Hey Thane,

Thanks again for the quick turnaround! Updating to v.4 worked great, but I'm having an issue with class.ldap.php once I apply the SSO code. I get an error 500 on the site, and a "Parse error: syntax error, unexpected T_PUBLIC in CODE on line 560". I've tried to figure it out, but can't see what the issue is. I'm assuming you wanted me to populate the ldap user field in the LDAP Settings section of osTicket settings. Unfortunately, with the SSO code, I can't get to the Admin panel.

Hey CotterPin,

Sorry, I removed one '}' too many when removing other mods. Please add a } to line 559 or redownload the ldap_mod_sso.

D'oh! I looked for missing curly braces, but not in that section. Thanks for that.

After updating with the latest code, SSO works great against our local internal LDAP. For the clients, though, we have to use the corporate LDAP, which has our user names as user@domain.com. I think the LDAP mod is appending @[deleted] again for the authentication. So I think what's going to our LDAP server is user@domain.com@domain.com. Is there a way I can set the LDAP suffix to be null? I poked around the files, but as you've probably noticed, my PHP skills are level n00b.

Try the following change:

In class.ldap.php, replace the function

    public static function ldapSqlAuthenticate($username, $password, $ldap_id=-1, &$outp=NULL, $debug=false) {
        // an empty password would turn ldap_bind() into an unauthenticated bind, which many servers accept
        if($password=='')
        {
            return false;
        }
        $sqlquery='SELECT ' . TABLE_PREFIX . 'ldap_config.ldap_id, ' . TABLE_PREFIX . 'ldap_config.ldap_suffix from ' . TABLE_PREFIX . 'ldap_config';
        if($ldap_id!=-1)
        {
            // cast so that only an integer id is ever concatenated into the query
            $sqlquery.=' WHERE ' . TABLE_PREFIX . 'ldap_config.ldap_id='.(int)$ldap_id;
        }
        $sqlquery.=' ORDER BY ' . TABLE_PREFIX . 'ldap_config.priority';
        if(($tmp_res=db_query($sqlquery)) && db_num_rows($tmp_res)>0)
        {
            // try each configured LDAP server in priority order until one bind succeeds
            while($rowset = db_fetch_array($tmp_res)) {
                // the mod's connection helper; its exact name and argument were lost in extraction and are assumed here
                $ldap = LDAP::connect($rowset['ldap_id']);
                /*if($ldap!=false)
                {
                    echo 'connected successfully<br>';
                }*/
                $old_error_reporting = error_reporting();
                if($debug==false)
                {
                    error_reporting (E_ERROR);
                }
                if($debug==true)
                {
                    $outp.='binding to ldap with username "'.$username . $rowset['ldap_suffix'].'" and his password<br>';
                }
                // the configured suffix is always appended, so a name that already carries it is sent as user@domain.com@domain.com
                $bind = ldap_bind($ldap, $username . $rowset['ldap_suffix'], $password);
                if(!$bind)
                {
                    if($debug==true)
                    {
                        $outp.=ldap_error($ldap).'<br>';
                        $outp.='errno: '.strval(ldap_errno($ldap)).'<br>';
                    }
                }
                ldap_unbind($ldap);
                if($debug==false)
                {
                    error_reporting($old_error_reporting);
                }
                if($bind)
                {
                    break;
                }
            }
            return $bind;
        }
        else
        {
            if($debug==true)
            {
                echo $outp.='no ldap config<br>';
            }
        }
        return false;
    }

with

    public static function ldapSqlAuthenticate($username, $password, $ldap_id=-1, &$outp=NULL, $debug=false) {
        // an empty password would turn ldap_bind() into an unauthenticated bind, which many servers accept
        if($password=='')
        {
            return false;
        }
        $sqlquery='SELECT ' . TABLE_PREFIX . 'ldap_config.ldap_id, ' . TABLE_PREFIX . 'ldap_config.ldap_suffix from ' . TABLE_PREFIX . 'ldap_config';
        if($ldap_id!=-1)
        {
            // cast so that only an integer id is ever concatenated into the query
            $sqlquery.=' WHERE ' . TABLE_PREFIX . 'ldap_config.ldap_id='.(int)$ldap_id;
        }
        $sqlquery.=' ORDER BY ' . TABLE_PREFIX . 'ldap_config.priority';
        if(($tmp_res=db_query($sqlquery)) && db_num_rows($tmp_res)>0)
        {
            // try each configured LDAP server in priority order until one bind succeeds
            while($rowset = db_fetch_array($tmp_res)) {
                // the mod's connection helper; its exact name and argument were lost in extraction and are assumed here
                $ldap = LDAP::connect($rowset['ldap_id']);
                /*if($ldap!=false)
                {
                    echo 'connected successfully<br>';
                }*/
                $old_error_reporting = error_reporting();
                if($debug==false)
                {
                    error_reporting (E_ERROR);
                }
                // append the configured suffix only when the username does not already contain it
                // (strpos() is a substring test, so a suffix found anywhere in the name counts as present)
                $ldapusr="";
                if(strpos($username,$rowset['ldap_suffix'])!==false)
                {
                    $ldapusr=$username;
                }
                else
                {
                    $ldapusr=$username . $rowset['ldap_suffix'];
                }
                if($debug==true)
                {
                    $outp.='binding to ldap with username "'.$ldapusr.'" and his password<br>';
                }
                $bind = ldap_bind($ldap, $ldapusr, $password);
                if(!$bind)
                {
                    if($debug==true)
                    {
                        $outp.=ldap_error($ldap).'<br>';
                        $outp.='errno: '.strval(ldap_errno($ldap)).'<br>';
                    }
                }
                ldap_unbind($ldap);
                if($debug==false)
                {
                    error_reporting($old_error_reporting);
                }
                if($bind)
                {
                    break;
                }
            }
            return $bind;
        }
        else
        {
            if($debug==true)
            {
                echo $outp.='no ldap config<br>';
            }
        }
        return false;
    }

This checks if the suffix is there and only adds the suffix if there isn't one already. I can't remove the suffix entirely as it's used in other parts as well.

What may also cause your problem is the one I have in our company. We have to support two different domains. However, those two domains don't trust each other and don't even know each other.

The result is the following:

The webserver that is hosting osTicket is in domain A, and users from domain A can SSO without problems the way I provided you. The users from domain B, however, can't, since the webserver doesn't know their domain and thus can't authenticate them.

Question about bind process

Thank you for taking the time to create a mod that supports LDAP - I do have a question since I'm coming from a non-AD LDAP server. My LDAP server doesn't use the user principle name format (admin@my.domain.com) for doing LDAP binds - it uses a format similar to uid=admin,cn=users,dc=my,dc=domain

Since I'm not a php guy, could the mod be tweaked to support a bind call other than the user principal one?

It is possible to do (see the first comment here: http://php.net/manual/de/function.ldap-bind.php).

I'll add the functionality to use RDN bind instead of user principal name in V5 of this mod. I'll also add ggdag85's request to force users to log in.

I'm unfamiliar with the RDN type of binding, so could you answer the following questions:

Does it look like on the following site?

http://www.zytrax.com/books/ldap/apa/dn-rdn.html

Does 'cn' have to be the full name of the user and is it needed at all?

What do your users enter for username? The uid?

And for the last question, is your LDAP based on Open Directory?

I'll take a few more days, since I have some other problems to deal with at the moment. Sorry to make you wait.

Is this just for the client side?

I have it set up, but it does not work for staff.

Any ideas?

Just to give some feedback, I'm now able to successfully authenticate with both domains. One final thing - if I authenticate with a user that's never created a ticket, the user's Full Name is not getting populated, so they can't create a ticket (see screen shot). If their email address is already in the database, they can login and create tickets fine.

[screenshot attachment: osTicket LDAP3.PNG]

Alexander81,

Double-check your LDAP configuration of the LDAP connection page within the Admin Panel under Settings. I used JXplorer to validate my LDAP settings to ensure I had the correct field names. Also, make sure you've selected the enabled radio button in the LDAP Settings section.

Hello Alexander81,

In addition to what CotterPin already wrote, check if your staff members have the same username that they have in your LDAP. osTicket checks that one, and if they differ, authentication fails.

Could you login with a new client-user and check in your osticket db if a ticket with the subject 'ldap_temporary' was created for that user with the fields first name and last name filled? If that isn't the case the mod can't fetch those fields for some reason.

There is an 'ldap_temporary' ticket in the database for that user, but the name field is blank.

Could you check in LDAP Diagnostic if the ldap_firstname_field and ldap_lastname_field are returning anything from that username?

Oh! I missed that you'd added the diagnostic php file. I ran the ldaptest.php, and it looks like it's failing authentication with LDAP. It appears that it's not using the custom LDAP User Field (for us the LDAP User Field is uid, not sAMAccountName). It says:

calling ldap_search with the domain: "o=", the Filter: "(&(objectCategory=person)(sAMAccountName=))" and the Attributes: "array("ldap_firstname_field")"

OK, I'll have to adjust that along with Open Directory support. I'm afraid you'll have to wait a few more days for that.

Hi Thane,

Thank you for this great job.

Due to a problem with the SSO module in my AD, I just modified login.php line 32

From:

$tmp_email=$_SERVER;

To:

$tmp_email=LDAP:($_SERVER);

And now it works perfectly for me.

Regards,

LDAP Connection failed

I installed the mod and provided the info for a connection but when I run the diagnostics it says LDAP Connection failed.

Here are the details:

Result: Leave empty to use the Administrator in LDAP Settings

calling ldap_connect with: "hh-dc1.hhinc.org" and port "389"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with username "admin@hhinc.org" and his password

calling ldap_search with the domain: "CN=AllUsers,DC=hhinc,DC=org", the Filter: "(&(objectCategory=person)(sAMAccountName=admin))" and the Attributes: "array("givenName")"

I've tried changing the domain to different values but get the same results.

Thanks,

Augustus

If you get to calling ldap_search with the domain: "CN=AllUsers,DC=hhinc,DC=org", the Filter: "(&(objectCategory=person)(sAMAccountName=admin))" and the Attributes: "array("givenName")" without an error, binding should be OK. The error in your case can be one of the following:

- your LDAP doesn't like the field 'givenName', which is unlikely

- your LDAP doesn't like the Filter, which is more likely the case

The filter is hardcoded in all current versions; if it's the cause of your error you'll have to wait for v5. I think I'll get that done tomorrow. I'd suggest you test your settings with another program. CotterPin suggested some in earlier posts.
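Added example, not the mod's code nor anything posted in this thread: it covers the suffix check from the class.ldap.php change above, the RDN-style bind Thane says V5 will support, and the hardcoded lookup filter discussed here, building the bind identity for either style and the user filter with values escaped before they go into a DN or filter. It assumes PHP 7 or later with the ldap extension; the function names and $cfg keys are my own, not the mod's.

```php
<?php
// Added example, not part of the osTicket LDAP mod or this thread.
// Builds the ldap_bind() identity and the ldap_search() user filter, covering:
//   - the UPN suffix must not be appended a second time,
//   - non-AD servers bind with a DN (uid=...,cn=users,dc=...) instead of a UPN,
//   - the lookup filter's user field should be configurable (uid vs sAMAccountName).
// Function names and the $cfg keys are assumptions, not the mod's own API.

// UPN-style bind (Active Directory). A substring test such as strpos() would
// also accept "user@domain.com.example"; compare the tail of the name instead.
function ldapUpnIdentity(string $username, string $suffix): string
{
    if ($suffix === '') {
        return $username;
    }
    $tail = substr($username, -strlen($suffix));
    return strcasecmp((string)$tail, $suffix) === 0 ? $username : $username . $suffix;
}

// DN-style bind (OpenLDAP, Open Directory). The username becomes one RDN value,
// so it is escaped for DN syntax (RFC 4514): "j,doe" must not turn into two RDNs.
function ldapDnIdentity(string $username, string $uidAttr, string $baseDn): string
{
    return $uidAttr . '=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
}

// Lookup filter with the user field taken from configuration. The value is
// escaped for filter syntax (RFC 4515) so "*" or "(" in a login name cannot
// widen the search beyond that single user.
function ldapUserFilter(string $userAttr, string $username, string $objectClause = '(objectCategory=person)'): string
{
    return '(&' . $objectClause . '(' . $userAttr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
}

// Picks the bind style from a config row: DN when a base DN is set, UPN otherwise.
function ldapBindIdentity(array $cfg, string $username): string
{
    if (!empty($cfg['bind_base_dn'])) {
        return ldapDnIdentity($username, $cfg['ldap_user_field'], $cfg['bind_base_dn']);
    }
    return ldapUpnIdentity($username, $cfg['ldap_suffix'] ?? '');
}

// Constructed sample configurations, one per bind style.
$adCfg = ['ldap_suffix' => '@domain.com', 'ldap_user_field' => 'sAMAccountName'];
$odCfg = ['bind_base_dn' => 'cn=users,dc=my,dc=domain', 'ldap_user_field' => 'uid'];
echo ldapBindIdentity($adCfg, 'jdoe'), "\n";            // suffix appended once
echo ldapBindIdentity($adCfg, 'jdoe@domain.com'), "\n"; // name already carries the suffix, left as is
echo ldapBindIdentity($odCfg, 'j,doe'), "\n";           // comma escaped inside the RDN
echo ldapUserFilter($odCfg['ldap_user_field'], 'j*doe'), "\n"; // wildcard escaped in the filter
```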

@[deleted]

Hello wbart,

Please check if V5 works for you.

@[deleted]

Hello CotterPin,

Could you also check if the customizable filter works for you? Also, thanks for the extensive testing.

Thane,

No worries, it's the least I could do for the extensive mod work. :) Looks like I've got it working with V5, but it appears that our corporate LDAP won't let me read the givenName attribute. I can only pull down the cn (Full Name) or sn (Last Name). Is there a way I can use the cn attribute for client tickets?

Hello CotterPin,

"givenName" returns nothing for me. I have to write it in all lowercase ('givenname') to make it work. LDAP seems very picky with the attributes. Another nice example is samaccountname. I have to write 'sAMAccountName' to get the filter working. However, if I want the content of samaccountname I have to use the attribute 'samaccountname'. So try 'givenname'. If that also doesn't work for you I'll have to patch the class.ldap.php a bit.