Active Directory Auth for staff

jpastin

This turned out to be pretty easy. Just create OSTicket staff members with the username matching the AD username. You also need php-ldap installed and enabled.

in include/class.staff.php

function getInfo() {

return $this->udata;

}

/*compares user password*/

function check_passwd($password){

// Change made for LDAP Auth

// J. Pastin 1-6-10

//return (strlen($this->passwd) && strcmp($this->passwd, MD5($password))==0)?(TRUE):(FALSE);

// Change this line to the FQDN of your domain controller

$ds=ldap_connect('ldap://mydc.mydomain.com') or die("Couldn't connect to AD!");

// Change this line to the name of your Active Directory domain

$domain="mydomain";

if (!@ldap_bind( $ds, $domain."\\".$this->username, $password) ) {

// Auth failed!

return(FALSE);

}

else{

// Auth succeeded!

return(TRUE);

}

// End Changes

}

function getTZoffset(){

global $cfg;

$offset=$this->udata;

return $offset?$offset:$cfg->getTZoffset();

}

CraigG

This Works Great!

Just wanted to thank you for this bit of code. I implemented pretty easily. The only thing I had to trial-and-error was the domain. Initially I did our full domain: DOMAIN.TLD and it didn't work for some reason. When I changed it to just the NETBIOS domain, it worked great.

I did it on Centos 5.4 64 backended to MySQL and our AD is 2003.

Thanks again for a great mod-hopefully it'll get incorporated as an option in the next release!

jpastin

Glad you found it useful. If you use AD, you might be interested in this MOD as well:

AD lookup of Name and Email

http://osticket.com/forums/showthread.php?t=2675(http://osticket.com/forums/showthread.php?t=2675)

JoseLuis

Thank you jpastin,

Works great!

I just made a litle change.

After checking AD and if FAIL try to authenticate agaisnt osTicket database. Why ?

Because I created some users (backdoor users) that are only present in osTicket..

I will share if someone think usefull

/*compares user password*/

function check_passwd($password){

// Change made for LDAP Auth based on -> http://osticket.com/forums/showthread.php?t=3312

// Change this line to the FQDN of your domain controller

$ds=ldap_connect('mydc.mydomain.local') or die("Couldn't connect to AD!");

// Change this line to the name of your Active Directory domain

if ($ds) {

$domain="mydomain";

$ldapbind = ldap_bind($ds);

if (!@ldap_bind( $ds, $domain."\\".$this->username, $password) ) {

// Auth failed! lets try at osTicket database

return (strlen($this->passwd) && strcmp($this->passwd, MD5($password))==0)?(TRUE):(FALSE);

// return(FALSE);

}

else{

// Auth succeeded!

return(TRUE);

}

// End Changes

}

ern

Hi guys,

I can not read user/pass from openldap server (@SLES)

Could You tell me please what is the corrent syntax:

$ds=ldap_connect('mydc.mydomain.local')

$ds=ldap_connect('ldap://mydc.mydomain.com')

Does anybody connent successfully with linux ldap server?

How to check where is the problem?:/

Ldap server is configured from this:

http://vavai.net/2010/03/30/how-to-samba-pdcopenldap-on-opensusesles-part-2-finish(http://vavai.net/2010/03/30/how-to-samba-pdcopenldap-on-opensusesles-part-2-finish)

and it's working as PDC perfectly, I'm configured Joomla and Redmine to authenticate with it, working great:)

Thanks for help,

Lucas

Marinity

Usefull thing. thanks a lot of for such information

x09

openldap fix

function getInfo() {

return $this->udata;

}

/*compares user password*/

function check_passwd($password){

// Change made for LDAP Auth

// J. Pastin 1-6-10

//return (strlen($this->passwd) && strcmp($this->passwd, MD5($password))==0)?(TRUE):(FALSE);

// Change this line to the FQDN of your domain controller

$ds=ldap_connect('ldap://domain.zone') or die("Couldn't connect to LDAP!");

// Change this line to the name of your Active Directory domain

$domain="uid=".$this->username.",ou=Users,dc=sub1,dc=org1";

if (!@ldap_bind( $ds, $domain, $password) ) {

// Auth failed!

return(FALSE);

}

else{

// Auth succeeded!

return(TRUE);

}

// End Changes

}

function getTZoffset(){

global $cfg;

sven123

Im a confused, do you still need the create local osticket user, or is al the userinfo stored in the ad and when you type the username/password it checks against the database?

snoop168

has anyone gotten this to work from a Linux (ubuntu to be exact) webserver to a windows AD? I just keep getting login failed messages eventually locking it out. Ive tried setting the FQDN to the actual xxxx.local and also just xxxx and the domain variable to just xxxx. No luck. Does anyone know the code i could try in a php file by itself to debug this and see if its even making the connection. I read that I may need to make the connection over SSL... Don't know how to do that... And yes "php5-ldap" package has been installed via apt-get...

cloudpointoh

Is there a possibility of taking this code and using it to authenticate regular users to AD? I'm thinking that we could easily create an Active Directory Group for OS Ticket users and then allowing them to use their AD account or even using the current Windows user for authentication. Thoughts?

JoseLuis

has anyone gotten this to work from a Linux (ubuntu to be exact) webserver to a windows AD? I just keep getting login failed messages eventually locking it out. Ive tried setting the FQDN to the actual xxxx.local and also just xxxx and the domain variable to just xxxx. No luck. Does anyone know the code i could try in a php file by itself to debug this and see if its even making the connection. I read that I may need to make the connection over SSL... Don't know how to do that... And yes "php5-ldap" package has been installed via apt-get...

A good utility to help find the correct DN for you is JXplorer. It is an LDAP browser that can give raw table data. http://www.jxplorer.org(http://www.jxplorer.org) Just navigate to the OU you want, flip to the 'Table Editor' tab and select the value of 'distinguishedName'

***Be careful with JXplorer, you can screw up your AD if you start changing stuff***

pixelbaker

Is there a possibility of taking this code and using it to authenticate regular users to AD? I'm thinking that we could easily create an Active Directory Group for OS Ticket users and then allowing them to use their AD account or even using the current Windows user for authentication. Thoughts?

This would be my preference as well. It simplifies things for the end-user, but still requires manual creation of an account in the system. This gets to be a huge pain. Anyone have any ideas?

ems

Thankyou!!

Thank you!!

This worked perfectly & took only a minute to get working!

Windows Server 2008R2

Maxplayer14

Anyone got this to work lately? I have been unable to, and I was wondering why on ldap_bind there isn't any login info? Like why aren't we?:

$ldapbind_user =

$ldapbind_pwd =

At the staff login screen now when I use this, I put in the username and password and it just says "Invalid Login."

Maxplayer14

This is how I have modified to try and get it to work, but still no dice:

/*compares user password*/

function check_passwd($password){

// Change made for LDAP Auth

// J. Pastin 1-6-10, Modified by J. Malone

//return (strlen($this->passwd) && strcmp($this->passwd, MD5($password))==0)?(TRUE):(FALSE);

//Domain info

$ldap_url = 'pdc.xxxxx.org';

$ldap_domain = 'xxxxx.org';

$ldap_dn = "OU=IS Staff,dc=xxxxx,dc=org";

//Account for LDAP connection

$ldapbind_usr = "xxxxxx";

$ldapbind_pwd = "xxxxxxx";

// Change this line to the FQDN of your domain controller

$ds = ldap_connect( $ldap_url )or die("Couldn't connect to LDAP!");

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

$login = ldap_bind( $ds, "$ldapbind_usr@$ldap_domain", $ldapbind_pwd );

// Change this line to the name of your Active Directory domain

$domain="uid=".$this->username."ldap_dn";

if (!@ldap_bind( $ds, $domain, $password) ) {

// Auth failed!

return(FALSE);

}

else{

// Auth succeeded!

return(TRUE);

}

// End Changes

}

Maxplayer14

Wish I could resolve this... Has anyone been successful at it?

jhochwald

Here is how i implement it

This works well with OpenLAP and Open Directory (Apple Implementation based on OpenLDAP):

Download adLDAP from sourceforge (Tested with 3.3.2): (http://prdownloads.sourceforge.net/adldap/adLDAP_3.3.2.zip?download)

At the top of class.staff.php

include("adLDAP/adLDAP.php");

Search for function check_passwd

Replace the Function with this:

/*compares user password*/

function check_passwd($password){

// Change made for LDAP Auth

// Joerg Hochwald <http://www.bewoelkt.net>

//return (strlen($this->passwd) && strcmp($this->passwd, MD5($password))==0)?(TRUE):(FALSE);

<s>**</s>return (strlen($this->passwd) && strcmp($this->username,$password))?(TRUE):(FALSE);<e>**</e>

// Change this line to the FQDN of your LDAP Server

$ds=ldap_connect('ldap://<s>**</s>YOURLDAPSERVER<e>**</e>) or die("Couldn't connect to LDAP!");

// Change this line to the name of your LDAP Tree

$domain="uid=".$this->username.",<s>**</s>cn=users,dc=admins,dc=bewoelkt,dc=net<e>**</e>";

if (!@ldap_bind( $ds, $domain, $password) ) {

// Auth failed!

return(FALSE);

}

else{

// Auth succeeded!

return(TRUE);

}

// End Changes

}

You have to create a user in OST with excatly the same login as the login in your LDAP Directory! Give him a dummy password!

There a a few stange things: The user has to login with the Dummy password an change it to whatever he like.

After that he is able to login with the password from LDAP and the local one in OST.

And a hint about security:

If your LDAP Server and OST are not in a private network (behind a firewall?) you shoul use Secured LDAP (aka LDAPS)!

And last but not least: If your Directory need a bind to connect, you have to change the code above. Read the adLDAP for further infos about binding ;-)