ldap not enter whit user : Page 2

ldap not enter whit user

KevinTheJedi

Can you look at the backend for the Users in the ost_user_account table? Want to see if the ones having to do full domain and username is related to ones with backend set to old way instead of new way with multi-instance.

Cheers.

dgcupit

KevinTheJedi

Well, I would, but I'm no expert at SQL, so I'm not sure how I'd go about doing it. Do you have a query I could run to gather the info you're requesting?

Seems like there should be an LDAP checkmark in the user's account, or some front-end method to set the auth method, as you have in the Agents account settings, or better a universal first-method for auth configuration. LDAP first, internal 2nd, etc.

pcjkollmorgen

We are seeing the same issue.

Some people have used their email address as their username.

The top account worked without needing any prefix to the username, however that is likely because I've not signed in with that account before until today.

Our LDAP Schema setting in the plugin settings is set to Microsoft Active Directory.

KevinTheJedi

pcjkollmorgen

Okay yea that was my suspicion. You see the backend for the top account has p then the plugin ID then i then the instance ID added to it. So the other ones it doesn’t know which plugin and which instance to use so it must be defaulting to something else or back to local login. So you can simply run an SQL query to update all user account with backend equal to ldap.client to the value set for the working account. Then everything should be good. We can look at writing and upgrader script to do this upon upgrade but for now running the query manually will do.

Cheers.

davidbuzz

I fixed it in my private branch to not require plugins naming conventions in getAllowedBackends() and getBkId() to be a precise match... allowing the old and new format/s to match as "close enough"... it a bit verbose with a few extra intermediate variables than it had before, so that debugging is easier. :-) Feel free to use this, or take inspiration from it.... or to improve the plugin migration code to upgrade plugin names . applying this diff "worked for me".

diff --git a/include/class.auth.php b/include/class.auth.php
index 6039b24..1ff487a 100644
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -327,10 +327,19 @@ abstract class AuthenticationBackend extends ServiceRegistry {
             return false;
 
         $backends =  static::getAllowedBackends($username);
-        foreach (static::allRegistered() as $bk) {
+        $x = static::allRegistered();
+        foreach ($x as $bk) {
+
+            $y = $bk->supportsInteractiveAuthentication();
+            $ii = $bk->getBkId(); //might not be formatted the same as the $backends array, with or without the .pXXiYY extension.
+            $z = in_array($ii, $backends); //check if the backend is in the list of allowed backends for this user - exact check first.
+            foreach ($backends as $idx => $val ) { // fuzzy check by prefix, allowing either of the strings to be a prefix of the other.
+                if ( stripos($val, $ii) === 0 ) { $z = true; break;}
+                if ( stripos($ii, $val) === 0 ) { $z = true; break;}
+            }
             if ($backends //Allowed backends
-                    && $bk->supportsInteractiveAuthentication()
-                    && !in_array($bk->getBkId(), $backends))
+                    && $y
+                    && !$z)
                 // User cannot be authenticated against this backend
                 continue;

KevinTheJedi

dgcupit

No, but it's quite simple. You need to find a working user and copy their backend (eg. ldap.client.p123i123). Then you need to run a query like:

UPDATE `ost_user_account` SET `backend` = 'ldap.client.p123i123' WHERE `backend` = 'ldap.client';

For agents do the same thing but the query will look like:

UPDATE `ost_staff` SET `backend` = 'ldap.p123i123' WHERE `backend` = 'ldap';

Cheers.

dgcupit

KevinTheJedi

"You need to find a working user" - Can you clarify how I can find this person? Do you mean just identify a user, or is this something I'm supposed to look for in the DB, and if so, how?

I have a feeling this is beyond my abilities, as 'Then you need to run a query like' would require me to know what I am doing, which clearly I do not.

leo425

KevinTheJedi

Thanks for the help worked perfectly! 😃

MarkMansveld

We do not have a working user in the table, they all have ldap.client as a backend. Any way to find out what the plugin id and instance id are?

KevinTheJedi

MarkMansveld

Yes, there are three ways.

Login as an ldap user in the client portal that does not already exist in osticket. This will create a new account with the appropriate backend.
If you have LDAP available for agents you can go to any agent account in the admin panel, right click the Authentication drop-down, click Inspect to view the raw HTML, and look at the name for the ldap selection.
(Probably easiest) Go to the database, go to the plugin table, note the ldap plugin id (eg. 3), go to the plugin_instance table, search for where plugin_id equal to the ID of the plugin, and note the instance id (eg. 6). Now in my example query just replace p123i123 with the IDs you copied (eg. ldap.client.p3i6).

For agents you can simply set any agents Authentication dropdown to LDAP and view their account in the database and they should have the appropriate backend set.

Cheers.

dgcupit

KevinTheJedi Kevin,

Is there any plans to make a GUI-Selectable choice in the Admin panel for the client logins, or just a universal preference for login authentication first-try, where we can set LDAP as first try, then Internal Auth as 2nd, etc?

Basically, I'd like to not have to rummage thru the database, as I'm not skilled in doing so, in order to get the users to LDAP login without having to specify the domain\id

MarkMansveld

KevinTheJedi
This worked for us. Thanks

KevinTheJedi

dgcupit

We can add it to the feature request list for possible future development in v2.0. Stay tuned!

Cheers.

dgcupit

KevinTheJedi Would anyone be able to assist me in writing a script to fix whatever needs to be fixed on my system?

Here's a further question - If I delete a client from the Helpdesk, and then have that same user login again, will that fix the need for the domain? I ask because I created a test user in AD and logged into the Helpdesk with no need for specifying the domain, and I was surprised to see that it said that this test user had existing tickets. I clicked on them and it appears to be tickets created by my agent account, since for the test user account I put my agent email address. So it seems like the Helpdesk thinks that this test account owns these tickets due to the email address matching? So, if I delete a user from osTicket that has existing tickets in the system, and then have them login to the helpdesk again, will it allow them to login without the need for the domain, and will it still locate all of their previous tickets due to the email address matching in AD?

KevinTheJedi

dgcupit

If you delete a user from the helpdesk it requires the deletion of all associated tickets as well. So no, if you delete the user you will lose their tickets.

We can do so with our Professional Support services (go to our website and fill out the Contact Us form to submit a request) but honestly it's rather simple with the steps I outlined above; I even provided the queries you'll need.

Otherwise you can wait for a community member to chime in here for further assistance.

Cheers.

abeermuh

I am having the very same issue - I also tried login with a new user as well as deleting a user from existing DB including its associated tickets and tried relogin in from it and from a new user, but the result remains same - showing a blank page. Seems like the LDAP plugin is not working for staff to create a ticket. regardless of existing user tried to login or a new user. Could someone please help?

abeermuh

It worked for Agents. But not working for staff. Even cannot signin from new LDAP user that was not already exist in osticket.

geseronta

We are also having LDAP problems on 1.17 .. things worked fine on 1.15.4 but now we have agents only able to login via username (instead of username@domain.com UPN/email address), and clients/users cannot login to post a ticket at all. I posted our PHP errors in another thread but no replies there yet..

pcjkollmorgen

@geseronta

Have you tried the fix in post #15 ? https://forum.osticket.com/d/101553-ldap-not-enter-whit-user/15

i.e find your backend ID for the ldap plugin and update the backend field on all your users.

geseronta

pcjkollmorgen

username First Last ldap.p1i3 username@domain.net

The above person is in osticket.ost_staff and can login as an agent using 'username', but NOT 'username@domain.net'. All agents are setup with ldap.p1i3 backend.

All of the users in osticket.ost_user_account have the backend set to ldap.client

Brand new non registered users cannot sign into the client new ticket portal either, so I don't have any working user_account references to look at. (PLus the problem of email address login's not working too). Any suggestions?

Edit - looks like abeermuh has the same issues that I do, so we are not alone at least!

abeermuh

Yes, I did that but that only working for agents but not staff - As I mentioned above, even the new user is not able to signin to create a ticket. It shows blank screen after entering LDAP credentials .

ntozier

abeermuh

A blank screen indicates that there is a PHP error.
You will want to take a look at the PHP error logs to see what the logged error is.

I see that after posting that you resolved this by changing to PHP 8.0.
I haven't tried 8.1 with 1.17 yet.

« Previous Page Next Page »