CotterPin

  • Dec 9, 2013
  • Joined Apr 16, 2013
  • 0 best answers
  • There were two things I had to do to get things to be responsive.

    1) Make sure host resolution is working. I'm on RedHat, so I had to make sure /etc/resolv.conf and /etc/nsswitch.conf were correctly configured.

    2) Disable IPv6 if you're not using it.

    Between those two things, my osTicket 1.7.3 installation is very quick.

  • Looks like my previous post got lost in the vBulletin troubles. I've finally upgraded to 1.7.3, and got things working. A couple of notes.

    First is that the upgrade script doesn't work properly if you go directly from pre-1.7.0 to 1.7.3. It will allow you to create your LDAP entries, but when you try to modify your global LDAP settings, it fails, telling you that you need an LDAP entry. I got around this by upgrading to generic 1.7.0 first, letting that upgrade script run, then applying the LDAP mod and adding the LDAP entries. After all of that, upgrading to 1.7.3 went fine.

    The second thing I was running into was that upon initial page load to index.php, it would not automatically login (I've got SSO and force LDAP login enabled). So I moved the call to login.php up to the top, which seems to have resolved the issue.

    After:

    require('client.inc.php');

    I moved this:

    global $ldapcon;
    if($ldapcon->ldapActive())
    {
        if($ldapcon->ldapClientForceLogin())
        {
            if(!$thisclient)
            {
                //XXX: Ticket owner is assumed.
                @header('Location: login.php');
                require_once('login.php'); //Just in case of 'header already sent' error.
                exit;
            }
        }
    }

  • I've received positive feedback from the testers of our new osTicket with SSO. One request was to add back the ability to open a ticket on another user's behalf for those times when the requester can't or won't do it themselves. Can we add a button on the "Open a New Ticket" dialog to enable changing the Full Name and email address?

    Second thing - when a user creates a new ticket, their phone number doesn't show up in the phone field on the My Tickets page.

  • please ignore.
    Since this wasn't needed, I've cleaned up my post so as not to confuse anyone.

  • Thanks to Rich_C for posting this. I implemented it in our 1.7 version, and found the following changes are appropriate:

    In the file 'include/staff/preference.inc.php' find:

    I decided to put this in the Admin Control Panel under Alerts & Notices. I created a new table section to separate it from the ticket alerts. In the 'include/staff/settings-alerts.inc.php' find:

    <table class="form_table settings_table" width="940" border="0" cellspacing="0" cellpadding="2">

    Add this code underneath:

    <thead>
        <tr>
            <th>
                <h4>HelpDesk Status</h4>
            </th>
        </tr>
    </thead>
    <tbody>
        <tr><th><em><b>Helpdesk Message:</b> Banner message for all clients</em></th></tr>
        <tr>
            <td><textarea rows="6" cols="114" name="helpdesk_message"><?=$config['helpdesk_message']?></textarea>
            </td>
        </tr>
    </tbody>

    Next, we want to add the section of code that will display the message. Rich_C put it in index.php:

    Now in index.php find:

    However, instead of on the main page, I wanted it on all pages. So I edited 'include/client/header.inc.php'. In that file, find:

    <?php
    }elseif($nav){ ?>
    Guest User - login.php">Log In
    <?php
    } ?>

    and add the following after:

    Current HelpDesk Status

    <?php echo $cfg->HelpDeskMessage(); ?>

    The next bit is the same:

    Now in 'include/class.config.php' after the following

    function getBaseUrl(){ //Same as above with no trailing slash.
        return rtrim($this->getUrl(),'/');
    }

    Add this code:

    function HelpDeskMessage(){
        //Banner text stored in the helpdesk_message config column.
        return $this->config['helpdesk_message'];
    }

    Now we need to update the Config class:

    In the same file 'include/class.config.php' after:

    We're still tracking with Rich_C, but this one is a little different as well. In the same file 'include/class.config.php', look for the function:

    function updateAlertsSettings($vars, &$errors) {

    Scroll down until you find:

    $sql= 'UPDATE '.CONFIG_TABLE.' SET updated=NOW() '

    After that, add this code:

    .',helpdesk_message='.db_input($vars['helpdesk_message'])

    The MySQL commands are the same:

    Now run the following query on your database:

    ALTER TABLE ost_config
    ADD helpdesk_message text;

    Now you can go into the Admin Control Panel => Settings => Alerts & Notices, and update your banner message. My screen shots are attached.

    CotterPin

    Banner1.JPG

    Banner2.JPG

  • Many thanks to you too, you've done some extensive testing there!

    If you like I'll add a special thanks section in the first post with you in it, you've earned it.

    No worries, I was happy to do it. As I see it, I learned some things about php and I got a great custom mod out of the deal!

  • So you could check if the users with unfilled fields have an empty ldap_temporary ticket. If that's the case, delete those tickets. Then try again.

    That was it. The ldap_temporary ticket that was in the database for that user did not show up in the osTicket interface, only through a MySQL query. I deleted that record, and now the user's fields fully populate in the Open New Ticket dialog, and tickets are creating successfully. Success!

    Thane, many many thanks for all your work on this!

  • Ok, I was considering that I have to strip the @[deleted] for the other functions. But it should work as it is now. Do new users get the fields filled now?

    Yes, the users can login, and the fields populate. Mostly. It appears we have two cases:

    If the user already has tickets in the database, the Open New Ticket dialog works fine, and they can create a new ticket and view their other tickets.

    If the user does not have tickets in the database, it shows them logged in with 0 tickets. When they try to create a new one, only the Email Address field populates. Full Name is blank, and they get the error "Missing or invalid data - check the errors and try again" when they try to create one.

    Also, the ldap_temporary database record is only created if they create the ticket while not logged in (guest). I'm thinking that's by design, but wanted to mention it for clarity.

  • The normal binding is in a while loop and tries all of your LDAP entries. That's why authentication with not trusted domains is possible. Though it creates a bit of overhead. I'll think of a way to remove the overhead later, I have to optimize the code anyway.

    Regarding the error, I didn't expect a username@domain to return from ldapGetUsernameFromEmail. Do your users in the domain.com enter their email address/user@domain or just the username?

    Sorry I wasn't clearer about that before -- the confusion comes from having two different domains to work with. In our local domain (for Staff), they use a user name as expected. However, our corporate domain (I obfuscated with domain.com) uses email as uid, so we authenticate to almost everything with our email address as user name. So in this case, I'm using uid for both user name and email, as reflected in the debug.

    So for clarity, here's what we've got:

    uid = user name

    uid = email address

    cn = full name

    givenname = first name

    sn = last name

    Please try using this class.ldap.php. It breaks out of the while loops when it gets results. It may be that the second run overwrites the first. That shouldn't happen with this class.ldap.php.

    Yep, that works:

    Result: Leave empty to use the Administrator in LDAP Settings

    calling ldap_connect with: "ldaps://ldap.domain.com"

    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

    binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

    using the filter: "(&(uid=user@domain.com))"

    calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("givenname")"

    LDAP returned field data: "Firstname"

    Debug of function ldapGetEmail():

    getting the email of user: "user@domain.com"

    binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

    calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("uid")"

    LDAP returned field data: "user@domain.com"

    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: "user@domain.com"

    binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

    calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("uid")"

    LDAP returned field data: "user@domain.com"

  • @CotterPin

    I've noticed that both phone fields are empty too. The cause is probably the ldapGetUsernameFromEmail function. So I've added diagnostic messages to this and the ldapGetEmail function. Please download the V7 and check LDAP Diagnostic again.

    It appears to be binding to both LDAP entries - domain.com and lex.adapps.domain.com are different LDAP domains. Anyway, here's my diagnostic output for user@domain.com:

    Result: Leave empty to use the Administrator in LDAP Settings

    calling ldap_connect with: "ldaps://ldap.domain.com"

    setting LDAP_OPT_PROTOCOL_VERSION to 3 and LDAP_OPT_REFERRALS to 0

    binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

    using the filter: "(&(uid=user@domain.com))"

    calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("givenname")"

    LDAP returned field data: "FirstName"

    Debug of function ldapGetEmail():

    getting the email of user: "user@domain.com"

    binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

    calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("uid")"

    LDAP returned field data: "user@domain.com"

    Debug of function ldapGetEmail():

    getting the email of user: "user@domain.com"

    binding to ldap with "admin@lex.adapps.domain.com" and his password

    calling ldap_search with the domain: "DC=lex,DC=adapps,DC=domain,DC=com", the Filter: "(&(sAMAccountName=user@domain.com))" and the Attributes: "array("mail")"

    LDAP returned nothing...

    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: "user@domain.com"

    binding to ldap with "cn=ESCEAUTH,ou=Applications,o=domain.com" and his password

    calling ldap_search with the domain: "o=domain.com", the Filter: "(&(uid=user@domain.com))" and the Attributes: "array("uid")"

    LDAP returned field data: "user@domain.com"

    Debug of function ldapGetUsernameFromEmail():

    getting the user of email: "user@domain.com"

    binding to ldap with "admin@lex.adapps.domain.com" and his password

    calling ldap_search with the domain: "DC=lex,DC=adapps,DC=domain,DC=com", the Filter: "(&(mail=user@domain.com))" and the Attributes: "array("sAMAccountName")"

    LDAP returned nothing...

  • I installed V5 and still can't connect. Can you provide me with a few different filter commands? I'm a bit new to the filters.

    I'd suggest using V6. For the LDAP Filter, I use: (&(uid=%USERNAME%)) So when users login, I want LDAP to use what's in the uid field for the user name in osTicket. It is helpful to connect to your LDAP with an LDAP explorer and map out which field is which. I use (JXplorer) for this, and to ensure I have the correct fields for the rest of the LDAP configuration as well. Then I use the LDAP Diagnostic tool to ensure it's getting the field correctly - I found that though my LDAP Explorer said "givenName", it actually needed "givenname" (as suggested by Thane).
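The filter template and attribute-name behaviour described in this post, as an added PHP example that is not part of osTicket or the LDAP mod. The function names are hypothetical and the sample inputs are constructed; it escapes the login name per RFC 4515 before substituting it for `%USERNAME%`, and looks attributes up by lowercase key, which is how PHP's `ldap_get_entries()` returns them.

```php
<?php
// Added example: not part of osTicket or the LDAP mod. Function names are hypothetical.

// Escape a value for use inside an LDAP search filter (RFC 4515).
// strtr() with an array does a single pass, so inserted backslashes are not re-escaped.
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

// Expand the %USERNAME% placeholder of a configured filter template.
function buildUserFilter(string $template, string $username): string
{
    return str_replace('%USERNAME%', escapeFilterValue($username), $template);
}

// Return the first value of an attribute from one ldap_get_entries() entry.
// That function lowercases attribute names in its array keys, so the
// configured name is lowercased before the lookup.
function firstAttributeValue(array $entry, string $attribute): ?string
{
    $key = strtolower($attribute);
    return isset($entry[$key][0]) ? (string) $entry[$key][0] : null;
}

$template = '(&(uid=%USERNAME%))';   // filter quoted in the post

// Constructed login names: one plain, one containing filter metacharacters.
echo buildUserFilter($template, 'user@domain.com'), "\n";
echo buildUserFilter($template, 'j.smith (contractor)'), "\n";

// Constructed entry in the shape ldap_get_entries() returns.
$entry = ['givenname' => ['count' => 1, 0 => 'Firstname'], 0 => 'givenname', 'count' => 1];

var_dump(firstAttributeValue($entry, 'givenName'));  // configured in mixed case
var_dump(firstAttributeValue($entry, 'mail'));       // attribute not returned
```

On PHP 5.6 and later with the ldap extension loaded, `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` can replace the hand-written escaper.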

  • Ok, SSO is done. You'll have to set use SSO and your PHP_AUTH_USER in the LDAP Settings. Hopefully your setup will completely work with that. I've tested it with a Samba4 server with ldaps enabled, with osticket hosted on an IIS7.

    Looks like we're getting close. SSO works for users that already have tickets in the database. However, if I get a new user to login, Full Name is still blank on the Open a New Ticket dialog. I've double checked the user through the LDAP diagnostic, and it is successfully returning givenname and sn from LDAP. These are the fields I've populated in the LDAP config as First Name and Last Name. I looked in the database, and it does create a blank record with subject "ldap_temporary":

    ticket_id: 2055

    ticketID: 646229

    dept_id: 1

    sla_id: 1

    priority_id: 1

    topic_id: 1

    staff_id: 0

    team_id: 0

    email:

    name:

    subject: ldap_temporary

    helptopic: NULL

    phone:

    phone_ext:

    ip_address:

    status: closed

    source: Other

    isoverdue: 0

    isanswered: 0

    duedate: NULL

    reopened: NULL

    closed: NULL

    lastmessage: NULL

    lastresponse: NULL

    created: 0000-00-00 00

    updated: 0000-00-00 00

  • Hello CotterPin,

    "givenName" returns nothing for me. I have to write it in all lowercase ('givenname') to make it work. LDAP seems very picky with the attributes. Another nice example is samaccountname. I have to write 'sAMAccountName' to get the filter working. However if I want the content of samaccountname I have to use the attribute 'samaccountname'. So try 'givenname'. If that also doesn't work for you I'll have to patch the class.ldap.php a bit.

    Ok, that worked. I now am able to use the LDAP Diagnostic to verify that I am using the correct filter for First and Last Names. However, client login is not working with the V5 mod. It leaves me as a Guest User, even after clicking "Log In". Clicking "Log In" takes me to the Check Ticket Status dialog for the Guest User.

  • @[deleted]

    Hello CotterPin,

    Could you also check if the customizable filter works for you? Also thanks for the extensive testing.

    Thane,

    No worries, it's the least I could do for the extensive mod work. :) Looks like I've got it working with V5, but it appears that our corporate LDAP won't let me read the givenName attribute. I can only pull down the cn (Full Name) or sn (Last Name). Is there a way I can use the cn attribute for client tickets?

  • Could you check in LDAP Diagnostic if the ldap_firstname_field and ldap_lastname_field are returning anything from that username?

    Oh! I missed that you'd added the diagnostic php file. I ran the ldaptest.php, and it looks like it's failing authentication with LDAP. It appears that it's not using the custom LDAP User Field (for us the LDAP User Field is uid, not sAMAccountName). It says:

    calling ldap_search with the domain: "o=", the Filter: "(&(objectCategory=person)(sAMAccountName=))" and the Attributes: "array("ldap_firstname_field")"

  • Could you login with a new client-user and check in your osticket db if a ticket with the subject 'ldap_temporary' was created for that user with the fields first name and last name filled? If that isn't the case the mod can't fetch those fields for some reason.

    There is an 'ldap_temporary' ticket in the database for that user, but the name field is blank.

  • I have it set up, but it does not work for staff.

    Any ideas?

    Alexnader81,

    Double-check your LDAP configuration of the LDAP connection page within the Admin Panel under Settings. I used JXplorer to validate my LDAP settings to ensure I had the correct field names. Also, make sure you've selected the enabled radio button in the LDAP Settings section.

  • Just to give some feedback, I'm now able to successfully authenticate with both domains. One final thing - if I authenticate with a user that's never created a ticket, the user's Full Name is not getting populated, so they can't create a ticket (see screen shot). If their email address is already in the database, they can login and create tickets fine.

    osTicket LDAP3.PNG

  • D'oh! I looked for missing curly braces, but not in that section. Thanks for that.

    After updating with the latest code, SSO works great against our local internal LDAP. For the clients, though, we have to use the corporate LDAP, which has our user names as user@domain.com. I think the LDAP mod is appending @[deleted] again for the authentication. So I think what's going to our LDAP server is user@domain.com@domain.com. Is there a way I can set the LDAP suffix to be null? I poked around the files, but as you've probably noticed, my PHP skills are level n00b.

  • Hey Thane,

    Thanks again for the quick turnaround! Updating to v.4 worked great, but I'm having an issue with class.ldap.php once I apply the SSO code. I get an error 500 on the site, and a "Parse error: syntax error, unexpected T_PUBLIC in CODE on line 560". I've tried to figure it out, but can't see what the issue is. I'm assuming you wanted me to populate the ldap user field in the LDAP Settings section of osTicket settings. Unfortunately, with the SSO code, I can't get to the Admin panel.