[MOD] LDAP Authentication: Page 9

[MOD] LDAP Authentication

The_Intern

DOH! I am not a smart man. I forgot to install the php ldap module....silly me.

Thanks Thane

JK11

LDAP connection problem

@jk11
for an ad you don't need to use rdn, you can set rdn to off and use the filter in the example:
(&(sAMAccountName=%USERNAME%))
I've added rdn for those cases, where you can't bind with a filter.

Thank you for your answer. I set rdn to off. The result of LDAP diagnostic:

Result: Leave empty to use the Administrator in LDAP Settings

calling ldap_connect with: "XXX" and port "XXX"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with "XXX" and his password

Invalid credentials

errno: 49

Cannot authenticate with LDAP server.

Any idea?

Thane

@[deleted]

Did you set the correct suffix?

@[deleted]

What kind of webserver do you use?

be606

Authorization

there was a problem with authorization under the domain account. if the user is binded to only one computer, access to the site is prohibited. Someone faced with such?

dzer

disable e-mail / ticket # login

Hi,

we just tried out osticket and the ldap mod, which works great. We´re wondering if it would be possible to force users to login with AD Username/password or accounts managed from inside osticket, and remove the possibility to use e-mail/ticket number.

Why would we do this?

we only use osticket internally, no external support, so everybody has an AD account. In tickets could be senitive information, and if someone ever gets one ticket number of another user he would be able to read all tickets of this user, what we consider as a security issue.

So maybe you have an Idea how to disable the possibility to use e-mail/ticket # to log in?

JK11

@JK11
Did you set the correct suffix?

Suffix is correct.

zhza

1) Whats is the difference between Enabling or Disabling the radio button on

blank

I disabled the button BUT am still able to run the LDAP Diagnostic successfully :

2) If I enabled the above, whenever I click on 'Support Home Center' or 'Open New Ticket', the link will always go to 'Check Ticket Status' (view.php)

blank

Am I missing anything obvious? :

zhza

@[deleted],

Is the mod for osticket new ticket page OR is it for staff login to scp only ?

Am kinda confused :(

Thane

I'm sorry that i'm replying that late.

@[deleted]

try a suffix with like the following: @[deleted]

griffinaaronj could authenticate that way.

@[deleted]06

I didn't encounter your issue yet.

@[deleted]

I'll add that as an option in the next update, probably this weekend, maybe later.

@[deleted]

I've added that radio button to disable a ldap connection. This mod is able to connect to multiple ldap servers and you may want to disable a connection for various reasons or preconfigure an additional connection to use it later.

You have SSO (Single Sign On) activated. It probably fails and redirects you to the login page. Setting SSO to off should fix that.

@[deleted],second post

Both, and with a few extra features.

You can enable/disable the client side stuff with ldap for clientaccess.

Yes i know, the settings are convoluted right now. I'll move the settings that have an influence across all ldap connections to a 'global ldap settings' menu in the next update.

JK11

I'm sorry that i'm replying that late.
@[deleted]
try a suffix with like the following: @[deleted]
griffinaaronj could authenticate that way.

I changed the suffix, but it didn't help :( Any other idea?

Regardless, thank you very much for your time and help.

zhza

direct from LDAP

Thane,

Is there a way to allow staff to login straight from LDAP, without having to have their username created in the staff table ?

velinath

Hey,

Having a bit of an issue. I've set up everything and was able to create the LDAP connection successfully, but whenever I set the Global LDAP settings to enable AD-linked login, I can't save the changes on that page. When I click save changes, the page says "LDAP connection updated successfully", but the settings all reset back to disabled and the PHP server auth variable field clears. Anything you can think of that would cause this?

edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to (your table prefix) + "ldap_config" by default, right?

jdgchc

edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to "ost_ldap_config" by default, right?

Good catch, I had the same issue.

boolainen

Dear Thane,

Thank you for all your hard work! I just managed to get osTicket + your LDAP implementation going. Planning on making SSO working as well.

One thing I noticed is that upon login via a ldap user its phone, email and cn are registered permanently. Meaning that once I change one of these fields in our AD osTicket never updates these field later on.

Is this normal behaviour and how hard would it be to implement an updating mechanism for these fields for newly created tickets (or possibly existing ones as well)?

I currently have ldap v11 + ost 1.7.0 installed.

Cheers.

Thane

@[deleted]

I think it's a configuration issue but without knowledge of your system i can only guess. Perhaps you should try rdn again.

@[deleted]

No, osticket itself has a username verification. I'd have to disable that and the result would leave you unable to log in with the traditional method (osticket-user and password). I've planned to offer user import in a future version.

@[deleted]

Thanks for the find and sorry for the issue.

@[deleted]

Sorry for the issue.

@[deleted]

That's as intended, well... in a way. Osticket saves the userdata in the database and retrieves it with every following ticketcreation. You'd get a similar behaviour with the unmodified version. Currently you'd have to manually update every ticket created by the user.

I'll think on a way to improve that.

@[deleted]

Please update to V12, V11 has a nasty bug.

jdgchc

just updated, thanks for all your work thane

velinath

Just another note while it's on my mind - I don't know if this was an issue with my install specifically, but the checks on the index.php page to change the text between "open ticket as guest" and "open a new ticket" - or between "Log In" and "Check Ticket Status" (the ones that are using LDAP:()) weren't working for me. Everything else is working - my AD users are able to log in successfully - but for some reason those buttons aren't changing.

It's not a big deal since I was planning to disable that page anyway, but I figured I'd ask. Thanks for the quick update on the last problem I ran into, really appreciate it.

boolainen

@[deleted]
That's as intended, well... in a way. Osticket saves the userdata in the database and retrieves it with every following ticketcreation. You'd get a similar behaviour with the unmodified version. Currently you'd have to manually update every ticket created by the user.
I'll think on a way to improve that.

Thank you for your response! Just to clarify what I meant.

For existing tickets I would consider it to be normal behavior to not have the fields updated. They should be regarded as historical archive anyway in a sense.

Though for newly created ticket you would want to most up to date user information from LDAP (AD). Thus a login action should always update the fields mail, phone and such.

Cheers.

velinath

Thane,

Found another fun thing. On the staff side, the "Closed Ticket" still counts tickets with subject ldap_temporary but staff can't see them (so if someone logs in and never creates a ticket for themselves, the Closed Tickets count is higher than the actual number!). My fix:

In \include\class.ticket.php, function getStaffStats, find the part of the SQL query that looks like this:

.' LEFT JOIN '.TICKET_TABLE.' closed

ON (closed.ticket_id=ticket.ticket_id

AND closed.status=\'closed\')'

Change it as follows:

.' LEFT JOIN '.TICKET_TABLE.' closed

ON (closed.ticket_id=ticket.ticket_id

AND closed.status=\'closed\')'

AND closed.subject!=\'ldap_temporary\'

Thanks!

be606

Please help

We need to bind accounts in AD to the names of PCs, but if we will do it, users can`t enter site.

« Previous Page Next Page »