This MOD was programmed for the company that I'm employed at, to ease access to osticket for our users.
A Warning first: If you use osticket for external users or customers, you should at least force https on your webserver. You don't want to send your username+password in plaintext.
Required to use this mod:
php ldap extension in php.ini
Installation Instructions:
Make sure you have the php ldap extension enabled
Create a backup of your osticket folder and the database
If you don't have any other mods installed or are sure that the files this mod provides don't influence your other mods, you can simply overwrite your osticket files with those in the *.zip. Otherwise you'll have to apply the changes by hand (PHP knowledge required).
After you've installed this mod you have to log into scp
Go to Admin-Panel
Go into the Settings, there you'll find the ldap settings.
You'll have to click on 'New LDAP Connection' and set everything there.
Save and test your Settings with LDAP Diagnostic. In LDAP Diagnostic choose a field you want to display the content of, for example 'cn'. If you get the expected content, the settings are correct.
To enable your staff/support crew to log in to scp with ldap credentials you have to create them like you usually do in osticket, with one catch, the username has to be exactly the same as in your ldap server. Osticket also compares the username you've entered in scp and will abort the log in if it doesn't find the username. I've left that in to enable admins/staff to log in without ldap even if it's configured.
You can set up multiple ldap connections to different domains. Set them up with a priority and this mod will try to log in to them with the entered username one after another. If all ldap log in attempts fail, this mod will try to log in to osticket the old way (it assumes you didn't enter an ldap username).
This has a downside. If multiple ldap domains have the same username, but with a different password (example: Administrator) and you log in to domain with priority 3, let's say 10 times, that user will probably be locked in the domains with priority 1 and 2.
So make sure that doesn't happen. I warned you.
Logon Example:
User+PW in domain1 -> failed
User+PW in domain2 -> failed
User+PW in osticket -> ok
Result: You've logged in
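One way to avoid the lockout described above, as an added example that is not the mod's own code: look the username up in every domain with the connection's admin account first, and send the password only when exactly one domain knows that name. The function names and the configuration keys (uri, base_dn, admin_dn, admin_pw, login_attr) are assumptions; it needs PHP 7.4+ with the ldap extension.

```php
<?php
// Added example, not the mod's code. Each $domains entry uses assumed keys:
// uri (ldaps://...), base_dn, admin_dn, admin_pw, login_attr (e.g. sAMAccountName).

// Look the user up with the admin account; null if absent or unreachable.
function find_user_dn(array $d, string $user): ?string
{
    $ds = ldap_connect($d['uri']);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    $dn = null;
    if (@ldap_bind($ds, $d['admin_dn'], $d['admin_pw'])) {
        // Escape the name so it cannot change the search filter.
        $name = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
        $res = @ldap_search($ds, $d['base_dn'], "({$d['login_attr']}=$name)", ['cn']);
        $e = $res ? ldap_get_entries($ds, $res) : false;
        if ($e && $e['count'] === 1) {
            $dn = $e[0]['dn'];
        }
    }
    ldap_unbind($ds);
    return $dn;
}

// Returns 'ok', 'ambiguous' or 'failed'.
function ldap_chain_login(array $domains, string $user, string $pass): string
{
    // An empty password makes ldap_bind() an anonymous bind, which many
    // servers accept, so it must never count as a login.
    if ($user === '' || $pass === '') {
        return 'failed';
    }
    // Reject server certificates that do not validate (set before connecting).
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $hits = [];
    foreach ($domains as $d) {
        if (($dn = find_user_dn($d, $user)) !== null) {
            $hits[] = [$d['uri'], $dn];
        }
    }
    if (count($hits) !== 1) {
        // Same name in several domains: no password is sent, no counter moves.
        return count($hits) > 1 ? 'ambiguous' : 'failed';
    }
    [$uri, $dn] = $hits[0];
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return 'failed';
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $ok = @ldap_bind($ds, $dn, $pass);   // the only bind made with the user's password
    ldap_unbind($ds);
    return $ok ? 'ok' : 'failed';
}
```

On 'failed' the caller can fall back to the normal osticket log in; on 'ambiguous' it should ask the user to pick a domain instead of trying the password everywhere.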
Other features:
Client-side authentication with ldap credentials can be toggled. It's a global setting, if at least one ldap connection has it set to on it'll be on.
You can let this mod automatically complete a part of the Ticket-Form. It can fetch the Full Name+Email-Address+Phone Number of Clients/Users. This requires (obviously) Client-side authentication to be on in that connection.
You can also force Client-side authentication. This'll restrict Ticket creation to only those Users/Clients, that can log in.
Autofill will only be used with the first ticket, that the user/customer creates. After that osticket will Autofill by itself. That also means that Autofill will not work for the users, that had tickets prior to this mod.
How Client Log on works:
It's a simplified version without sso and various other stuff.
1. A guest can create tickets without logging in, that is if you don't force clients to log in. But he has to fill the fields by himself, since osticket doesn't know him.
2. If a user logs in instead, the ldap mod takes the username+pw that the user typed in to log into osticket and uses that to try and log the user into an ldap session. If a valid ldap session could be created, the ldap mod closes that session, then uses the admin credentials to fetch the email of the user. At this point I assume you have the client autofill feature on. The mod checks if he already has tickets; if that's the case 3. happens, else 4. happens.
3. The mail of the user and a ticketid of the user are used to log him into osticket. The user will then be redirected to the overview of his tickets and can create new tickets (see 5.), look at his tickets or log out.
4. The ldap mod creates a new ticket for this user (subject is ldap_temporary) with all the info the ldap mod can get (first name + last name, phone, phone_ext), then fetches the ticket_id of that new ticket, creates a new session for that user as if he logged in with email+ticketid and finally redirects him to open.php (the create ticket page). Then 5. happens.
5. Osticket sees that this is a user with a valid session (requires a ticket) and tries to autofill the fields with the known info in the tickets of the user. Then step 6.
6. Osticket creates a new ticket for that user. On creation of the new ticket the ldap mod checks if the user has any tickets with the subject ldap_temporary and deletes them. At this point they are not needed anymore.
LDAPS/LDAP over SSL:
This Feature requires the openssl php extension and correct setup of openssl.
Here is an example on openssl configuration for ldaps: http://greg.cathell.net/php_ldap_ssl.html
You probably can omit step 2 in that example. After step 6 you should be able to set up an ldaps connection.
Single Sign On
For SSO you need to configure your webserver to authenticate the login.php with ntlm/kerberos/etc. Depending on your webserver you get a Server variable like PHP_AUTH_USER or AUTH_USER that contains the username. You have to write that variable in the PHP Server Auth Variable textfield.
Special thanks to:
CotterPin
velinath
If you have any questions or found any bugs don't hesitate to ask/post.
Suggestions/Ideas for improvements are also welcome.
Changelog:
whole Changelog here: http://thane.dyndns.org/osticket-ldap-changelog.htm
07.09.2013 (ldap_mod_V13):
Fixed a bug in the SQL-Query of the staff statistics. (thanks to velinath)
Ported the mod to osticket 1.7.1 (DO NOT USE V13 for osticket 1.7)
16.09.2013 (ldap_mod_V14):
Fixed the mcrypt bug. Sorry, I've overlooked that when I've tested it. (thanks to webvoyant)
Note: You'll have to re-save the LDAP Admin-Password in your connection settings.
21.09.2013 (ldap_mod_V15):
The mod now populates the new tickets with up to date clientinfo
Updated to osTicket 1.7.1.3
26.09.2013 (ldap_mod_V16):
Added the fix for RDN by iconoeugen, sorry that I didn't see that myself
Compatible with 1.7.1.4
23.10.2013 (ldap_mod_V167):
updated to 1.7.2
optimized database access and queries
fixed a few bugs
added ability to overwrite email addresses in the open ticket form, !!!use this sparingly. Currently the users won't be able to access the tickets with a modified email-address via ldap-login, as long as it isn't their default email-address. osticket doesn't support additional email-addresses for a user.
Also a side-effect: After creating such a ticket, the user logs out, since osticket tries to log in the user with the other email-address (and fails).
added debug logging, toggle it in the global settings
added timestamps (with microseconds) to the debug entries. I've used a fairly new way (since mysql 5.6.4 or mariadb 5.3) to save those timestamps (the datetime(6)). If the debug logging doesn't work for you or if you get error messages associated with ldap logs please tell me.
added a limit to debug entries (default 2000)
added a "ldap logs" page to display the debug logs
moved global settings to a separate table
improved ldap database table upgrades
removed unnecessary comments
Regular Downloads:
osticket 1.7:
(ldap_mod.zip)
(ldap_mod_V2.zip)
(ldap_mod_V3.zip)
(ldap_mod_V4.zip)
(ldap_mod_V5.zip)
(ldap_mod_V6.zip)
(ldap_mod_V7.zip)
(ldap_mod_V8.zip)
(ldap_mod_v9.zip)
(ldap_mod_V10.zip)
(ldap_mod_V11.zip)
(ldap_mod_V12.zip)
osticket 1.7.1.1:
(ldap_mod_V13.zip)
(ldap_mod_V14.zip)
osticket 1.7.1.3 and 1.7.1.4:
(ldap_mod_V15.zip)
(ldap_mod_V16.zip)
osticket 1.7.2:
(ldap_mod_V17.zip)
Added since I was asked if I could combine my two mods.
These Multilanguage versions require a working Multilanguage mod setup. After your multilanguage mod works you copy the content of these zip over it. I've translated only the most necessary ldap stuff for now.
Multilanguage Downloads:
osticket 1.7:
(ldap_mod_ml_V8.zip)