Could you login with a new client-user and check in your osticket db if a ticket with the subject 'ldap_temporary' was created for that user with the fields first name and last name filled? If that isn't the case the mod can't fetch those fields for some reason.

There is an 'ldap_temporary' ticket in the database for that user, but the name field is blank.

Could you check in LDAP Diagnostic if the ldap_firstname_field and ldap_lastname_field are returning anything from that username?

Oh! I missed that you'd added the diagnostic php file. I ran the ldaptest.php, and it looks like it's failing authentication with LDAP. It appears that it's not using the custom LDAP User Field (for us the LDAP User Field is uid, not sAMAccountName). It says:

calling ldap_search with the domain: "o=", the Filter: "(&(objectCategory=person)(sAMAccountName=))" and the Attributes: "array("ldap_firstname_field")"

OK, I'll have to adjust that along with opendirectory support. I'm afraid you'll have to wait a few more days for that.

Hi Thane,

thank you for this great job.

Due to a problem with the SSO module in my AD, I just modified login.php line 32

From:

$tmp_email=$_SERVER;

To:

$tmp_email=LDAP:($_SERVER);

And now it works perfectly for me.

Regards,

LDAP Connection failed

I installed the mod and provided the info for a connection but when I run the diagnostics it says LDAP Connection failed.

Here are the details:

Result: Leave empty to use the Administrator in LDAP Settings

calling ldap_connect with: "hh-dc1.hhinc.org" and port "389"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with username "admin@hhinc.org" and his password

calling ldap_search with the domain: "CN=AllUsers,DC=hhinc,DC=org", the Filter: "(&(objectCategory=person)(sAMAccountName=admin))" and the Attributes: "array("givenName")"

I've tried changing the domain to different values but get the same results.

Thanks,

Augustus

If you get to calling ldap_search with the domain: "CN=AllUsers,DC=hhinc,DC=org", the Filter: "(&(objectCategory=person)(sAMAccountName=admin))" and the Attributes: "array("givenName")" without an error, binding should be OK. The error in your case can be one of the following:

your LDAP doesn't like the field 'givenName', which is unlikely

your LDAP doesn't like the Filter, which is more likely the case

The filter is hardcoded in all current versions; if it's the cause of your error you'll have to wait for V5. I think I'll get that done tomorrow. I'd suggest you test your settings with another program. CotterPin suggested some in earlier posts.

@[deleted]

Hello wbart,

Please check if V5 works for you.

@[deleted]

Hello CotterPin,

Could you also check if the customizable filter works for you? Also, thanks for the extensive testing.

Thane,

No worries, it's the least I could do for the extensive mod work. :) Looks like I've got it working with V5, but it appears that our corporate LDAP won't let me read the givenName attribute. I can only pull down the cn (Full Name) or sn (Last Name). Is there a way I can use the cn attribute for client tickets?

Hello CotterPin,

"givenName" returns nothing for me. I have to write it in all lowercase ('givenname') to make it work. LDAP seems very picky with the attributes. Another nice example is samaccountname. I have to write 'sAMAccountName' to get the filter working. However, if I want the content of samaccountname I have to use the attribute 'samaccountname'. So try 'givenname'. If that also doesn't work for you, I'll have to patch the class.ldap.php a bit.
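
One likely cause of the 'givenName' versus 'givenname' behaviour described above, assuming the mod reads search results with PHP's ldap_get_entries(): that function returns attribute names as lowercase array keys, and PHP array keys are case-sensitive. The lookup below lowercases the configured name before reading the entry (an added example, not the mod's code; `firstAttributeValue()` is a hypothetical helper and the sample entry is constructed):

```php
<?php
// Added example, not the mod's code. firstAttributeValue() is hypothetical.
// $entries is constructed to mirror the array shape ldap_get_entries()
// returns, where attribute names appear as lowercase keys.

function firstAttributeValue(array $entries, string $attribute): ?string
{
    if (($entries['count'] ?? 0) < 1) {
        return null;                    // the search matched no entry
    }
    $key = strtolower($attribute);      // match the lowercased result keys
    $values = $entries[0][$key] ?? null;
    if (!is_array($values) || ($values['count'] ?? 0) < 1) {
        return null;                    // attribute absent or not readable
    }
    return $values[0];
}

// Constructed sample result for one user.
$entries = [
    'count' => 1,
    0 => [
        'givenname' => ['count' => 1, 0 => 'Jane'],
        0 => 'givenname',
        'sn' => ['count' => 1, 0 => 'Doe'],
        1 => 'sn',
        'count' => 2,
        'dn' => 'uid=jdoe,o=example',
    ],
];

// Direct lookup using the directory's mixed-case spelling.
var_dump($entries[0]['givenName'] ?? null);
// Lookup through the helper, which normalizes the attribute name first.
var_dump(firstAttributeValue($entries, 'givenName'));
// An attribute the bind account could not read is simply missing.
var_dump(firstAttributeValue($entries, 'mail'));
```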

Ok, that worked. I now am able to use the LDAP Diagnostic to verify that I am using the correct filter for First and Last Names. However, client login is not working with the V5 mod. It leaves me as a Guest User, even after clicking "Log In". Clicking "Log In" takes me to the Check Ticket Status dialog for the Guest User.

I've removed part of the SSO stuff. It was V4-specific and partially hardcoded. I'll add a slightly better configurable SSO in V6, maybe even later today (pretty sure that I'll get that done today). Sorry, I forgot to mention that.

@[deleted]

OK, SSO is done. You'll have to set use SSO and your PHP_AUTH_USER in the LDAP Settings. Hopefully your setup will completely work with that. I've tested it with a Samba4 server with ldaps enabled, with osticket hosted on an IIS7.

What if I have multiple domains?

Thank you very much Thane,

Your mod helps me very much.

But what if I have multiple domains? Ex: I have 2 users, jack and john. jack has UserPrincipalName (UPN) jack@test.net, john's is john@test.org. My internal domain is test.com

How should I create LDAP connections?

LDAP Domain : dc=test,dc=com

LDAP Suffix : @test.net , @test.org or @test.net ; @test.org ... ?

LDAP Controller : ad01.test.com

It doesn't allow me to create 2 LDAP connections with the same LDAP Domain and LDAP Controller

What if I have multiple domains?

Thank you very much Thane,

Your mod helps me very much, but what if I have multiple domains?

Ex: I have 2 users, jack and john. jack has UserPrincipalName (UPN) jack@test.net, and john's is john@test.org. My local domain is test.com

How should I create LDAP connections?

LDAP Domain : dc=test,dc=com

LDAP Suffix : @test.net ; test.org or @test.net , test.org ... ?

LDAP Controller : ad01.test.com

It doesn't allow me to create 2 LDAP connections with the same LDAP Domain and Controller

Looks like we're getting close. SSO works for users that already have tickets in the database. However, if I get a new user to login, Full Name is still blank on the Open a New Ticket dialog. I've double checked the user through the LDAP diagnostic, and it is successfully returning givenname and sn from LDAP. These are the fields I've populated in the LDAP config as First Name and Last Name. I looked in the database, and it does create a blank record with subject "ldap_temporary":

ticket_id: 2055

ticketID: 646229

dept_id: 1

sla_id: 1

priority_id: 1

topic_id: 1

staff_id: 0

team_id: 0

email:

name:

subject: ldap_temporary

helptopic: NULL

phone:

phone_ext:

ip_address:

status: closed

source: Other

isoverdue: 0

isanswered: 0

duedate: NULL

reopened: NULL

closed: NULL

lastmessage: NULL

lastresponse: NULL

created: 0000-00-00 00

updated: 0000-00-00 00

Filter help

I installed V5 and still can't connect. Can you provide me with a few different filter commands? I'm a bit new to the filters.

I'd suggest using V6. For the LDAP Filter, I use: (&(uid=%USERNAME%)). So when users log in, I want LDAP to use what's in the uid field for the user name in osTicket. It is helpful to connect to your LDAP with an LDAP explorer and map out which field is which. I use JXplorer for this, and to ensure I have the correct fields for the rest of the LDAP configuration as well. Then I use the LDAP Diagnostic tool to ensure it's getting the field correctly - I found that though my LDAP Explorer said "givenName", it actually needed "givenname" (as suggested by Thane).
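
The filter template from the post above, expanded with the login name escaped per RFC 4515 so that characters such as `*`, `(` and `)` in a name are treated as data rather than filter syntax. This is an added example, not the mod's code: `escapeFilterValue()` and `buildLdapFilter()` are hypothetical names, and the `%USERNAME%` substitution is assumed from the filter quoted above.

```php
<?php
// Added example, not code from the mod. Function names are hypothetical.

// Escape a value for use inside an LDAP search filter (RFC 4515).
function escapeFilterValue(string $value): string
{
    if (function_exists('ldap_escape')) {          // ext-ldap is loaded
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback: replace the backslash first so later escapes stay intact.
    return str_replace(
        ['\\', '*', '(', ')', "\0"],
        ['\\5c', '\\2a', '\\28', '\\29', '\\00'],
        $value
    );
}

// Expand a filter template such as "(&(uid=%USERNAME%))" for one login name.
function buildLdapFilter(string $template, string $username): string
{
    if (strpos($template, '%USERNAME%') === false) {
        throw new InvalidArgumentException('template lacks %USERNAME%');
    }
    if ($username === '') {
        // Refuse to search with an empty value such as "(uid=)".
        throw new InvalidArgumentException('empty username');
    }
    return str_replace('%USERNAME%', escapeFilterValue($username), $template);
}

// Constructed login names: two plain ones and two containing filter metacharacters.
$template = '(&(uid=%USERNAME%))';
foreach (['user@domain.com', 'ostclient', '*', 'smith (ext)'] as $name) {
    printf("%-16s => %s\n", $name, buildLdapFilter($template, $name));
}
```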

@[deleted]

I've noticed that both phone fields are empty too. The cause is probably the ldapGetUsernameFromEmail function. So I've added diagnostic messages to this and the ldapGetEmail function. Please download V7 and check LDAP Diagnostic again.

My diagnostic output is:

calling ldap_connect with: "ldaps://192.168.178.40"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with "administrator@vpg.local" and his password

using the filter: "(&(sAMAccountName=ostclient))"

calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(sAMAccountName=ostclient))" and the Attributes: "array("cn")"

LDAP returned field data: "ost client"

Debug of function ldapGetEmail():

getting the email of user: "ostclient"

binding to ldap with "administrator@vpg.local" and his password

calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(sAMAccountName=ostclient))" and the Attributes: "array("mail")"

LDAP returned field data: "ost.client@vpg.de"

Debug of function ldapGetUsernameFromEmail():

getting the user of email: "ost.client@vpg.de"

binding to ldap with "administrator@vpg.local" and his password

calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(mail=ost.client@vpg.de))" and the Attributes: "array("samaccountname")"

LDAP returned field data: "ostclient"

It appears to be binding to both LDAP entries - domain.com and lex.adapps.domain.com are different LDAP domains. Anyway, here's my diagnostic output for user@domain.com:

Result: Leave empty to use the Administrator in LDAP Settings

calling ldap_connect with: "ldaps://ldap.domain.com"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

using the filter: "(&(uid=user@domain.com))"

calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("givenname")"

LDAP returned field data: "FirstName"

Debug of function ldapGetEmail():

getting the email of user: "user@domain.com"

binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("uid")"

LDAP returned field data: "user@domain.com"

Debug of function ldapGetEmail():

getting the email of user: "user@domain.com"

binding to ldap with "admin@lex.adapps.domain.com" and his password

calling ldap_search with the domain: "DC=lex,DC=adapps,DC=domain,DC=com", the Filter: "(&(sAMAccountName=user@domain.com))" and the Attributes: "array("mail")"

LDAP returned nothing...

Debug of function ldapGetUsernameFromEmail():

getting the user of email: "user@domain.com"

binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("uid")"

LDAP returned field data: "user@domain.com"

Debug of function ldapGetUsernameFromEmail():

getting the user of email: "user@domain.com"

binding to ldap with "admin@lex.adapps.domain.com" and his password

calling ldap_search with the domain: "DC=lex,DC=adapps,DC=domain,DC=com", the Filter: "(&(mail=user@domain.com))" and the Attributes: "array("sAMAccountName")"

LDAP returned nothing...