Active Directory User Authentication Doesn't Work - Agents Do..?

eagletech

I appreciate you working with me. Last week we were on Spring Break so I had some cycles to spend on this. Unfortunately, I don't have time to spend right at the moment. I will try to get back to you. Thank you!

purush

KevinTheJedi

Thank you for those tips - after debugging this (to some extent), I think the issue might be related to PHP 8.1.0 migrating from ldap resource to LDAP classes. So ldap result is replaced with LDAP\Result and ldap result entry is replaced with LDAP\ResultEntry. The same functions now return objects instead of resources. This seems to be causing issues in parsing search search results where checks using is_resource() are failing.

Am I on the right track here?

KevinTheJedi

purush

If that's the case how come I can use PHP 8.1 with LDAP with no issues?

Cheers.

purush

That's a good question. I was able to track the LDAP logs and saw the search result being returned, but when the auth-ldap code was trying to convert the search results into Net_LDAP2_Entry objects, it was not able to convert them.

When I added debugs, I got this error from the shiftEntry() method:
" Unable to create connected entry: Parameter $entry needs to be a ldap entry resource! "

When I printed the actual object it was trying to convert, it was of type LDAP\ResultEntry. That is what got me looking at PHP 8.1.

I honestly don't know how its working for you. Sorry I could not help more with the debugging.

BTW, if I try to hack it temporarily and accept the search result as a LDAP\ResultEntry object, I am able to successfully authenticate (the problem was when it was trying to retrieve the DN from the search result).

purush

I also found another minor issue with the configuration.php file in auth-ldap.phar - when we specify a port number in the ldap servers information (as host:port) in the instance detail screen, it assumes the port number is at most 4 digits, I think it needs to be adjusted to allow up to 5 digits.

KevinTheJedi

purush

Nevermind...I feel SO stupid right now.. this ENTIRE time I forgot I had already made those changes to convert is_resource() to valid checks and that's why mine has been working... the reason I didn't know about the changes is because I was editing the raw plugin from within my normal core osTicket git not the osTicket-plugin git so it didn't track the plugin changes..

Your comment really helped me by making me question my own sanity and I can't thank you enough lol 🙌

Cheers.

purush

My environment is as follows:

php --version

PHP 8.1.17 (cli) (built: Apr 9 2023 16:48:03) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.1.17, Copyright (c) Zend Technologies
with Zend OPcache v8.1.17, Copyright (c), by Zend Technologies

lsb_release -a

No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

KevinTheJedi

purush

What changes did you make so far? Please post them here.

Cheers.

purush

in config.php, line 161 changed to:
if (preg_match('/([^:]+):(\d{1,5})/', $host, $matches))

in authentication.php, line 120 changed to:
if (preg_match('/([^:]+):(\d{1,5})/', $h, $matches))

KevinTheJedi

purush

I'm talking about this part:

BTW, if I try to hack it temporarily and accept the search result as a LDAP\ResultEntry object, I am able to successfully authenticate (the problem was when it was trying to retrieve the DN from the search result).

I'm curious to see what you did to authenticate successfully.

Cheers.

KevinTheJedi

Everyone,

We will have a pull request made and a new build of the plugin released soon that should resolve the user login issue.

Cheers.

KevinTheJedi

Here is the pull if anyone is interested:

https://github.com/osTicket/osTicket-plugins/pull/271

KevinTheJedi

Everyone,

Below is a custom build of the plugin until we make new releases. This has the PHP 8.1 support patches as well as a patch to fix a fatal error included. Just replace your current plugin build with this build (after unzipping of course).

auth-ldapphar.zip

116kB

mtovar

Updated the plugin with this one KevinTheJedi and client authentication works as expected. Thanks

gamerclassn7

If anyone have same problem whitch is not respolved by build from @"KevinTheJedi" i created separed thread where i am trying to troubleshoot it 🙂

https://github.com/osTicket/osTicket-plugins/issues/273

KevinTheJedi

gamerclassn7

That's because your issue is completely unrelated to this thread. Your issue is with LDAPS not connecting at all. This thread is about LDAP is able to connect but user authentication is not working.

Cheers.

gamerclassn7

KevinTheJedi OK sorry should i remove the message ?

soiledhalo

Sigh, I have a similar issue using the LDAP plugin, inclusive of the one that @KevinTheJedi submitted. I installed it, configured it and it works fine for agent creation, but no matter what, the user accounts get access denied.
OS: AlmaLinux 9.2
OSTicket v1.17.3
Apache: 2.4.53
MySQL: 10.5.16
PHP: 8.1.19

I have all of the recommended extensions installed as well.
I also checked the ost_user_account table and can confirm that the backend is ldap.client.pxxx

Is there anything else I can check to get this to work?

Regards.

KevinTheJedi

soiledhalo

Clear the cache/cookies and retest. Have them try a different browser/device. Make sure you restart the webserver and PHP-FPM (if you're running it) to clear any file cache. If you use a shared host ask them if there is anything else you need to do to clear any file cache. Most of the time PHARs are heavily cached so even if you replace the PHAR file it will still serve the cached version.

Other than that look into your logs on the AD server to see if their authentication attempts are actually going through and if they are successful or not.

Cheers.

soiledhalo

KevinTheJedi To confirm, I deleted the file and restarted the server before replacing it. I manage the server so I have full access. I see in Event Viewer the successful LDAP authentication on the AD server "An account was successfully logged on."
Will continue to read, but I'm unsure on what else I can do. Is there a way to run OSTicket or the Plugin in a debug mode?

KevinTheJedi

soiledhalo

No, you'll need to add debug statements in the code yourself. It does sound like the new plugin is not loading for some reason. Check your logs (general server logs, webserver error logs, PHP error logs, MySQL/MariaDB error logs, osTicket System Logs, Browser Console logs, etc.) for any related errors on User login.

Cheers.

« Previous Page Next Page »