LTB Service Desk Active Directory Support

ltb-project / service-desk

Application for support team who need to check and reset user passwords

https://service-desk.readthedocs.io/

GNU General Public License v3.0

49 stars 19 forks source link

LTB Service Desk Active Directory Support #52

Open optiti opened 2 years ago

optiti commented 2 years ago

Hi,

I'm trying to get ltb service desk to work with Microsoft Active Directory but some features like "Change password" and "Lock account" don't work, so I've been looking for a useful log file to debug this behavior with no luck. I also did not get results activating the debug mode.

So my question is: This application works with Active Directory?

My environment is:

Red Hat Enterprise Linux 8.5
Microsoft Active Directory 2019
PHP versión 7.4
Smarty 3

My config.inc.local.php

$debug = false;
$ldap_url = "ldaps://ip.to.my.ad:636";
$ldap_starttls = false;
$ldap_binddn = "CN=Administrator,CN=Users,DC=mydomain,DC=cnp";
$ldap_bindpw = "MyAdminPassword";
$ldap_base = "DC=mydomain,DC=cnp";
$ldap_user_base = $ldap_base;
$ldap_user_filter = "(objectClass=user)";
$ldap_size_limit = 100;

coudot commented 2 years ago

Service Desk is not designed to work with AD for now. AD and OpenLDAP do not have anything in common regarding password management, a lot of code is required. This would be a major feature to put in the roadmap.

See also #48

klepptor commented 1 year ago

Hi!

I would also love to see (full) Active Directory support in LTB Service Desk in the future.

We are already using Self Service Password but would like to provide the service desk functionality as well.

Keep up your great work!

coudot commented 1 year ago

Thanks for your interest, I know it would be a really cool feature. Hope to get some help or funds to code it.

optikkore commented 1 year ago

you can't use the code from https://self-service-password.readthedocs.io/en/stable/ ? It works in our AD environment amazingly. side note if I modified resetpassword.php unlockaccount.php and lockaccount.php with this library that does work (https://github.com/Adldap2/Adldap2) it shoudn't break anything as long as I return all proper values should it?

optikkore commented 1 year ago

made a new config var $admode = true; changed resetpassword.php as such

if($admode) { // create the unicode password
  $password = "\"" . $password . "\"";
  $uniPass="";
  for ($i=0; $i <strlen($password); $i++){ $uniPass .="{$password{$i}}\000";}
  }
  if ($ldap) {
    if ($admode){
            $entry["unicodePwd"] = $uniPass;
        if ( $pwdreset === "true" ) {
            $entry["pwdLastSet"] = 0;
        }
       }else{
        $entry["userPassword"] = $password;
        if ( $pwdreset === "true" ) {
            $entry["pwdReset"] = "TRUE";
        }

working on locking/checking on locked for ad now

optikkore commented 1 year ago

fixed different time stamps for date in smart.inc.php

function convert_ldap_date($date) {
$end = substr($date, -3);
if ($end === ".0Z")
{ 
  return ldapDate2phpDate( $date );
}else{
  $winSecs       = (int)($date / 10000000); // divide by 10 000 000 to get seconds
  $unixTimestamp = ($winSecs - 11644473600); // 1.1.1600 -> 1.1.1970 difference in seconds
  return date(DateTime::RFC822, $unixTimestamp);
}
}

coudot commented 6 days ago

Main work need to be done in LTB-LDAP: https://github.com/ltb-project/ltb-ldap/issues/16