philbertphotos / osticket-multildap-auth-plugin

Plugin for OS Ticket that allows for authentication with multiple domains.
GNU General Public License v3.0

Issues when checking if user is in group #47

Closed jonahbohlmann closed 3 years ago

jonahbohlmann commented 3 years ago

Hello,

I configured the plugin but have issues with account creation for users.

For staff members, I could analyze that authentication against AD was successful. The issue is in file auth.php:

$ldap->checkGroup($username, $staff_group)

I checked the "checkGroup" function deeper and got the following error:

"Decoding error"

After some more time, I saw this:

$info = @ldap_get_entries( $this->connection, $this->result);

And checked what's in there. Then I saw that correct group with correct settings and also the "members" section where my user is in.

But a section "uniqueMember", which is required to check the username inside the group, is missing.

Any idea how I can make "uniqueMember" available? In the UI settings for LDAP, I have most of the default values.

Thanks!

philbertphotos commented 3 years ago

Never seen or heard of this issue. Will have to dig.

philbertphotos commented 3 years ago

The plugin does not check what group users are in to create an account ... that is literally something done internally for staff only.

jonahbohlmann commented 3 years ago

For staff members, the plugin does check if the user is in the required group from the backend. Magic is here: https://github.com/philbertphotos/osticket-multildap-auth/blob/master/multi-ldap/auth.php#L592

And the LDAP Magic is here: https://github.com/philbertphotos/osticket-multildap-auth/blob/master/multi-ldap/class.AuthLdap.php#L367

The problem is, I get something like:

"members" "CN=Lastname\, Firstname,OU=Sub,OU=corp,OU=local"

but I have no "uniqueMember" attribute in my query result from Active Directory:

if ( !$values = @ldap_get_values( $this->connection, $entry, "uniqueMember")) {

But anyway, also when I comment it out or try for clients, the users are not created in osTicket with data from Active Directory.

For instance, this method is called (checked with a var_dump for debugging), but no user is created:

Staff::create($staff, $errors);

Same on client side.

I think the user should be created in database or am I wrong?

What I know from other software:

I think this is done by this plugin too, but the save-method is not working. I have no errors found.

Version: osTicket-Version | osTicket PLUS v1.15.1 (fe1d1f8) Patch-3 — Deutsche Version —  Aktuell

philbertphotos commented 3 years ago

Make sure registration is open ... account creation uses the internal method to create users, so if you deny it users won't be created. Staff must be in the group and log in to the /scp back end; this is an obvious security feature. I made the plugin logic and the LDAP logic; uniquemember is part of AD core and it can't work without it: https://docs.microsoft.com/en-us/windows/win32/adschema/a-uniquemember

philbertphotos commented 3 years ago

Turn on debug in the plugin and check PHP errors.

jonahbohlmann commented 3 years ago

Hi,

thanks!

PHP debugging is enabled.

I will try with allow-register. Maybe it is a special thing that I only want my employees from AD to be able to use the ticket system. In general, I don't want the register possibilities.

About "uniquemember" and your links: I have Windows Server 2019 - any idea how I can enable it there? Could not find any information.

philbertphotos commented 3 years ago

Like I said, Windows AD cannot work without that attribute; it's part of AD, there is nothing to disable. Microsoft will not change this and I know it works with 2019. If they decided to change it, then not only would this plugin break, every app that depends on MS LDAP would be dead in the water.

The library uses this from the Group DN attribute
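The dump quoted above carries the membership list under the `member` attribute, which is where Active Directory group objects store it, while the quoted plugin line reads only `uniqueMember` (the groupOfUniqueNames attribute), so the lookup finds nothing. The following added example, not code from the plugin, shows a fail-closed membership check over an entry in the array shape PHP's `ldap_get_entries()` returns that accepts either attribute and compares DNs without being tripped up by the escaped comma in `CN=Lastname\, Firstname`; the group DN and helper names are constructed for illustration.

```php
<?php
// Added example: fail-closed group membership check over an LDAP entry in the
// array shape PHP's ldap_get_entries() returns (attribute names lower-cased,
// each multi-valued attribute carrying a "count" key). Reads both the
// attribute Active Directory group objects populate ("member") and the
// groupOfUniqueNames attribute ("uniquemember"). Not the plugin's own code.

/**
 * Normalise a DN for comparison: case-insensitive, whitespace around the
 * RDN separators removed, escaped characters left untouched.
 */
function normalizeDn(string $dn): string
{
    // Split on unescaped commas only, so "CN=Lastname\, Firstname" stays one RDN.
    $parts = preg_split('/(?<!\\\\),/', $dn);
    $parts = array_map(fn($p) => strtolower(trim($p)), $parts);
    return implode(',', $parts);
}

/**
 * Return true only when $userDn appears in the group's membership list.
 * A missing attribute is a negative answer (deny), not a decoding error.
 */
function userInGroupEntry(array $groupEntry, string $userDn): bool
{
    $want = normalizeDn($userDn);
    foreach (['member', 'uniquemember'] as $attr) {
        if (!isset($groupEntry[$attr]['count'])) {
            continue; // attribute absent on this entry, try the next one
        }
        for ($i = 0; $i < $groupEntry[$attr]['count']; $i++) {
            if (normalizeDn($groupEntry[$attr][$i]) === $want) {
                return true;
            }
        }
    }
    return false; // fail closed: no usable attribute or no matching DN
}

// Constructed sample entry mirroring the dump quoted in the issue: membership
// is carried by "member"; no "uniquemember" attribute is present.
$group = [
    'dn'     => 'CN=osTicket Staff,OU=Groups,OU=corp,OU=local',
    'member' => ['count' => 1, 0 => 'CN=Lastname\\, Firstname,OU=Sub,OU=corp,OU=local'],
];

var_dump(userInGroupEntry($group, 'cn=Lastname\\, Firstname, ou=Sub,OU=corp,OU=local'));
var_dump(userInGroupEntry($group, 'CN=Someone Else,OU=Sub,OU=corp,OU=local'));
```

With the plugin's debug output enabled, logging which attribute matched (or that neither was present) makes a failed staff login attributable to group membership rather than to a decoding error.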