LDAP connection problem

@jk11

for an ad you don't need to use rdn, you can set rdn to off and use the filter in the example:

(&(sAMAccountName=%USERNAME%))

I've added rdn for those cases, where you can't bind with a filter.

Thank you for your answer. I set rdn to off. The result of LDAP diagnostic:

Result: Leave empty to use the Administrator in LDAP Settings

calling ldap_connect with: "XXX" and port "XXX"

setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

binding to ldap with "XXX" and his password

Invalid credentials

errno: 49

Cannot authenticate with LDAP server.

Any idea?

Authorization

there was a problem with authorization under the domain account. if the user is binded to only one computer, access to the site is prohibited. Someone faced with such?

disable e-mail / ticket # login

Hi,

we just tried out osticket and the ldap mod, which works great. We´re wondering if it would be possible to force users to login with AD Username/password or accounts managed from inside osticket, and remove the possibility to use e-mail/ticket number.

Why would we do this?

we only use osticket internally, no external support, so everybody has an AD account. In tickets could be senitive information, and if someone ever gets one ticket number of another user he would be able to read all tickets of this user, what we consider as a security issue.

So maybe you have an Idea how to disable the possibility to use e-mail/ticket # to log in?

@JK11

Did you set the correct suffix?

Suffix is correct.

1) Whats is the difference between Enabling or Disabling the radio button on

I disabled the button BUT am still able to run the LDAP Diagnostic successfully :

2) If I enabled the above, whenever I click on 'Support Home Center' or 'Open New Ticket', the link will always go to 'Check Ticket Status' (view.php)

Am I missing anything obvious? :

@[deleted],

Is the mod for osticket new ticket page OR is it for staff login to scp only ?

Am kinda confused :(

I'm sorry that i'm replying that late.

@[deleted]

try a suffix with like the following: @[deleted]

griffinaaronj could authenticate that way.

I changed the suffix, but it didn't help :( Any other idea?

Regardless, thank you very much for your time and help.

direct from LDAP

Thane,

Is there a way to allow staff to login straight from LDAP, without having to have their username created in the staff table ?

Hey,

Having a bit of an issue. I've set up everything and was able to create the LDAP connection successfully, but whenever I set the Global LDAP settings to enable AD-linked login, I can't save the changes on that page. When I click save changes, the page says "LDAP connection updated successfully", but the settings all reset back to disabled and the PHP server auth variable field clears. Anything you can think of that would cause this?

edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to (your table prefix) + "ldap_config" by default, right?

edit: Never mind. Had to modify settings-ldap-global.inc.php. The query is pointing to "ldap_ldap_config" table when it should be pointing to "ost_ldap_config" by default, right?

Good catch, I had the same issue.

Dear Thane,

Thank you for all your hard work! I just managed to get osTicket + your LDAP implementation going. Planning on making SSO working as well.

One thing I noticed is that upon login via a ldap user its phone, email and cn are registered permanently. Meaning that once I change one of these fields in our AD osTicket never updates these field later on.

Is this normal behaviour and how hard would it be to implement an updating mechanism for these fields for newly created tickets (or possibly existing ones as well)?

I currently have ldap v11 + ost 1.7.0 installed.

Cheers.

just updated, thanks for all your work thane

Just another note while it's on my mind - I don't know if this was an issue with my install specifically, but the checks on the index.php page to change the text between "open ticket as guest" and "open a new ticket" - or between "Log In" and "Check Ticket Status" (the ones that are using LDAP:()) weren't working for me. Everything else is working - my AD users are able to log in successfully - but for some reason those buttons aren't changing.

It's not a big deal since I was planning to disable that page anyway, but I figured I'd ask. Thanks for the quick update on the last problem I ran into, really appreciate it.

@[deleted]

That's as intended, well... in a way. Osticket saves the userdata in the database and retrieves it with every following ticketcreation. You'd get a similar behaviour with the unmodified version. Currently you'd have to manually update every ticket created by the user.

I'll think on a way to improve that.

Thank you for your response! Just to clarify what I meant.

For existing tickets I would consider it to be normal behavior to not have the fields updated. They should be regarded as historical archive anyway in a sense.

Though for newly created ticket you would want to most up to date user information from LDAP (AD). Thus a login action should always update the fields mail, phone and such.

Cheers.

Thane,

Found another fun thing. On the staff side, the "Closed Ticket" still counts tickets with subject ldap_temporary but staff can't see them (so if someone logs in and never creates a ticket for themselves, the Closed Tickets count is higher than the actual number!). My fix:

In \include\class.ticket.php, function getStaffStats, find the part of the SQL query that looks like this:

.' LEFT JOIN '.TICKET_TABLE.' closed

ON (closed.ticket_id=ticket.ticket_id

AND closed.status=\'closed\')'

Change it as follows:

.' LEFT JOIN '.TICKET_TABLE.' closed

ON (closed.ticket_id=ticket.ticket_id

AND closed.status=\'closed\')'

AND closed.subject!=\'ldap_temporary\'

Thanks!

Please help

We need to bind accounts in AD to the names of PCs, but if we will do it, users can`t enter site.