Problems with passthru plugin once user is authenticated

Hi all,

OSTicket version : 1.9.13
PHP 5.4.16 (cli) (built: Nov  6 2016 00:29:02) 
Server version: Apache/2.4.6 (CentOS)
CentOS Linux release 7.3.1611 (Core) 

I have installed the phar passthru file and enabled it (only for staff users). We are using Office365 AD to authenticate users, and get the REMOTE_USER value via the SAML mod_mellon Apache module. Everything seems fine; in fact I can print the REMOTE_USER and username values using this code:

<?php
// REMOTE_USER is set by mod_mellon as user@domain; keep only the part before '@'
$usernameATdomain = $_SERVER['REMOTE_USER'];
$ATposition = strpos($usernameATdomain, "@");
// strpos() returns false when there is no '@'; fall back to the whole value in that case
$username = ($ATposition === false) ? $usernameATdomain : substr($usernameATdomain, 0, $ATposition);

echo($_SERVER['REMOTE_USER']);   // key must be quoted; a bare REMOTE_USER is an undefined constant
echo("\r\n");
echo($username);

So REMOTE_USER is printed as username@domain, and $username is the username value.

I created several agents whose Username field is the same as the one printed in REMOTE_USER. However, scp login.php / index.php / tickets.php still ask me for a password.

What should I check?
Should I install ldap plugin even if I am not using ldap/AD?

IMHO it seems that I am missing the connection between OSTicket and the passthru plugin... I can't see whether passthru is working.

Thanks in advance.
Comments

  • forum user @chefkeks wrote some good articles here on the forums about using LDAP and passthrough auth. You might try searching for them.
  • edited February 22
    Hi ntozier (thanks for your quick response),

    I already read a bunch of them; however, in my case I cannot use LDAP because we do not have an AD/LDAP directory reachable. That's why I asked whether it's mandatory to have the ldap plugin in addition to passthrough auth for it to work... I suspect not.

    Since I already have the REMOTE_USER header feeding the OSTicket installation, I looked at the plugin code on GitHub: https://github.com/osTicket/osTicket-plugins/blob/develop/auth-passthru/authenticate.php

    It looks like the passthru plugin gets the username from the REMOTE_USER header and looks it up in the database to check whether the agent exists:

    if (($user = StaffSession::lookup($username)) && $user->getId()) {
    In my case it exists, because it's an agent already created locally.

    Could someone let me know if my assumptions are correct?
    How is the username/REMOTE_USER header ingested into the passthru plugin?
    Should it work if I just connect to the backend (scp), or do I need to connect to some special path in order to activate the passthru plugin?

    Thanks in advance
  • Office365 is not an AD, why are you using pass thru?
  • edited February 22
    Sorry, it's Azure AD (my bad)

    We are using Azure AD to authenticate users via the Apache 2 mod_mellon module. This part is working and I am getting the right claim (REMOTE_USER), but I do not know how this variable is consumed by the auth passthru plugin.

    Thanks!
  • edited February 22
    All good, but you said you do not have AD/LDAP directory reachable, what exactly do you mean by that?
  • edited February 22
    I meant that I do not have any AD/LDAP server that can be connected to using the ldap plugin. All the posts and information I've found detail how to use the ldap and passthrough plugins together.

    In my case, the user is authenticated against Azure AD. Once authenticated, the user is authorized to access the scp backend. Also, a claim is returned with the username of the authenticated user. This username is set to REMOTE_USER, which I can actually confirm.

    Finally, I am stuck at this point. I can't see how osTicket can consume this information using the passthru plugin (I guessed it was possible).

    Apologies if I am not clear enough, feel free to ask for clarification

    Thanks
  • - How come you have not updated to latest stable release?
    - Has this ever worked for you in the past?
  • edited February 23
    Hi,

    1. Did not need it at the moment; however, do you suggest I update to 1.10 or 1.9.15 (currently running 1.9.13)?
    2. No, this is the first time I have tried it. Previously we were running OSTicket in our internal network with access to our Active Directory servers using the ldap plugin, which was working flawlessly. However, right now the installation must be moved to the DMZ.

    Since we already have Azure AD, and after taking a look at the passthru plugin, I was expecting to authenticate with Azure AD and feed the username to the plugin. It looks similar to what I understand the passthru plugin does:

    - The webserver requests authentication from the user and authenticates against the local AD using domain credentials.
    - If authentication succeeds, the webserver passes the username to OSTicket. Then the passthru plugin searches the OSTicket database for the username (either staff or client). Those usernames, which are created beforehand, can be created manually (my case) or "auto-filled" via the ldap plugin if you have AD accessible.
    - Finally, if the username exists, the user (staff or client) can access OSTicket without typing credentials again.

    Makes sense?

    Thanks!
  • Hold up, you are using passthru? Try using LDAP plugin and connect it to AZURE. Shouldn't you also have a local DC onsite that replicates with Azure?
  • edited February 23
    Hi,

    We do not have a DC onsite in our DMZ.
    The LDAP plugin cannot connect to Azure AD (it uses federation services). That's why we use mod_mellon (the Apache SAML module) to authenticate.

    Do you know if passthru can only be used with ldap plugin? Is @greezybacon the author of the plugin?


  • Q: Do you know if passthru can only be used with ldap plugin?
    A: no idea..

    Q: Is @greezybacon the author of the plugin?
    A: Pretty sure he is.
  • Hi,

    Does anyone know how the passthru plugin actually works, apart from the documented ldap+passthru integration?

    Thanks!
  • edited February 24
    Good news, it worked; sadly I had forgotten to allow the user I was testing with to authenticate with any backend...

    I think it is a pretty useful configuration for users who need to run OSTicket in the cloud or in a DMZ (without access to an LDAP source), so they can authenticate using Azure AD or any other identity provider.

    Let me know if you need further info
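An added example, in PHP, of the flow described earlier in this thread (web server authenticates, application only looks the name up locally) together with the backend-permission check that the previous post identified as the missing piece. This is not the auth-passthru plugin's code and not the original poster's; the agent table shape, the column name 'backend', the backend key 'passthru' and the sample agents are all constructed for illustration. The one security caveat worth keeping in mind is encoded in the code: only $_SERVER['REMOTE_USER'] as populated by the web server's auth module is trusted, never a client-supplied Remote-User request header (which PHP exposes as HTTP_REMOTE_USER).

```php
<?php
// Added example, not the osTicket auth-passthru plugin's own code.
// Models the flow from the thread: mod_mellon authenticates the user and
// exposes the claim in $_SERVER['REMOTE_USER']; the application strips the
// domain part, looks the agent up locally and checks that this agent is
// allowed to log in through the pass-through backend.

// Hypothetical key identifying this backend in the agent's "Authentication
// Backend" setting. null below means "any available backend".
define('PASSTHRU_BACKEND_KEY', 'passthru');

// Constructed sample of the local agent table (hypothetical shape; the real
// osTicket staff table differs).
function sample_agents()
{
    return array(
        'jdoe'   => array('id' => 1, 'backend' => null,    'active' => true),
        'asmith' => array('id' => 2, 'backend' => 'local', 'active' => true),
        'locked' => array('id' => 3, 'backend' => null,    'active' => false),
    );
}

// Extract the local username from the server-supplied identity.
// Returns null when there is no trustworthy identity.
function passthru_username(array $server)
{
    // Only REMOTE_USER set by the web server is trusted. A client-supplied
    // "Remote-User: ..." request header arrives as HTTP_REMOTE_USER and is
    // deliberately ignored here.
    if (empty($server['REMOTE_USER'])) {
        return null;
    }
    $id = trim($server['REMOTE_USER']);
    // user@domain claim: keep the part before '@', as in the original post.
    $at = strpos($id, '@');
    if ($at !== false) {
        $id = substr($id, 0, $at);
    }
    // Accept only a plain username; anything else is treated as no identity.
    return preg_match('/^[A-Za-z0-9._-]+$/', $id) ? $id : null;
}

// Resolve the agent and apply the backend permission check.
// Returns array('ok' => true, 'id' => ...) or array('ok' => false, 'reason' => ...).
function passthru_authenticate(array $server, array $agents)
{
    $username = passthru_username($server);
    if ($username === null) {
        return array('ok' => false, 'reason' => 'no trusted REMOTE_USER');
    }
    if (!isset($agents[$username])) {
        return array('ok' => false, 'reason' => "no local agent '$username'");
    }
    $agent = $agents[$username];
    if (!$agent['active']) {
        return array('ok' => false, 'reason' => 'agent disabled');
    }
    // The agent must be allowed to authenticate via this backend or via any.
    if ($agent['backend'] !== null && $agent['backend'] !== PASSTHRU_BACKEND_KEY) {
        return array('ok' => false, 'reason' => "agent restricted to backend '{$agent['backend']}'");
    }
    return array('ok' => true, 'id' => $agent['id']);
}

// Demo with constructed server environments.
$cases = array(
    array('REMOTE_USER' => 'jdoe@example.com'),       // ok, id 1
    array('REMOTE_USER' => 'asmith@example.com'),     // restricted to 'local'
    array('REMOTE_USER' => 'locked@example.com'),     // agent disabled
    array('HTTP_REMOTE_USER' => 'jdoe@example.com'),  // client header: ignored
    array('REMOTE_USER' => 'nobody@example.com'),     // no local agent
);
foreach ($cases as $env) {
    echo json_encode(passthru_authenticate($env, sample_agents())), "\n";
}
```

The second case is the situation the thread ended on: the username resolves and the agent exists, but login is still refused because the agent's account is restricted to a different backend. Checking that setting first saves a lot of guessing when pass-through "does nothing".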
  • "I forgot to allow the user which I was testing with to authenticate with any backend"
    /facepalm
    I totally should have asked about that....

    If you need more help with this I think that your best bet would be to open a feature/issue report at:
    https://github.com/osTicket/osTicket-plugins
  • Do you mind explaining a little as to what exactly you did in case someone else needs assistance while searching the forums?