D'oh! I looked for missing curly braces, but not in that section. Thanks for that.
After updating with the latest code, SSO works great against our local internal LDAP. For the clients, though, we have to use the corporate LDAP, which has our user names as user@domain.com. I think the LDAP mod is appending @[deleted] again for the authentication. So I think what's going to our LDAP server is user@domain.com@domain.com. Is there a way I can set the LDAP suffix to be null? I poked around the files, but as you've probably noticed, my PHP skills are level n00b.
Try the following change:
In class.ldap.php, replace the function
public static function ldapSqlAuthenticate($username, $password, $ldap_id=-1, &$outp=NULL, $debug=false) {
    // Refuse an empty password: many directories treat it as an anonymous bind that "succeeds".
    if($password=='')
    {
        return false;
    }
    $sqlquery='SELECT ' . TABLE_PREFIX . 'ldap_config.ldap_id, ' . TABLE_PREFIX . 'ldap_config.ldap_suffix from ' . TABLE_PREFIX . 'ldap_config';
    if($ldap_id!=-1)
    {
        // cast to int so a non-numeric $ldap_id cannot alter the query
        $sqlquery.=' WHERE ' . TABLE_PREFIX . 'ldap_config.ldap_id='.(int)$ldap_id;
    }
    $sqlquery.=' ORDER BY ' . TABLE_PREFIX . 'ldap_config.priority';
    if(($tmp_res=db_query($sqlquery)) && db_num_rows($tmp_res)>0)
    {
        while($rowset = db_fetch_array($tmp_res)) {
            $ldap = LDAP:($rowset); // static method name garbled in the forum extraction; left as posted
            /*if($ldap!=false)
            {
                echo 'connected successfully<br>';
            }*/
            $old_error_reporting = error_reporting();
            if($debug==false)
            {
                error_reporting(E_ERROR);
            }
            // the column index was lost in the extraction; 'ldap_suffix' is the column selected above
            if($debug==true)
            {
                $outp.='binding to ldap with username "'.$username . $rowset['ldap_suffix'].'" and his password<br>';
            }
            // the configured suffix is appended unconditionally, so "user@domain.com"
            // becomes "user@domain.com@domain.com" when the login already carries it
            $bind = ldap_bind($ldap, $username . $rowset['ldap_suffix'], $password);
            if(!$bind)
            {
                if($debug==true)
                {
                    $outp.=ldap_error($ldap).'<br>';
                    $outp.='errno: '.strval(ldap_errno($ldap)).'<br>';
                }
            }
            ldap_unbind($ldap);
            if($debug==false)
            {
                error_reporting($old_error_reporting);
            }
            if($bind)
            {
                break; // first config (by priority) that binds wins
            }
        }
        return $bind;
    }
    else
    {
        if($debug==true)
        {
            echo $outp.='no ldap config<br>';
        }
    }
    return false;
}
with
public static function ldapSqlAuthenticate($username, $password, $ldap_id=-1, &$outp=NULL, $debug=false) {
    // Refuse an empty password: many directories treat it as an anonymous bind that "succeeds".
    if($password=='')
    {
        return false;
    }
    $sqlquery='SELECT ' . TABLE_PREFIX . 'ldap_config.ldap_id, ' . TABLE_PREFIX . 'ldap_config.ldap_suffix from ' . TABLE_PREFIX . 'ldap_config';
    if($ldap_id!=-1)
    {
        // cast to int so a non-numeric $ldap_id cannot alter the query
        $sqlquery.=' WHERE ' . TABLE_PREFIX . 'ldap_config.ldap_id='.(int)$ldap_id;
    }
    $sqlquery.=' ORDER BY ' . TABLE_PREFIX . 'ldap_config.priority';
    if(($tmp_res=db_query($sqlquery)) && db_num_rows($tmp_res)>0)
    {
        while($rowset = db_fetch_array($tmp_res)) {
            $ldap = LDAP:($rowset); // static method name garbled in the forum extraction; left as posted
            /*if($ldap!=false)
            {
                echo 'connected successfully<br>';
            }*/
            $old_error_reporting = error_reporting();
            if($debug==false)
            {
                error_reporting(E_ERROR);
            }
            // the column index was lost in the extraction; 'ldap_suffix' is the column selected above
            $suffix = $rowset['ldap_suffix'];
            // only append the suffix if the supplied username does not already contain it
            $ldapusr="";
            if(strpos($username, $suffix)!==false)
            {
                $ldapusr=$username;
            }
            else
            {
                $ldapusr=$username . $suffix;
            }
            if($debug==true)
            {
                $outp.='binding to ldap with username "'.$ldapusr.'" and his password<br>';
            }
            $bind = ldap_bind($ldap, $ldapusr, $password);
            if(!$bind)
            {
                if($debug==true)
                {
                    $outp.=ldap_error($ldap).'<br>';
                    $outp.='errno: '.strval(ldap_errno($ldap)).'<br>';
                }
            }
            ldap_unbind($ldap);
            if($debug==false)
            {
                error_reporting($old_error_reporting);
            }
            if($bind)
            {
                break; // first config (by priority) that binds wins
            }
        }
        return $bind;
    }
    else
    {
        if($debug==true)
        {
            echo $outp.='no ldap config<br>';
        }
    }
    return false;
}
This checks if the suffix is there and only adds the suffix if there isn't one already. I can't remove the suffix entirely as it's used in other parts as well.
What also may cause your problem is the one I have in our company. We have to support two different domains. However, those two domains don't trust each other and don't even know each other.
The result is the following:
The webserver that is hosting osTicket is in domain A, and users from domain A can SSO without problems with the way I provided you. The users from domain B however can't, since the webserver doesn't know their domain and thus can't authenticate them.
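The two points above (append the suffix only when the login does not already carry it, then try each ldap_config row in priority order until one binds) modelled in Python, as an added illustration that is not part of the mod or of either post. The config rows, the directory and fake_bind are constructed stand-ins for the SQL table and ldap_bind(); fake_bind also models the domain B problem, a server that only knows its own domain.

```python
def bind_name(username: str, suffix: str) -> str:
    """Name to bind with: append the config's suffix only if the login does
    not already end with it (case-insensitive), avoiding user@d.com@d.com."""
    if not suffix or username.lower().endswith(suffix.lower()):
        return username
    return username + suffix

# Constructed sample of the ldap_config rows, already ordered by priority.
LDAP_CONFIGS = [
    {"ldap_id": 1, "ldap_suffix": "@domain.com", "domain": "domain.com"},
    {"ldap_id": 2, "ldap_suffix": "@internal.local", "domain": "internal.local"},
]

# Constructed stand-in for the directory: UPN -> password (never store passwords like this).
DIRECTORY = {
    "alice@domain.com": "alice-pw",
    "bob@internal.local": "bob-pw",
}

def fake_bind(server_domain: str, name: str, password: str) -> bool:
    """Model of ldap_bind() against a server that only knows its own domain:
    a principal from an untrusted, unknown domain can never bind here."""
    if not name.lower().endswith("@" + server_domain):
        return False
    return DIRECTORY.get(name.lower()) == password

def authenticate(username, password, configs=LDAP_CONFIGS, bind=fake_bind):
    """Return the ldap_id of the first config that binds, or None."""
    if password == "":
        return None  # refuse: an empty password would be an anonymous bind
    for cfg in configs:
        name = bind_name(username, cfg["ldap_suffix"])
        if bind(cfg["domain"], name, password):
            return cfg["ldap_id"]
    return None  # no config knew this user, e.g. a domain B login
```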