philbertphotos / osticket-multildap-auth-plugin

Plugin for OS Ticket that allows for authentication with multiple domains.
GNU General Public License v3.0

Query on how this works #5

Closed EBS-DarkD closed 5 years ago

EBS-DarkD commented 6 years ago

I've got myself into a bit of a bind trying to get your mod working.

The LDAP Auth and Lookup has allowed me to set up agents (autoregister didn't work) who can then use their domain credentials to log in. If I log in on the user side with domain credentials, it creates a 'registered' user account and all I need to do is add them to the correct organisation. We have 20 organisations and 4 domains so the plain LDAP auth isn't any good for what we need.

If I enable your Multi LDAP Auth and Lookup with the same ldap config as I used above and try to use the same user credentials that worked with the LDAP Auth, I get access denied. I've tried:

- username: access denied message but nothing in the error log
- domain\username: access denied message and login error in error log
- username@domain: access denied message and failed login attempt

I've got Staff Auth and Client Auth ticked in the settings and have user + agent sync set to 10 minutes. The sync results are totalldap:0 totalagents:8 updatedusers:0. The sync results are also showing as log type error.

The fact you've got this working on your setup points to something I'm doing wrong with the config or me not understanding how this works. After the last few weeks in work, my brain is frazzled and I'm struggling with joined-up thinking beyond 'eat food, drink booze' level! Let me know if there is any more info you need to assist as I desperately need to get this working.

philbertphotos commented 6 years ago

Before our domain consolidation I had it working with 3 domains without issues at all ... The login format it accepts is "username" only. To help you I would need more information and a look at the log when someone attempts to login. I suggest only adding one domain and testing that it works first, then add the rest.

philbertphotos commented 6 years ago

Because of the limited UI I had to be creative. Please go over the wiki correctly and get back to me. https://github.com/philbertphotos/osticket-multildap-auth/wiki/LDAP-Config

EBS-DarkD commented 6 years ago

Firstly, I've only got it set to one domain right now as we're still in the early testing phase. I've double-checked the settings in the wiki and the only major difference I can see is in the Info lookups search filter: (&(objectCategory=person)(objectClass=user)(|(memberOf=CN=Domain Users,CN=Builtin,DC=siil,DC=local)(primaryGroupID=513))

The LDAP string is missing a final bracket because the field isn't big enough. What do I need to edit to modify the field length or do you have a more appropriate search string (I'm looking for domain users only)?

The other issue I've had with your config form is the Report Address field is also too short! I also need to edit that.

When I try to log in with a user account (that is already registered) I just get the access denied on the screen and nothing in the osTicket system logs screen. Are there any other logs I can look in on the server itself (I have root access)? What I am seeing in the logs is as follows:

results {"totalldap":0, "totalagents":8, "updatedusers":0, "executetime":"0:00:00.01"} Log Date: Thursday, August 17, 2017 at 3:42 PM IP Address:

LDAP Sync Sync executed on (August 17 2017 3:42 pm) next execution in (January 01 1970 5:47 am)Total ldapusers: (0) Total agents: (8) Total Updated Users: (0) Execute Time: (0:00:00.01) Log Date: Thursday, August 17, 2017 at 3:42 PM IP Address:

philbertphotos commented 6 years ago

This is my Search Filter "(&(objectCategory=person)(objectClass=user)(|(sAMAccountName={q})(firstName={q})(lastName={q})(displayName={q})))"

In config.php the length is 120; change it to what you may need.

        'search_base' => new TextboxField(array(
            'label' => $__('Search Filter') ,
            'hint' => $__('Filter used when searching for users') ,
            'configuration' => array(
                'size' => 70,
                'length' => 120
            ) ,
        )) ,

philbertphotos commented 6 years ago

I suggest you check the search filter with an LDAP query tool to see that it works correctly.

philbertphotos commented 6 years ago

Made a change to the config.php to help others understand the search filter.

EBS-DarkD commented 6 years ago

I dug hard and fast and found the settings for both fields, thanks. I'll give your string a try and see if it makes any difference.

EBS-DarkD commented 6 years ago

My string tests out ok though it will need refining before I go live. Using your string didn't make a difference. If I attempt a login with a brand new account that's not listed in the users list already and I have the Force client registration set for your plugin, will it sync the required info out of AD or will I actually need to go through the registration process?

philbertphotos commented 6 years ago

It will not sync users until the next scheduled cycle. I'm working on an update that will sync new users on the fly. I am confident that it will create the user once they log in.

philbertphotos commented 6 years ago

So no ...users will not have to register... and I modified the front-end and removed the Registration part so no one can even try to.

EBS-DarkD commented 6 years ago

Below is the config I've got set; I've even put your search string in.

Whenever it does an ldap sync, I still see the following in the logs:

 LDAP Sync
Sync executed on (August 20 2017 4:09 pm) next execution in (January 01 1970 5:08 am)Total ldapusers: (0) Total agents: (8) Total Updated Users: (0) Execute Time: (0:00:00.543)

Log Date: Sunday, August 20, 2017 at 4:09 PM 
results
{"totalldap":0, "totalagents":8, "updatedusers":0, "executetime":"0:00:00.543"}

Log Date: Sunday, August 20, 2017 at 4:09 PM 

I have two users showing as active and registered (one was created by me but is an AD account, one logged in when the single LDAP mod was running). With your mod enabled, neither user can log in and any other of our standard user accounts can't log in either.

I'm running the latest versions of your files and have set everything up as per the wiki (as far as I can tell). Is there anything else I can do to try to diagnose where this is falling over? Credentials are fine: if I use them in the standard ldap plugin, they work and the plugin will let my domain users log in with their credentials.

[config screenshots: multildap1, multildap2]

philbertphotos commented 6 years ago

OK, don't use quotes in the schedule; that seems to throw it out of whack ...hence why it's displaying a negative date in 1970.

philbertphotos commented 6 years ago

For ldap servers, is "local" a real server name? Check my config [screenshot_36].

philbertphotos commented 6 years ago

Do you have debugging turned on?? How does the login log look (I need to expand the debugging)? If there is a login error it will show in the log as to why ...somewhat. [screenshot_37]

EBS-DarkD commented 6 years ago

Cleared out the quotes. We have over 40 domains amongst our various companies; our internal AD domain is .local to separate it from our external .org, .com and all the rest! First thing I turned on was the debugging but I've only been seeing log entries if I enter something wrong on the login. When the users get access denied, there is no error logged! I've restarted your plugin, will test over the next hour or so and feed back if anything changes.

EBS-DarkD commented 6 years ago

So we're still getting access denied for the users and it's still not syncing the users according to the LDAP sync results!!!

philbertphotos commented 6 years ago

Also, can you look at the PHP logs if any? If they get denied it's supposed to show all the domains that it tried authenticating to. It tries the first one then goes down the list.

If that does not work I will make a custom verbose debug version so we can find the problem if you are willing.

EBS-DarkD commented 6 years ago

I'll dig into the php logs and am more than happy to try a verbose debug. This is driving me scatty and is probably something stupid I've done during the install and config as it's been a mental few months in work and my brain has reached the frazzled state now!

EBS-DarkD commented 6 years ago

Don't be in too much of a rush with the verbose. I've just patched the server, had to shutdown as I needed to patch the host system and it seems to be working since the restart!?! I'm doing some testing now and will add in one of the other domains to see what happens.

Quick query, if you have the same username in two different domains, how does it get round that as I'm currently not using a domain identifier with the login?

philbertphotos commented 6 years ago

Yeah, that would be a problem but it's a simple enough patch to have it use the email address instead of the username.

EBS-DarkD commented 6 years ago

Please let me know what I need to change to use email as we have around 20 duplicate names over the different domains. Joys of working in this region!

philbertphotos commented 6 years ago

It strips the email part... for the username.

philbertphotos commented 6 years ago

In "auth.php" mark out line 512; marking it out should allow the userPrincipalName:

    function authenticate($username, $password = null) {
        if (!$password) {
            LdapMultiAuthPlugin::logger('info', 'auth (' . $username . ')', "");
            return null;
        }
        // check if they used their email to login.
        if (!filter_var($username, FILTER_VALIDATE_EMAIL) === false) {
            // Line 512, mark out:
            //$username = explode('@', $username) [0];
        }
        // ... rest of the function unchanged

Here is the thing: if the username that's the same in all domains is the same user, then you could leave it this way; else do the patch.

They would be john@local or john@local2
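As an added example (not code from the plugin or from either commenter), one way to keep the UPN suffix and route a login to a single configured domain, so that the same account name in two domains is never treated as one user; the `$domains` array and `resolveLoginDomain` are assumptions, not the plugin's own config or API:

```php
<?php
// Added example, not part of osticket-multildap-auth: decide which configured
// domain(s) a login should be tried against, so "john@local" and "john@local2"
// stay distinct instead of both collapsing to "john".
// Constructed $domains layout (assumption); keys are the UPN suffixes.
$domains = [
    'local'  => ['host' => 'dc1.siil.local', 'base' => 'DC=siil,DC=local'],
    'local2' => ['host' => 'dc1.local2',     'base' => 'DC=local2'],
];

/**
 * Returns ['user' => <account name>, 'domains' => [<suffixes to try>]] or
 * null when the login is malformed or names a domain that is not configured.
 * Note: PHP's FILTER_VALIDATE_EMAIL (used in auth.php) rejects dotless
 * domains such as "john@local", so this splits on '@' directly instead.
 */
function resolveLoginDomain(string $login, array $domains): ?array
{
    $login  = trim($login);
    $user   = $login;
    $suffix = null;

    if (strpos($login, '@') !== false) {           // UPN form: user@domain
        [$user, $suffix] = explode('@', $login, 2);
    } elseif (strpos($login, '\\') !== false) {    // NetBIOS form: DOMAIN\user
        [$suffix, $user] = explode('\\', $login, 2);
    }

    // Only plain account names are passed on, so nothing else can reach an
    // LDAP filter such as (sAMAccountName={q}).
    if ($user === '' || preg_match('/[^A-Za-z0-9._-]/', $user)) {
        return null;
    }

    if ($suffix === null) {
        // Bare username: every configured domain is a candidate; the caller
        // should treat more than one successful bind as a collision, not a login.
        return ['user' => $user, 'domains' => array_keys($domains)];
    }

    $suffix = strtolower($suffix);
    if (!isset($domains[$suffix])) {
        return null;          // unknown domain: do not silently try all of them
    }
    return ['user' => $user, 'domains' => [$suffix]];
}

// Constructed sample logins
print_r(resolveLoginDomain('john@local2', $domains));
print_r(resolveLoginDomain('SIIL\\john', $domains));
print_r(resolveLoginDomain('john', $domains));
```

With this, a bare `john` is still ambiguous across domains, but `john@local` and `john@local2` are bound against their own domain only.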

EBS-DarkD commented 6 years ago

I've lost the LDAP sync errors in the logs but I'm now seeing this:

Invalid CSRF Token CSRFToken Invalid CSRF token [ca8e76edc5821916fbdf60526f42aa398f0086bc] on https://support.***.com:443/login.php

Log Date: Wednesday, August 23, 2017 at 10:46 AM

The users are getting a 500 page?

philbertphotos commented 6 years ago

That is strange. Anything in helpdesk log?

EBS-DarkD commented 6 years ago

The log is not being very helpful, and neither are the system logs!

I've got things working for one of my child domains by doing a manual import of the users from an AD dump, marked them all as 'registered' and once they click on the link in the activation email, they can log in using their email and password. Even had some of the maniacs raising tickets this morning!

It seems to be struggling with the adding of new users from another domain. If you do that for it, it works from that point on.

If you want to do some further digging on this, we're not live with this yet and I'm happy to modify, tweak and test code. Just bear in mind that they're calling Eid al-Adha this weekend so I may not be sober much / quick to respond over the next 5 days! I've been piling in some serious hours and need a bit of downtime!!

philbertphotos commented 6 years ago

Going over the issue and this one seems to still be open ...do you still need help with this?