Hello, we've recently added the LDAP authentication plugin and are trying to get osTicket to connect properly with the directory server. We're using Open Directory in our office network. Our osTicket is actually placed externally in the cloud. We set up an IPsec tunnel for LDAPS to allow communication from our osTicket to the local office network with connection to the Open Directory. We've tested communication to check port 636 and have confirmed that communication can work between the two systems.

Now, we've gone into the LDAP Authentication plugin to set the configuration and seem to be having a problem. All details are set correctly (to our knowledge) but it gives an error: "Bind failed: Can't contact LDAP server: Unknown Net_LDAP2 Error (-1): Unable to bind to opendirectory.ourserver.com". We tried both enabling/disabling the "Use TLS" option and with/without the port number but it still gives the same error. Any ideas? Thank you in advance.

Maybe inside the web server PHP log there is more info. If there is not more info, you could try to place the NET_LDAP2 files on the server and try to connect directly with the example script (which I guess can be found on the web) or by copying and pasting the necessary sections from the manual over at http://pear.php.net/manual/en/package.networking.net-ldap2.php into an example / test script. I don't have any other idea what could cause the issue at the moment.

Thanks for the quick reply. I tried looking in /var/log/apache2/error.log file but don't see anything related to this. Can you tell me which sections I need to copy out of the manual you provided? Or is there an existing script that can be used?

I have not yet looked around on the web, but I am sure there are some example files for NET_LDAP2 to easily add your connection settings and details and see what error it gives you. In case there is really no example at all, have a look at my osTicket Addon - we use it in my company to fill our osTicket database with LDAP info - which also uses NET_LDAP2 and is something like an example. But make sure to delete all the unnecessary code or copy and paste the code you need for testing ;)

Just look here: https://github.com/Chefkeks/osTicket-Addons

NET_LDAP2 is used in that file: https://github.com/Chefkeks/osTicket-Addons/blob/master/ldap_user_info/update_user_info.php

Thanks so much. So the point here is to just put it on the server to see if we can get it to connect to the Open Directory or give a more useful error message, right? According to your update user file I'll need Net/LDAP2.php, config.php, class_function.php - can I just put this all in one folder and then run the update_user_info.php from the server? Lastly, what is the purpose of $ldap_attributes and $ldap_filter - sorry, this is just sort of new to me :)

Our script is not designed to debug such errors - you won't need all that stuff (config.php and class_function.php) - just create a new php file on your web server and copy the parts at the beginning of the update user file which contain the NET_LDAP2 part to your script and execute it in the browser. You will also need to modify some parts of that new php script to get some output what's going on and to see if it succeeds or fails. So my script was more like an additional help or reference, but when it does not help you it's maybe better to look around in the web for a test script to verify LDAP connection. I'm sure there are some around out there ;)

Thanks for the information. Does the LDAP authentication plugin require that we bind the servers? It was my impression that when it is read only there is no need to bind the servers...

I did find another script on the net. It gave me the following output:

```
Unable to bind to server.
msg:'Can't contact LDAP server'
-1
Unable to bind anonymously
msg:Can't contact LDAP server
```

Below is the code:

```php
<?php
$username = 'user';
$password = 'pass';
// The array keys were lost when the post was extracted; 'host', 'port' and 'basedn' are assumed here.
$ldapconfig['host']   = 'host';
$ldapconfig['port']   = '636';
$ldapconfig['basedn'] = 'DC=od,DC=server,dc=com';

// ldap_connect() with a bare host and port 636 speaks plain LDAP on that port;
// an LDAPS connection needs the 'ldaps://host:636' URI form instead.
$ds = ldap_connect($ldapconfig['host'], $ldapconfig['port']);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

// The bind name is the bare username here; a non-AD directory normally expects a full DN.
$dn = "" . $username . "";
if ($bind = ldap_bind($ds, $dn, $password)) {
    echo("Login correct");
} else {
    echo("Unable to bind to server.</br>");
    echo("msg:'" . ldap_error($ds) . "'</br>" . ldap_errno($ds) . "");
    // Fall back to an anonymous bind and list the entries under the base DN
    if ($bind = ldap_bind($ds)) {
        $filter = "(cn=*)";
        if (!($search = @ldap_search($ds, $ldapconfig['basedn'], $filter))) {
            echo("Unable to search ldap server<br>");
            echo("msg:'" . ldap_error($ds) . "'</br>");
        } else {
            $number_returned = ldap_count_entries($ds, $search);
            $info = ldap_get_entries($ds, $search);
            echo "The number of entries returned is " . $number_returned . "<p>";
            // ldap_get_entries() stores the entry count in $info['count'] and the entries at 0..count-1
            for ($i = 0; $i < $info['count']; $i++) {
                var_dump($info[$i]);
            }
        }
    } else {
        echo("Unable to bind anonymously<br>");
        echo("msg:" . ldap_error($ds) . "<br>");
    }
}
?>
```

[testldap1.php.zip](https://forum.osticket.com/assets/files/migrated/FileUpload/12/9628f25932588eb11d403ba899389a.zip)

I'm not super up on LDAP/AD but my understanding is that binding in ldap is where the LDAP server authenticates the client, and if successful allows the client to access the server based on that client's privileges.

Yes, bind with username and password is required for the osTicket ldap plugin. As far as I know it is currently not possible to do an anonymous bind. So I suggest you should try an "non-anonymous" bind ;)

Thanks for quick response. Good to know the "non-anonymous" bind isn't an option :)

I thought that anonymous bind was something that one has to setup server side for it to work...

Yes, that's what I thought as well. I was actually told this was enabled (server-side) however according to the script above it clearly displays "Unable to bind anonymously". So I'm assuming we need to actually bind the machines to get the plugin to work properly. Going to try to do this and will report back :)

Please let us know what you learn. :)

10 days later

So I have an update :) We were able to get the bind working. Two things were changed that allowed us to move forward:

- Created an entry for the LDAP server on our DNS server
- Changed the port from 636 to 389 - this had to be done on our firewall. However, because the traffic is set up using an IPsec tunnel, the fact that we're using port 389 is fine because the traffic is already encrypted.

Now, while we got the success message "LDAP configuration updated successfully" we still appear to have an issue. We have selected to do Client Authentication, so when we go to Check ticket status to log in as a client it gives us an error "Access denied"....

Is it possible that it's not looking at the correct field in the LDAP server? Again, we're using Open Directory and it should be using the uid field, how can we check this? Or maybe there is something else different between Open Directory and Active Directory?

My understanding (and I could be wrong) is that the AD samAccountName field is the one that is used.

So this could be why it doesn't allow our users to connect? Is there a way I can change which Field is used?

If there is, it would probably be to not use Active Directory in the drop-down select in the plugin. Otherwise you would probably have to look at the plugin source and alter it to suit your needs.

Okay, I tried both Active Directory and Posix account for the LDAP Schema and no luck. You mean edit the auth-ldap.phar file? Any idea which part I need to edit? Pretty sure I only need to change the samAccountName to use UID instead.

I have no idea which part you would want to edit, as I haven't really looked at it in a while. Since it's a phar, though, you would have to un-Phar it first.

I found the place in the auth-ldap.phar file to change samAccountName. Unfortunately it didn't seem to help, but must I first un-Phar? And if so, how is that done?
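An added test script (not from this thread or the osTicket plugin) that mirrors what the plugin has to do and makes the schema question above testable: a service-account bind, a lookup of the login name through the attribute each schema uses (sAMAccountName for AD, uid for a POSIX/Open Directory account), then a bind as the DN that was found. Host names, DNs and credentials are placeholders; the function name and the schema map are this example's own.

```php
<?php
// Added example: check which login attribute the directory matches on.
// Hostnames, DNs and credentials below are constructed placeholders.

// Attribute that holds the login name for each schema the plugin offers.
const LOGIN_ATTR = [
    'ad'    => 'sAMAccountName',   // Active Directory
    'posix' => 'uid',              // Open Directory / OpenLDAP posixAccount
];

function ldap_check_login(string $uri, string $bindDn, string $bindPw,
                          string $baseDn, string $schema,
                          string $login, string $userPw): string
{
    $ds = ldap_connect($uri);   // ldap:// over the IPsec tunnel, or ldaps:// for LDAPS
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);

    // 1. Service-account bind (the plugin cannot bind anonymously).
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        return 'service bind failed: ' . ldap_error($ds);
    }

    // 2. Look the user up by the schema's login attribute. Escaping the value
    //    keeps a crafted login name from changing the meaning of the filter.
    $attr    = LOGIN_ATTR[$schema];
    $filter  = sprintf('(%s=%s)', $attr, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $res     = ldap_search($ds, $baseDn, $filter, ['dn']);
    $entries = ldap_get_entries($ds, $res);
    if ($entries['count'] !== 1) {
        return "no unique entry with {$attr}={$login}: " . $entries['count'] . ' found';
    }
    $userDn = $entries[0]['dn'];

    // 3. Re-bind as the user's DN with the supplied password to verify the credentials.
    $ok = @ldap_bind($ds, $userDn, $userPw);
    ldap_unbind($ds);
    return $ok ? "authenticated as {$userDn}" : 'wrong password for ' . $userDn;
}

// Constructed usage: run once with 'posix' and once with 'ad' to see which lookup finds the user.
echo ldap_check_login('ldap://opendirectory.example.test:389',
    'uid=svc-osticket,cn=users,dc=od,dc=example,dc=test', 'svc-password',
    'dc=od,dc=example,dc=test', 'posix', 'jdoe', 'user-password'), PHP_EOL;
```

If the 'posix' run reports a unique entry and the 'ad' run reports none, the directory exposes the login name only under uid, which is the mismatch the "Access denied" result points to.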
