Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

In this Discussion

osTicket v1.10 (stable) and Maintenance Release v1.9.15 are now available! Go get it now

Restrict Logins to AD Users Only

We are about to take our OSTicket install live and ditch OTRS, and love we now have end user AD support, the only thing left that OSTicket is missing (and we can live without it for now but would awesome to have in the future), is the ability to restrict account creation so that only AD users can sign up. 99% of our users will be fine as is but I just know we will get a few that end up creating a seperate OSticket account rather than using their AD account and if we could prevent this by only letting AD users create an account that would be perfect I think.


  • We had the same issue, but found a workaround...
    First we thought we restrict ticket creation to require an account and make the registration for an account by staff only (Private). But then we had the issue that no new users could create new tickets without asking staff to create an account first. So we decided to change the registration to Public, but also wanted to prevent that users (easily) created an separate osticket account.
    Our workaround is to redirect the link for "register for an account"-page to the main page using an apache rewrite condition :D
    So any AD users gets logged in via SSO (using http-passthru plugin) and if they try to sign up for an separate osticket account they will always be redirected to the main page.
    Maybe this is also a solution for you.
  • why you use http-passthru and not the LDAP plugin?

  • Let me explain...

    We use both, passthru-auth and ldap-auth, and combined it (which is possible without any modification to the plugins) to get our users logged in via SSO (apache + AD).

    First we've set up ldap auth plugin to work like expected. After that we added the auth-passthru plugin by downloading the files from the github repo and building the phar with php - so we are sure client passthru auth is working (currently the auth-passthru plugin downloadable under includes only passthru-auth for staff). We especially added the auth-passthru so that the users/staff get automatically signed in via SSO using IE, Chrome or Firefox (for firefox we added a special group policy to enable SSO for specific webservers - it's not enabled by default, but using with the right preferences it can be enabled domain-wide ;) ).

    Since the web-server is doing the authentication, the people just open the ticket website (e.g. click on "New Ticket" or "Check ticket status" and do not need to enter anything - they are signed in right away by the webserver and can instantly start by viewing their tickets / creating new tickets.

    Same for staff. Staff just opens the scp page (e.g. and is instantly signed in without the need for entering username or password again since the http-passthru auth matches AD account to the staff account and then you are signed in. In case an AD account is not in the staff, they will just see the normal scp auth page and can still login their with a local osticket account.

    So we basically use it to make it easier for our users to get signed in to the ticket system (either client or staff page). Hope you now understand why we use it ;) Btw: we use osTicket only internally (which made the decision to use passthru-auth / SSO really easy)
Sign In or Register to comment.