LDAP-Plugin: Use without registration?

zabbx

I wish to authenticate users via our openldap server.
I have set up the ldap-plugin, and users now can authenticate using their credentials, I can also see them automatically added to the user list in the Agent Panel.
Problem is, now I still allow anyone to register, meaning anyone who has access to the website could make an account.
But I want ONLY ldap-users to be able to use the ticket system.
I have tried setting "Registration Method" to "Private" and "Disabled", but when it was Private, users who did not log in previously couldn't authenticate via LDAP, and when it was Disabled the login field (as expected) completely disappeared.

What is the proper way to use LDAP plugin to ONLY allow ldap users to use the system?

probably irrelevant info about setup:
php 8.3 (I have checked, it has non-breaking changes)
ldap plugin 0.6.2 (latest as of writing)
osTicket v1.18.1 (latest as of writing)
modules and libraries probably all in latest version, I made this fresh yesterday for testing

KevinTheJedi

zabbx

PHP 8.3 is not supported yet so downgrade asap.
Set registration to private. Users can still login if you have registration set to private. Any user via ldap that doesn’t have an account will still be auto-registered even with registration set to private as they are pre-authorized users. Only users who don’t already have an account can’t register themselves.

Cheers.

zabbx

I have downgraded php and sadly I cannot replicate the described behaviour.

In Settings under "users" I have set "Registration Method" to "private - only admins can register users", then my LDAP user could not log in.
Afterwards I have set it to "public - anyone can register" and LDAP login worked again, I could also see the user in the agent with backend-LDAP, so I must assume that LDAP is configured correctly.

As far as I can get users can NOT auto register via LDAP when registration is set to private.
However, if I log in as a user whilst registration is public and the account gets created in the backend, that user can log in again when registration gets toggled to private, but I need LDAP-users to authenticate even when they only have an LDAP account, not yet an OSTicket account.

Please view attached images to check if my settings are otherwise correct, thanks.

My settings when I want it to be private:
OSticket formal response when a LDAP user tries to first time login with above settings:

LDAP-instance config showing I have client auth enabled:

KevinTheJedi

zabbx

Hmm that’s interesting then. I’ll have to add this to my list to look into. Won’t be for a while though.

Cheers.

zabbx

What may be relevant is that I use OpenLDAP, not Active Directory.
I also found out that I cannot lookup users no matter what, however the settings for the plugin claim that I can successfully bind.

KevinTheJedi

zabbx

I use OpenLDAP (not a windows shop) and do not have such issues. So again, I will need to test this which will take some time.

Cheers.

zabbx

I have encountered future issues with the plugin which may be related,
Situation: I have a big OpenLDAP tree that has both IT- Admins and "normal" users in seperate branches.
I desire to allow staff/agent login via LDAP too, so I have configured another LDAP Instance, identical to the client login one, except that I allow staff login instead of client login:

However, staff login (and registration on first time login) does not work.
My first guess looking at the code is that when a user that is not locally known tries to login, osticket scans all backends for that user if they are inside there, and if the user is not found it will not attempt to register them locally.
I think all my issues are related to the ldap plugin not being able to lookup users, but with manual console commands I can confirm that using normal ldaptools the server does indeed have the ability to lookup users and admins as an anonymous user.
Perhaps this could help you trace the problem KevinTheJedi

KevinTheJedi

zabbx

There are known issues with multi-instance ldap plugin. For now you must use single instance.

Cheers.

zabbx

I see, I have also noticed that I can register as a staff member when I register the Agent manually and set backend to LDAP, I previously assumed that the plugin designates the search tree automatically as users which are privileged.

KevinTheJedi

zabbx

Only users not agents. Agents always need to be created manually first as you have to configure access, etc.

Cheers.