Issue and Request

Thanks for this! I'm new to PHP, so please bear with me. A few things:

When I try to delete an LDAP entry from the Connections page, I get an error "Unknown action delete - get technical help."

It would be greatly helpful if I could debug the LDAP query by echoing the output to the configuration page or to the syslog.

We are already challenging the user for LDAP credentials for SSL negotiation, and using the resulting $_SERVER variable as their user name (email address) within our internal wiki. Is there a way to fully automate the logins (both clients and staff) using that same variable?

I'd be happy to post my solution to the wiki authentication if anyone is interested.

Thanks!

Hello CotterPin,

I'll look into the 'Unknown action'. I probably missed something in a switch case or had a typo somewhere. I'll also look into automatically authenticating users (wanted to do that for our users anyway). If I remember correctly, most browsers can hook into the Windows session to get the user credentials.

To your second point: would a diagnostic page be sufficient? I planned to make a diagnostic page for LDAP similar to the email one in osTicket. Otherwise I could do some debug-marked syslogs.

Thanks for the bug report and your suggestions.

Hey Thane,

Thanks for the quick reply. I investigated automatic Windows browser authentication with Apache/PHP, but couldn't find a viable way to do it - I found a few posts that said it wasn't possible for security reasons. My users' workstations are also in various AD domains, so that was also a confounding factor.

A diagnostic page would absolutely work -- I just need some way to see what's going to the LDAP server. The one we're using requires SSL and is not under our control, so I can't see what the query looks like to see what I'm doing wrong in the LDAP dialog. I can make a successful connection from Apache/SSL and JXplorer, but not through osTicket.

Thanks again!

great job, mod request

Hello Thane,

Your LDAP mod works very well, thanks for your job!

I have a mod request for you

It's possible to force users to log on only using LDAP, disabling the guest mode (and, possibly, also disabling the log on with email/ticketID)?

In this way 'login.php' can be merged with 'view.php', and this becomes the welcome page. After login the user can be redirected to the 'my tickets' page (searching for a specific ticketID is already possible on this page).

The 'open.php' must be accessible only after log on, with the forms name/email/phone already filled.

Tell me if I can help with this job in some way; unfortunately I'm not a good PHP programmer :(

Thanks again!

> Hello Thane,
>
> Your LDAP mod works very well, thanks for your job!

Hello ggdag85,

Glad it works that well, thanks for the feedback

> I have a mod request for you
>
> It's possible to force users to log on only using LDAP, disabling the guest mode (and, possibly, also disabling the log on with email/ticketID)?
>
> In this way 'login.php' can be merged with 'view.php', and this becomes the welcome page. After login the user can be redirected to the 'my tickets' page (searching for a specific ticketID is already possible on this page).
>
> The 'open.php' must be accessible only after log on, with the forms name/email/phone already filled.
>
> Tell me if I can help with this job in some way; unfortunately I'm not a good PHP programmer :(
>
> Thanks again!

This is possible; however, I can't remove the email/ticketID authentication altogether (it would be insecure, see first post). I can only block authenticating that way on login.php. My mod will still log the user in via email/ticketID in the background (as it does now). I'll have to make a testing platform, so you'll have to wait a bit till those things are done.

> We are already challenging the user for LDAP credentials for SSL negotiation, and using the resulting $_SERVER variable as their user name (email address) within our internal wiki. Is there a way to fully automate the logins (both clients and staff) using that same variable?

I still have to look into SSO. For now you could omit LDAP authentication and pass the email address by itself. You can do that by modifying the following:

replace line 25 in login.php:

    if($_POST) {

with

    if($_POST||isset($_SERVER)) {

replace line 30 in login.php:

    if(LDAP:($tmp_user,$tmp_pw))

with

    if(isset($_SERVER))

and line 32:

    $tmp_email=strtolower(LDAP:($tmp_user));

with

    $tmp_email=$_SERVER;

In theory, calling login.php should now automatically send you to the "my tickets" page or the "open.php" page. However, I didn't test that, so I can't guarantee it.
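As an added example (not the mod's code and not osTicket's), this is the check a login page should make before accepting the identity Apache placed in $_SERVER after the SSL negotiation described in the thread. The variable name SSO_USER_EMAIL is an assumption; use whatever your web server actually sets.

```php
<?php
// Added example (not the mod's code, not osTicket's). Reads the identity the
// web server established for the client and decides whether it can be used
// as the login e-mail. SSO_USER_EMAIL is an assumed variable name.

function ssoEmailFromServer(array $server, $key)
{
    // HTTP_* entries are request headers chosen by the browser (or whatever
    // sits in front of it); only variables the web server itself fills in
    // after authenticating the client may be trusted to name the user.
    if (strncmp($key, 'HTTP_', 5) === 0) {
        return false;
    }
    if (!isset($server[$key]) || !is_string($server[$key])) {
        return false;   // not authenticated by the server: show the login form
    }
    $email = strtolower(trim($server[$key]));
    // The mod looks this value up against ticket e-mail addresses, so only a
    // plain address may pass; anything else goes back to the normal login.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return $email;
}

// Constructed sample environments standing in for a real $_SERVER.
$samples = array(
    'after SSL auth'   => array('SSO_USER_EMAIL' => 'Alice@Example.org'),
    'no SSO variable'  => array('REMOTE_ADDR' => '10.0.0.5'),
    'not an address'   => array('SSO_USER_EMAIL' => 'CN=Alice,OU=Staff'),
);
foreach ($samples as $label => $server) {
    $email = ssoEmailFromServer($server, 'SSO_USER_EMAIL');
    printf("%-16s -> %s\n", $label, $email === false ? 'fall back to login form' : $email);
}
// A header-derived key is refused regardless of its content.
var_dump(ssoEmailFromServer(array('HTTP_X_USER' => 'a@b.example'), 'HTTP_X_USER'));
```

In the edits above this would stand in for the `isset($_SERVER)` test and the `$tmp_email=$_SERVER;` assignment; the returned address still has to be escaped before it is concatenated into the SQL in login.php.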

Hi Thane,

I edited my login.php file as suggested, and I'm getting an "Invalid method" message (see attached screenshot).

error.PNG

> Hi Thane,
>
> I edited my login.php file as suggested, and I'm getting an "Invalid method" message (see attached screenshot).

Hi CopperPin,

It seems osTicket has an additional security check for 'automatic logins' (which is a good thing) that I didn't expect. You'll have to make the following additional changes after making the ones I listed above to work around that security feature. Keep in mind you'll authenticate users only via email address.

replace the line

    $sqlquery='SELECT ' . TABLE_PREFIX . 'ticket.ticketID, ' . TABLE_PREFIX . 'ticket.email from ' . TABLE_PREFIX . 'ticket WHERE email LIKE "' . $tmp_email .'";';

with the line

    $sqlquery='SELECT '. TABLE_PREFIX . 'ticket.ticket_id, ' . TABLE_PREFIX . 'ticket.ticketID, ' . TABLE_PREFIX . 'ticket.email from ' . TABLE_PREFIX . 'ticket WHERE email LIKE "' . $tmp_email .'";';

replace the line

    if(($user=Client:($tmp_pw, $tmp_user, null, $errors))) {

with

    if(($user=Client:($tmp_pw, $tmp_user, md5($tmp_ht['ticket_id'].$tmp_user. SECRET_SALT), $errors))) {

replace the lines

    $errors = 'Failed creating a temporary ticket';
    if(($user=Client:($tmp_ticketID, $tmp_email, null, $errors))) {
        //XXX: Ticket owner is assumed.
        @header('Location: open.php');
        require_once('open.php'); //Just in case of 'header already sent' error.
        exit;
    } elseif(!$errors) {
        $errors = 'Authentication error - try again!';
    }

with

    $errors = __('Failed creating a temporary ticket');
    // Look up the internal ticket_id for this address; it feeds the auth hash below.
    $sqlquery='SELECT '. TABLE_PREFIX . 'ticket.ticket_id from ' . TABLE_PREFIX . 'ticket WHERE email LIKE "' . $tmp_email .'";';
    if(($tmp_res=db_query($sqlquery)) && db_num_rows($tmp_res)>0)
    {
        $tmp_ht=db_fetch_array($tmp_res);
        if(($user=Client:($tmp_ticketID, $tmp_email, md5($tmp_ht['ticket_id'].$tmp_user. SECRET_SALT), $errors))) {
            //XXX: Ticket owner is assumed.
            @header('Location: open.php');
            require_once('open.php'); //Just in case of 'header already sent' error.
            exit;
        } elseif(!$errors) {
            $errors = __('Authentication error - try again!');
        }
    }

I didn't test the case where a new user tries to log in, as I don't have a sufficient test setup yet. But that should work (again, in theory). Please report whether those changes work or throw errors, thanks.

I tested the additional changes, and it works great if the user already has tickets in the system. However, when I tested it with a client user that had never logged in before, the Full Name field is missing, and won't allow ticket creation with the error "Missing or invalid data - check the errors and try again". Screen shot attached.

error2.PNG

> I tested the additional changes, and it works great if the user already has tickets in the system. However, when I tested it with a client user that had never logged in before, the Full Name field is missing, and won't allow ticket creation with the error "Missing or invalid data - check the errors and try again". Screen shot attached.

I see my mistake. I'll need to create a new function in class.ldap.php to get the username from the email address. I'll have to do that tomorrow, since my samba4 setup still doesn't like me :(

Hi CotterPin,

You'll find modified files (base was ldap_mod_V4) for you here:

(http://thane.dyndns.org/ldap_mod_sso.zip)

You'll have to set a 'ldap user field' in your ldap settings. I hope now it'll all work for you.

@[deleted]

I've noticed the download link of ldap_mod_V4.zip was linking to ldap_mod_V3.zip. I've corrected that mistake. Please check if you downloaded the V4. If that isn't the case please download and use the V4.

Hey Thane,

Thanks again for the quick turnaround! Updating to v.4 worked great, but I'm having an issue with class.ldap.php once I apply the SSO code. I get an error 500 on the site, and a "Parse error: syntax error, unexpected T_PUBLIC in CODE on line 560". I've tried to figure it out, but can't see what the issue is. I'm assuming you wanted me to populate the ldap user field in the LDAP Settings section of osTicket settings. Unfortunately, with the SSO code, I can't get to the Admin panel.

> Hey Thane,
>
> Thanks again for the quick turnaround! Updating to v.4 worked great, but I'm having an issue with class.ldap.php once I apply the SSO code. I get an error 500 on the site, and a "Parse error: syntax error, unexpected T_PUBLIC in CODE on line 560". I've tried to figure it out, but can't see what the issue is. I'm assuming you wanted me to populate the ldap user field in the LDAP Settings section of osTicket settings. Unfortunately, with the SSO code, I can't get to the Admin panel.

Hey CotterPin,

Sorry, I removed one '}' too many when removing other mods. Please add a } on line 559 or redownload the ldap_mod_sso.

D'oh! I looked for missing curly braces, but not in that section. Thanks for that.

After updating with the latest code, SSO works great against our local internal LDAP. For the clients, though, we have to use the corporate LDAP, which has our user names as user@domain.com. I think the LDAP mod is appending @[deleted] again for the authentication. So I think what's going to our LDAP server is user@domain.com@domain.com. Is there a way I can set the LDAP suffix to be null? I poked around the files, but as you've probably noticed, my PHP skills are level n00b.

> D'oh! I looked for missing curly braces, but not in that section. Thanks for that.
>
> After updating with the latest code, SSO works great against our local internal LDAP. For the clients, though, we have to use the corporate LDAP, which has our user names as user@domain.com. I think the LDAP mod is appending @[deleted] again for the authentication. So I think what's going to our LDAP server is user@domain.com@domain.com. Is there a way I can set the LDAP suffix to be null? I poked around the files, but as you've probably noticed, my PHP skills are level n00b.

Try the following change:

in class.ldap.php replace the function

    public static function ldapSqlAuthenticate($username, $password,$ldap_id=-1,&$outp=NULL, $debug=false) {
        // An empty password would turn the bind into an anonymous bind, so refuse it.
        if($password=='')
        {
            return false;
        }
        $sqlquery='SELECT ' . TABLE_PREFIX . 'ldap_config.ldap_id, ' . TABLE_PREFIX . 'ldap_config.ldap_suffix from ' . TABLE_PREFIX . 'ldap_config';
        if($ldap_id!=-1)
        {
            $sqlquery.=' WHERE ' . TABLE_PREFIX . 'ldap_config.ldap_id='.$ldap_id;
        }
        $sqlquery.=' ORDER BY ' . TABLE_PREFIX . 'ldap_config.priority';
        if(($tmp_res=db_query($sqlquery)) && db_num_rows($tmp_res)>0)
        {
            // Try each configured directory in priority order until one bind succeeds.
            while($rowset = db_fetch_array($tmp_res)) {
                $ldap = LDAP:($rowset);
                /*if($ldap!=false)
                {
                    echo 'connected successfully<br>';
                }*/
                $old_error_reporting = error_reporting();
                if($debug==false)
                {
                    error_reporting (E_ERROR);
                }
                if($debug==true)
                {
                    $outp.='binding to ldap with username "'.$username . $rowset['ldap_suffix'].'" and his password<br>';
                }
                $bind = ldap_bind($ldap, $username . $rowset['ldap_suffix'], $password);
                if(!$bind)
                {
                    if($debug==true)
                    {
                        $outp.=ldap_error($ldap).'<br>';
                        $outp.='errno: '.strval(ldap_errno($ldap)).'<br>';
                    }
                }
                ldap_unbind($ldap);
                if($debug==false)
                {
                    error_reporting($old_error_reporting);
                }
                if($bind)
                {
                    break;
                }
            }
            return $bind;
        }
        else
        {
            if($debug==true)
            {
                echo $outp.='no ldap config<br>';
            }
        }
        return false;
    }

with

    public static function ldapSqlAuthenticate($username, $password,$ldap_id=-1,&$outp=NULL, $debug=false) {
        // An empty password would turn the bind into an anonymous bind, so refuse it.
        if($password=='')
        {
            return false;
        }
        $sqlquery='SELECT ' . TABLE_PREFIX . 'ldap_config.ldap_id, ' . TABLE_PREFIX . 'ldap_config.ldap_suffix from ' . TABLE_PREFIX . 'ldap_config';
        if($ldap_id!=-1)
        {
            $sqlquery.=' WHERE ' . TABLE_PREFIX . 'ldap_config.ldap_id='.$ldap_id;
        }
        $sqlquery.=' ORDER BY ' . TABLE_PREFIX . 'ldap_config.priority';
        if(($tmp_res=db_query($sqlquery)) && db_num_rows($tmp_res)>0)
        {
            // Try each configured directory in priority order until one bind succeeds.
            while($rowset = db_fetch_array($tmp_res)) {
                $ldap = LDAP:($rowset);
                /*if($ldap!=false)
                {
                    echo 'connected successfully<br>';
                }*/
                $old_error_reporting = error_reporting();
                if($debug==false)
                {
                    error_reporting (E_ERROR);
                }
                // Only append the configured suffix if the name doesn't carry it already.
                $ldapusr="";
                if(strpos($username,$rowset['ldap_suffix'])!==false)
                {
                    $ldapusr=$username;
                }
                else
                {
                    $ldapusr=$username . $rowset['ldap_suffix'];
                }
                if($debug==true)
                {
                    $outp.='binding to ldap with username "'.$ldapusr.'" and his password<br>';
                }
                $bind = ldap_bind($ldap, $ldapusr, $password);
                if(!$bind)
                {
                    if($debug==true)
                    {
                        $outp.=ldap_error($ldap).'<br>';
                        $outp.='errno: '.strval(ldap_errno($ldap)).'<br>';
                    }
                }
                ldap_unbind($ldap);
                if($debug==false)
                {
                    error_reporting($old_error_reporting);
                }
                if($bind)
                {
                    break;
                }
            }
            return $bind;
        }
        else
        {
            if($debug==true)
            {
                echo $outp.='no ldap config<br>';
            }
        }
        return false;
    }

This checks if the suffix is there and only adds the suffix if there isn't one already. I can't remove the suffix entirely as it's used in other parts as well.

What may also cause your problem is the one I have in our company. We have to support two different domains. However, those two domains don't trust each other and don't even know each other.

The result is the following:

The web server that is hosting osTicket is in domain A, and users from domain A can SSO without problems the way I provided you. The users from domain B, however, can't, since the web server doesn't know their domain and thus can't authenticate them.
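As an added example (not the mod's code), here is a suffix-handling helper along the lines of the check above. It differs from the posted strpos() test in that it only accepts the suffix at the end of the name, case-insensitively, and refuses names that carry some other domain or characters that have no place in a login name. The sample names, the suffix and the rejected-character set are assumptions.

```php
<?php
// Added example, not the mod's code: builds the name handed to ldap_bind()
// and appends the configured suffix only when it is genuinely missing.

function ldapBindName($username, $suffix)
{
    $username = trim($username);
    $suffix   = trim($suffix);
    if ($username === '') {
        return false;
    }
    // A login name is neither a DN nor a filter: refuse anything that could
    // change the meaning of the bind string rather than trying to repair it.
    if (preg_match('/[\x00-\x1f\\\\,=+<>;"#()*]/', $username)) {
        return false;
    }
    if ($suffix === '') {
        return $username;
    }
    $len = strlen($suffix);
    // Already carries the configured suffix (user@domain.com style name).
    if (strlen($username) > $len && strcasecmp(substr($username, -$len), $suffix) === 0) {
        return $username;
    }
    // Carries some other @domain: do not silently bind it to a different realm.
    // (A plain strpos() check would let "user@domain.com.example" through unchanged.)
    if (strpos($username, '@') !== false) {
        return false;
    }
    return $username . $suffix;
}

// Constructed inputs for a directory whose suffix is @domain.com.
$names = array('jdoe', 'jdoe@domain.com', 'JDOE@DOMAIN.COM',
               'jdoe@other.org', 'jdoe@domain.com.example', 'j,doe');
foreach ($names as $name) {
    $bind = ldapBindName($name, '@domain.com');
    printf("%-26s -> %s\n", $name, $bind === false ? '(rejected)' : $bind);
}
```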

Question about bind process

Thank you for taking the time to create a mod that supports LDAP - I do have a question since I'm coming from a non-AD LDAP server. My LDAP server doesn't use the user principal name format (admin@my.domain.com) for doing LDAP binds - it uses a format similar to uid=admin,cn=users,dc=my,dc=domain

Since I'm not a php guy, could the mod be tweaked to support a bind call other than the user principal one?

> Thank you for taking the time to create a mod that supports LDAP - I do have a question since I'm coming from a non-AD LDAP server. My LDAP server doesn't use the user principal name format (admin@my.domain.com) for doing LDAP binds - it uses a format similar to uid=admin,cn=users,dc=my,dc=domain
>
> Since I'm not a php guy, could the mod be tweaked to support a bind call other than the user principal one?

It is possible to do (see first comment here: (http://php.net/manual/de/function.ldap-bind.php)).

I'll add the functionality to use RDN bind instead of user principal name in V5 of this mod. I'll also add ggdag85's request to force users to log in.

I'm unfamiliar with rdn type of binding, so could you answer the following questions:

Does it look like in the following site?

(http://www.zytrax.com/books/ldap/apa/dn-rdn.html)

Does 'cn' have to be the full name of the user and is it needed at all?

What do your users enter for username? The uid?

And for the last question, is your ldap based on Opendirectory?

I'll take a few more days, since I have some other problems to deal with at the moment. Sorry to make you wait.
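An added example (not part of the mod) of building the bind identity for both styles discussed here: a user principal name for AD and a DN like the one in the question. The 'bind_style' and 'dn_template' settings with their {uid} placeholder are assumptions about how such a setting could be stored in the ldap config; ldap_escape() needs PHP's ldap extension (5.6 or later).

```php
<?php
// Added example, not the mod's code. Builds the identity handed to ldap_bind()
// for either bind style: a user principal name (user@domain, the AD case the
// mod handles today) or a DN such as uid=admin,cn=users,dc=my,dc=domain.
// 'bind_style', 'dn_template' and the {uid} placeholder are assumptions.

function ldapBindIdentity(array $config, $username)
{
    if ($config['bind_style'] === 'dn') {
        // The uid becomes one RDN value; escape it so a name containing
        // ',' or '=' cannot append extra components to the DN.
        $uid = ldap_escape($username, '', LDAP_ESCAPE_DN);
        return str_replace('{uid}', $uid, $config['dn_template']);
    }
    return $username . $config['ldap_suffix'];
}

// Verifies a password by binding as the user. Returns true only for a
// successful bind; an empty password is refused up front because LDAP treats
// it as an anonymous bind, which most servers accept as a success.
function ldapCheckPassword($ldap, array $config, $username, $password)
{
    if ($username === '' || $password === '') {
        return false;
    }
    // ldap_bind() raises a warning on failure; the return value is the result.
    return @ldap_bind($ldap, ldapBindIdentity($config, $username), $password);
}

// Constructed configurations for the two directory types in the thread.
$configs = array(
    'ad' => array('bind_style' => 'upn', 'ldap_suffix' => '@my.domain.com'),
    'dn' => array('bind_style' => 'dn',  'dn_template' => 'uid={uid},cn=users,dc=my,dc=domain'),
);
foreach (array('admin', 'jdoe,cn=admins') as $user) {
    foreach ($configs as $name => $config) {
        printf("%-3s %-16s -> %s\n", $name, $user, ldapBindIdentity($config, $user));
    }
}
```

The second sample name shows why the DN branch escapes: without ldap_escape() the comma would turn the uid into two RDNs. ldapCheckPassword() needs a live connection from ldap_connect(), so only the identity builder runs in the sample loop.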

Is this just for client side ?

I have it set up, but it does not work for staff.

any ideas ?

Just to give some feedback, I'm now able to successfully authenticate with both domains. One final thing - if I authenticate with a user that's never created a ticket, the user's Full Name is not getting populated, so they can't create a ticket (see screen shot). If their email address is already in the database, they can login and create tickets fine.

osTicket LDAP3.PNG

> I have it set up, but it does not work for staff.
>
> any ideas ?

Alexander81,

Double-check your LDAP configuration of the LDAP connection page within the Admin Panel under Settings. I used JXplorer to validate my LDAP settings to ensure I had the correct field names. Also, make sure you've selected the enabled radio button in the LDAP Settings section.

> I have it set up, but it does not work for staff.
>
> any ideas ?

Hello Alexander81,

In addition to what CotterPin already wrote, check whether your staff members have the same username that they have in your LDAP. osTicket checks that, and if they differ, authentication fails.

> Just to give some feedback, I'm now able to successfully authenticate with both domains. One final thing - if I authenticate with a user that's never created a ticket, the user's Full Name is not getting populated, so they can't create a ticket (see screen shot). If their email address is already in the database, they can login and create tickets fine.

Could you login with a new client-user and check in your osticket db if a ticket with the subject 'ldap_temporary' was created for that user with the fields first name and last name filled? If that isn't the case the mod can't fetch those fields for some reason.