DOH! I am not a smart man. I forgot to install the php ldap module....silly me.

Thanks Thane

LDAP connection problem

@jk11

for an ad you don't need to use rdn, you can set rdn to off and use the filter in the example:

(&(sAMAccountName=%USERNAME%))

I've added rdn for those cases, where you can't bind with a filter.

Thank you for your answer. I set rdn to off. The result of LDAP diagnostic:

Result: Leave empty to use the Administrator in LDAP Settings

calling ldap_connect with: "XXX" and port "XXX"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with "XXX" and his password

Invalid credentials

errno: 49

Cannot authenticate with LDAP server.

Any idea?

Authorization

there was a problem with authorization under the domain account. if the user is binded to only one computer, access to the site is prohibited. Someone faced with such?

disable e-mail / ticket # login

Hi,

we just tried out osticket and the ldap mod, which works great. We´re wondering if it would be possible to force users to login with AD Username/password or accounts managed from inside osticket, and remove the possibility to use e-mail/ticket number.

Why would we do this?

we only use osticket internally, no external support, so everybody has an AD account. In tickets could be senitive information, and if someone ever gets one ticket number of another user he would be able to read all tickets of this user, what we consider as a security issue.

So maybe you have an Idea how to disable the possibility to use e-mail/ticket # to log in?

@JK11

Did you set the correct suffix?

Suffix is correct.

1) Whats is the difference between Enabling or Disabling the radio button on

I disabled the button BUT am still able to run the LDAP Diagnostic successfully :

2) If I enabled the above, whenever I click on 'Support Home Center' or 'Open New Ticket', the link will always go to 'Check Ticket Status' (view.php)

Am I missing anything obvious? :

@[deleted],

Is the mod for osticket new ticket page OR is it for staff login to scp only ?

Am kinda confused :(

I'm sorry that i'm replying that late.

@[deleted]

try a suffix with like the following: @[deleted]

griffinaaronj could authenticate that way.

I changed the suffix, but it didn't help :( Any other idea?

Regardless, thank you very much for your time and help.

direct from LDAP

Thane,

Is there a way to allow staff to login straight from LDAP, without having to have their username created in the staff table ?

Hey,

Having a bit of an issue. I've set up everything and was able to create the LDAP connection successfully, but whenever I set the Global LDAP settings to enable AD-linked login, I can't save the changes on that page. When I click save changes, the page says "LDAP connection updated successfully", but the settings all reset back to disabled and the PHP server auth variable field clears. Anything you can think of that would cause this?

edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to (your table prefix) + "ldap_config" by default, right?

edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to "ost_ldap_config" by default, right?

Good catch, I had the same issue.

Dear Thane,

Thank you for all your hard work! I just managed to get osTicket + your LDAP implementation going. Planning on making SSO working as well.

One thing I noticed is that upon login via a ldap user its phone, email and cn are registered permanently. Meaning that once I change one of these fields in our AD osTicket never updates these field later on.

Is this normal behaviour and how hard would it be to implement an updating mechanism for these fields for newly created tickets (or possibly existing ones as well)?

I currently have ldap v11 + ost 1.7.0 installed.

Cheers.

just updated, thanks for all your work thane

Just another note while it's on my mind - I don't know if this was an issue with my install specifically, but the checks on the index.php page to change the text between "open ticket as guest" and "open a new ticket" - or between "Log In" and "Check Ticket Status" (the ones that are using LDAP:()) weren't working for me. Everything else is working - my AD users are able to log in successfully - but for some reason those buttons aren't changing.

It's not a big deal since I was planning to disable that page anyway, but I figured I'd ask. Thanks for the quick update on the last problem I ran into, really appreciate it.

@[deleted]

That's as intended, well... in a way. Osticket saves the userdata in the database and retrieves it with every following ticketcreation. You'd get a similar behaviour with the unmodified version. Currently you'd have to manually update every ticket created by the user.

I'll think on a way to improve that.

Thank you for your response! Just to clarify what I meant.

For existing tickets I would consider it to be normal behavior to not have the fields updated. They should be regarded as historical archive anyway in a sense.

Though for newly created ticket you would want to most up to date user information from LDAP (AD). Thus a login action should always update the fields mail, phone and such.

Cheers.

Thane,

Found another fun thing. On the staff side, the "Closed Ticket" still counts tickets with subject ldap_temporary but staff can't see them (so if someone logs in and never creates a ticket for themselves, the Closed Tickets count is higher than the actual number!). My fix:

In \include\class.ticket.php, function getStaffStats, find the part of the SQL query that looks like this:

.' LEFT JOIN '.TICKET_TABLE.' closed

ON (closed.ticket_id=ticket.ticket_id

AND closed.status=\'closed\')'

Change it as follows:

.' LEFT JOIN '.TICKET_TABLE.' closed

ON (closed.ticket_id=ticket.ticket_id

AND closed.status=\'closed\')'

AND closed.subject!=\'ldap_temporary\'

Thanks!

Please help

We need to bind accounts in AD to the names of PCs, but if we will do it, users can`t enter site.

Hello Thane, is it possible to enable LDAP debugging in your module, if this functional are present?

I'm working with be606 on the same problem that he describes, maybe i can fix it with some debug output and black magic...

Fatal error: Class 'Mcrypt' not found

Hello Thane, I am trying out osticket v1.71 and I have installed v13 of your mod. I get the following message when I try to save a password in the LDAP settings: "Fatal error: Class 'Mcrypt' not found in /var/www/osticket/include/class.ldap.php on line 875" I have verified that Mcrypt is setup properly via phpinfo.

I have not installed any other mods and I am running Ubuntu v12.04.

Thank you for providing this functionality,

-David

Hello Thane, I am trying out osticket v1.71 and I have installed v13 of your mod. I get the following message when I try to save a password in the LDAP settings: "Fatal error: Class 'Mcrypt' not found in /var/www/osticket/include/class.ldap.php on line 875" I have verified that Mcrypt is setup properly via phpinfo.

I have not installed any other mods and I am running Ubuntu v12.04.

Thank you for providing this functionality,

-David

Mcrypt class was replaced with Crypto class in 1.7.1-rc1: https://github.com/osTicket/osTicket-1.7/releases/tag/v1.7.1-rc1(https://github.com/osTicket/osTicket-1.7/releases/tag/v1.7.1-rc1)

You'll have to change Mcrypt to Crypto in class.ldap.php on lines 566 and 875.

Mcrypt class was replaced with Crypto class in 1.7.1-rc1: https://github.com/osTicket/osTicket-1.7/releases/tag/v1.7.1-rc1(https://github.com/osTicket/osTicket-1.7/releases/tag/v1.7.1-rc1)

You'll have to change Mcrypt to Crypto in class.ldap.php on lines 566 and 875.

That fixed it. Thanks! :)

@[deleted]

osTicket 1.7.1, ldap mod 14

My setting :

LDAP Domain=mydomain,DC=local

LDAP Filter:(&(sAMAccountName=%USERNAME%))

LDAP Controller.168.1.5

LDAP Port

LDAP Suffix:@mydomain.local

RDN Scheme=%CN%,cn=Users,dc=mydomain,dc=local

Use RDN Binding

LDAP Admin

LDAP Admins CS=Users,DC=mydomain,DC=local

LDAP Admin Password:********

But cannot connect to LDAP with this error :

The website encountered an error while retrieving http://xxx.xxx.xxx.22/support/scp/settings.php?t=ldap&id=1(http://xxx.xxx.xxx.22/support/scp/settings.php?t=ldap&id=1). It may be down for maintenance or configured incorrectly

What setting I have to check ?

Thank you in advanced.

Client name not populating after logging in with AD credentials

I just installed the Mod on version 1.7.1 and it worked fine. The only problem is the name field and the telephone field does not get populated even though i enabled it in the settings. Is there a reason for this or am I doing something wrong?

Also, It used to be if the user did not have an account on osTicket, then they can't log in even if they have correct credentials in AD. Is there any way to only allow users from a specific security group to login to osTicket?

Thanks for the help in advance!

I just installed the Mod on version 1.7.1 and it worked fine. The only problem is the name field and the telephone field does not get populated even though i enabled it in the settings. Is there a reason for this or am I doing something wrong?

Also, It used to be if the user did not have an account on osTicket, then they can't log in even if they have correct credentials in AD. Is there any way to only allow users from a specific security group to login to osTicket?

Thanks for the help in advance

I am having this exact same problem, Full Name is not being populated for the Ad accounts accessing osTicket. Because of this, no one can submit a ticket. I get an error that states "Missing or invalid data - check the errors and try again" but there are no red fields, so I assume because Full Name isn't populating that this is why I receive this. Anyone have input on this?

LDAP Field settings:

LDAP Email: mail

LDAP First Name: givenname

LDAP Last Name: sn

LDAP User Field: sAMAccountName

LDAP Phone Field: telephonenumber (also doesnt populate)

Kdeal: have you tried submitting a ticket without those fields populated? Do you get those errors too?

Here is what it looks like:

osTicket 1.7.1, ldap mod 14

My setting :

LDAP Domain=mydomain,DC=local

LDAP Filter:(&(sAMAccountName=%USERNAME%))

LDAP Controller.168.1.5

LDAP Port

LDAP Suffix:@mydomain.local

RDN Scheme=%CN%,cn=Users,dc=mydomain,dc=local

Use RDN Binding

LDAP Admin

LDAP Admins CS=Users,DC=mydomain,DC=local

LDAP Admin Password:********

But cannot connect to LDAP with this error :

The website encountered an error while retrieving http://xxx.xxx.xxx.22/support/scp/settings.php?t=ldap&id=1(http://xxx.xxx.xxx.22/support/scp/settings.php?t=ldap&id=1). It may be down for maintenance or configured incorrectly

What setting I have to check ?

Thank you in advanced.

Anyone can help me on this ? Appreciate.

I am having this exact same problem, Full Name is not being populated for the Ad accounts accessing osTicket. Because of this, no one can submit a ticket. I get an error that states "Missing or invalid data - check the errors and try again" but there are no red fields, so I assume because Full Name isn't populating that this is why I receive this. Anyone have input on this?

I figured this out on my install, have not tested it or dug into it to see why this is.

change sAMAccountName and givenName to samaccountname and givenname all lowercase. This is NOT what active directory expects so it shouldn't work, but in this case for whatever reason it makes it work.

Like I said, I have not yet dug deeper to fix this, just made the changes to get it to work until I have time to do that.

Hi Thane,

You are right!!! problem with the xampp web server. Thank you very very much!

Sorry for the late reply, i had a lot to do.

@sucek

That looks like a server error to me. You could try to enable error reporting in php, to see if there are any programming errors. To enable that set

ini_set('display_errors', 0);

ini_set('display_startup_errors', 0);

To

ini_set('display_errors', 1);

ini_set('display_startup_errors', 1);

in main.inc.php

@kdeal108(first question), Crestmark

Up till V15, the mod fetched the clientdata (name, phone, etc) only the first time. After that osticket would fill those fields by itself with the data of the older tickets. That could lead to the behaviour you are experiencing. To check that, see if you have any tickets in your database with 'ldap_temporary' as subject and if they have an empty name.

You can test if the mod can get the contents of those fields with the ldap diagnostic page. Set the Field to 'givenname' and the username to the one, that has those problems. Then click on Test. you should get something like the following as an output if everything is set up correctly:

calling ldap_connect with: "192.168.178.40" and port "389"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with "administrator@vpg.local" and his password

using the filter: "(&(sAMAccountName=ostclient))"

calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(sAMAccountName=ostclient))" and the Attributes: "array("givenname")"

LDAP returned field data: "osticket"

Debug of function ldapGetEmail():

getting the email of user: "ostclient"

binding to ldap with "administrator@vpg.local" and his password

calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(sAMAccountName=ostclient))" and the Attributes: "array("mail")"

LDAP returned field data: "ost.client@vpg.de"

Debug of function ldapGetUsernameFromEmail():

getting the user of email: "ost.client@vpg.de"

binding to ldap with "administrator@vpg.local" and his password

calling ldap_search with the domain: "DC=vpg,DC=local", the Filter: "(&(mail=ost.client@vpg.de))" and the Attributes: "array("samaccountname")"

LDAP returned field data: "ostclient"

The line LDAP returned field data: "osticket" is the important one here. ("osticket" is the given name of that user)

If you update to V15 and make sure that your ldap connection is set up correctly you should get everything populated.

@kdeal108(second question)

Currently you have to create a staff user (in osticket) with exactly the same username as the one in ldap, to allow them to log in with ldap credentials. That limits the users that can log in as staff. On client-side there is no limitation. To my knowledge there never was one. At least not in this mod.

can not change email

Hi Thane,

After success connect to LDAP, then I cannot change the email address. Email address is populated from LDAP server and its running well. But sometimes user need to use their alt email address instead of LDAP email. Or in condition that staff get the issue by phone and need to put the user email address in new ticket. How to set that ? Thank you in advanced.

First I want to thank you for putting your time into this mod and posting it!

Unfortunately I'm having an issue related to authentication. When I test from the LDAP Diag page it works quickly, however, when I try to log in from the client page most of the time it takes up to 3-5 minutes before it'll finish the authentication and allow the login. It also will happen on the admin page but it doesn't seem to happen as often there.

EDIT: To further clarify the issue... I can run ldapsearch from the command line and it will come back with the query almost instantly. I just don't know what the difference is in the login process using the ldap mod.

Bug in RDN bind and Phone Ext

For RDN bind to work is needed to use the admin login id from db:

Original Code:

if(!LDAP:($rowset))

Fixed code:

if(!LDAP:($rowset))

The phone extension will be set to the value of the phone if ldap_ext_length is 0:

Original Code:

if($info > 0){

$phone=$info[$rowset;

$extlen=$rowset;

$phone=substr($phone,$extlen*(-1));

$phone=trim($phone);

if($phone!="")

{

break;

}

Fixed Code:

if($info > 0){

if($rowset>0)

{

$phone=$info[$rowset;

$extlen=$rowset;

$phone=substr($phone,$extlen*(-1));

$phone=trim($phone);

if($phone!="")

{

break;

}

}

@[deleted]

There are multiple (about 8) ldap queries (and logins of course) per osticket client login and a single ldap login for scp side. Yes that's inefficient, but i didn't have a lot of time to optimize that. Still that shouldn't result in 5 minutes of fetching. I get the pages within 3 seconds. ldap server is a samba4 running in ubuntu 12.10 on a vmware host. Webserver is a Windows Server 2008 R2 with IIS and PHP 5.4, also on a vmware host (the same one).

Are the pages loading slowly (>5 seconds) in a unmodded osticket?

No, the pages load really quickly on an unmodded version. Our webserver is a Ubuntu 12.04 box and the LDAP authentication is being done against our corporate AD server (obviously Windows).

I know this is the line it stops on for that long period of time but haven't got further down to figure out the problem yet because I have to get this implemented soon so didn't have any more time to play. Having to skip the client LDAP authentication for now unfortunately.

if($_POST||(LDAP:()&&LDAP:()&&(isset($_SERVER)&&$_SERVER!="")))