LDAP authentication not working

poncho

Hi,we're using OTRS at the moment but I'm searching for an alternative. So I try to set up osTicket with LDAP authentication for agents (later for customers too). But it doesn't work.Is somewre a more detailed error log? I switched to DEBUG in the settings but it only shows a failed login in event logs.I used the same LDAP settings as for OTRS. But in osTicket it doesn't work.I'm also wondering why I have to set a default domain for Active Directory... I only want to setup LDAP. blank

ntozier

Your DNS server line appears to be blank.I think your DN is probably wrong as it appears to be a lot more than a username (DN).

poncho

I also tried to add the DNS server - made no difference. And it is for AD. I don't want to use AD.A DN is not a username, so this should work as it is the same like in OTRS. It is the DN of the search user. If I only user the username, I get an "invalid DN syntax" error.My OTRS config looks like this and works: $Self->{'AuthModule'} = 'Kernel:::'; $Self->{'AuthModule::'} = 'ldaps://ldap.XXX.de'; $Self->{'AuthModule::'} = 'ou=user,dc=XXX,dc=de'; $Self->{'AuthModule::'} = 'uid'; $Self->{'AuthModule::'} = 'uid=svc-ub-otrs,ou=user,dc=XXX,dc=de'; $Self->{'AuthModule::'} = 'XXX'; $Self->{'AuthModule::'} = 'memberUid'; $Self->{'AuthModule::'} = 'UID'; $Self->{'AuthModule::'} = { port => 636, version => 3, scope => 'sub', };How to get this working in osTicket?

ntozier

My DN is set to: domain\username.

Chefkeks

Just out of curiosity when you say that I don't want to use AD what ldap do you use? OpenLDAP?Asking since we use osTicket with AD here and it works like a charm. Going to post our config tomorrow ;)Beside, can you post more info about your server running osTicket?Cheers,MichaelEDIT/UPDATE:Attached our LDAP plugin config below - as you can see I just replaced the default domain, the dns servers and the ldap servers - but our search/bind user and the rest is shown as we use it with our AD.

Chefkeks

Oneil

I have nothing entered in Connection Informationimportant the plugin also enable;-) in east ticket and the php module

poncho

II'm currently not on a computer with access to our network but I just analysed the source code of the LDAP plugin. It looks like the schema is the problem. I'll check that tomorrow and try some code modifications.

Chefkeks

Sounds promising, let us know what you've then found out :)

poncho

OK, I modified the LDAP plugin. This is the schema I'm using now: 'XXX' => array( 'user' => array( 'filter' => '(objectClass=person)', 'first' => 'givenName', 'last' => 'sn', 'full' => 'cn', 'email' => 'mail', 'username' => 'uid', 'dn' => 'uid={username},{search_base}', 'search' => '(&(objectClass=person)(|(uid={q}*)(cn={q}*)))', 'lookup' => '(&(objectClass=person)({attr}={q}))', ), ),But that's not enough to login. I found out that after authentication the plugin searches the agent in local database, not in LDAP. The agent does not exist, so it fails.Is it necessary to add agents to osticket before they want to authenticate via LDAP?

Chefkeks

Q: Is it necessary to add agents to osticket before they want to authenticate via LDAP?A: Yes! So maybe that's the issue?! ;)

poncho

I didn't test with an existing agent. But the code shouldn't work either way.But so I don't have to try anymore. I don't want to create all users seperatly.Thanks for your help guys!

Chefkeks

Don't know if it is interesting for you, but you could combine ldap and HTTP auth plugins to achieve SSO. That way (under certain settings) the user accounts get automatically created when the users access the page and hit the sign in button.

That's btw. how we use osTicket and never had any trouble with that. For more info take a look at the following discussion: http://forum.osticket.com/d/discussion//http-passthru#latest

poncho

Thanks for that hint. I'll have a look at it.