[MOD] Simplified staff LDAP authentication

hawkhead99

Don't get me wrong, I like the LDAP authentication concept that was given in http://osticket.com/forums/showthread.php?t=13731(http://osticket.com/forums/showthread.php?t=13731)... But I just don't need all of that for my version of osticket.

This version ONLY lets your staff log in with their AD credentials.

*NOTE* when you set them up in osticket - make sure their username matches their AD username

I kept it basic like I had it in 1.6 - with a few add-ons to make it work in this version:

Steps (all in class.staff.php):

1. In function load - search for:

$this->id = $this->ht;

2. directly below it - paste the following:

$this->username = $this->ht;

3. Find function check_passwd

4. past the following directly above it:

function check_ldap_passwd($password)

{$ds=ldap_connect('ldap://your.domain') or die("Couldn't connect to AD!"); 
         
if ($ds) { 
// use your AD domain below
$domain="Domain"; 
             
$ldapbind = ldap_bind($ds);
if (!@ldap_bind( $ds, $domain."\\".$this->username, $password) ) return $this->check_passwd($password);
else return true; 
}else return $this->check_passwd($password);

}

5. Find:

if(($user=new StaffSession(trim($username))) && $user->getId() && $user->check_passwd($passwd)) in function_login

6. Change the above line to:

if(($user=new StaffSession(trim($username))) && $user->getId() && $user->check_ldap_passwd($passwd))

That's it, hope someone enjoys :)... I've also attached a copy if you haven't already modified your own file - make sure to update it with your ad info

[class.staff.zip](https://forum.osticket.com/assets/files/migrated/1/c47c75fa5ef84c0d7bc924a12437f4e.zip)

anderus

Thanks for this! Replaced the class.staff.php wholesale on a new install, and it works great. However, it seems accounts can still auth against both the database and AD. Not a big problem, will probably replace the database passwords with random sequences.

hawkhead99

No problem!

It will first try to login with AD and if that is not found, it will check against the osticket database. Nice to have if you have some maintenance users in osticket - or just users not in AD.

If you don't want that functionality - the following should take care of it:

1. The part of the code that says this:

if (!@ldap_bind( $ds, $domain."\\".$this->username, $password) ) return $this->check_passwd($password);

else return true;

}else return $this->check_passwd($password);

}

2. Change it to this:

if (@ldap_bind( $ds, $domain."\\".$this->username, $password) ) return true;

}else return false;

}

and then you can delete the whole check_passwd function

zhza

@[deleted]

Your snippets work great !!

Would appreciate if you could include the snippets for the Check Ticket Status page, such that the public can login with only their email (default behavior) but staff must login with their AD account. TIA.