. Currently you'd have to manually update every ticket created by the user.
    I'll think on a way to improve that.
    Thank you for your response! Just to clarify what I meant.

    For existing tickets I would consider it normal behavior not to have the fields updated. They should be regarded as a historical archive anyway, in a sense.

    Though for newly created tickets you would want the most up-to-date user information from LDAP (AD). Thus a login action should always update the fields mail, phone and such.

    Cheers.
  • Thane,

    Found another fun thing. On the staff side, the "Closed Tickets" count still counts tickets with subject ldap_temporary, but staff can't see them (so if someone logs in and never creates a ticket for themselves, the Closed Tickets count is higher than the actual number!). My fix:

    In \include\class.ticket.php, function getStaffStats, find the part of the SQL query that looks like this:

    .' LEFT JOIN '.TICKET_TABLE.' closed
    ON (closed.ticket_id=ticket.ticket_id
    AND closed.status=\'closed\')'

    Change it as follows:

    .' LEFT JOIN '.TICKET_TABLE.' closed
    ON (closed.ticket_id=ticket.ticket_id
    AND closed.status=\'closed\'
    AND closed.subject!=\'ldap_temporary\')'

    Thanks!
  • Please help

    We need to bind accounts in AD to the names of PCs, but if we do it, users can't enter the site.
  • Fatal error (yaml) after install

    Hi there,

    Needing LDAP authentication here. I installed the mod, but after installing, I get "Fatal error: Class 'Error' not found in /media/www0/support.website.com/include/class.yaml.php on line 38" when trying to access all pages (either client or staff).

    Any suggestions? Thanks!
    ~Laz