Free Kayako eSupport and Novell eDirectory

[ph0rse]

I was able to get Kayako to authenticate against Novell eDirectory with very little work and I thought I'd share my results.

I use OES Linux and so I don't know if everything is the same if one runs pure Netware, but I assume so.

There are 3 required attributes that are required to be in your LDAP-eDirectory attribute map:

One is 'mail' which is included in the map by default and will be populated as long as you have filled in your email field in eDirectory for each user.

The second is 'displayName' which will need to be manually created. In iManager click LDAP, then click on LDAP Options. Click on the LDAP group for the tree you wish to use for authentication. At the dropdown box on the top, select Attribute Map. Click the "+" button on the right hand side of the map listings. For eDirectory Attribute select "Full Name" and for Primary LDAP Attribute type in "displayName". Click OK and then click Apply to save the changes.

The third attribute is 'sAMAccountName' which is basically just your user ID. I could not find an attribute that was not already used in eDirectory and so I just made a very small patch to make LoginShare grab a different value from eDirectory. Here is the patch:

Code:

--- includes/LoginShare/activedirectory.login.php.orig  2007-07-18 16:12:48.000000000 -0400
+++ includes/LoginShare/activedirectory.login.php       2007-07-18 15:49:29.000000000 -0400
@@ -73,7 +73,7 @@
        }
 
        // By now we should have binded with the server
-       $_ldapresults = ldap_search($_connection, $_loginshare["adbasedn"], "(&(samaccountname=" . trim(preg_replace( "/[^a-zA-Z0-9\-\_@\.]/", "" , $username)) . "))", array("samaccountname", "proxyAddresses", "mail", "distinguishedname", "displayName"), 0, 0, 10);
+       $_ldapresults = ldap_search($_connection, $_loginshare["adbasedn"], "(&(cn=" . trim(preg_replace( "/[^a-zA-Z0-9\-\_@\.]/", "" , $username)) . "))", array("cn", "proxyAddresses", "mail", "distinguishedname", "displayName"), 0, 0, 10);
        if (!$_ldapresults)
        {
                return false;
@@ -91,7 +91,7 @@
 
        // By now we should have the user details
        $_fullname = $_results[0]["displayname"][0];
-       $_username = $_results[0]["samaccountname"][0];
+       $_username = $_results[0]["cn"][0];
        $_distinguishedname = $_results[0]["distinguishedname"][0];
        $_maillist = array();
        if (!empty($_results[0]["mail"][0]))

Now all that is left to do is login into the helpdesk as admin and configure the helpdesk to use "Active Directory/LDAP" or "Active Directory/LDAP SSL" as the login method. You can use your eDirectory credentials such as:

Base DN: ou=MyCorp,o=MyTree
RDN: cn=admin,o=MyTree

Let me know how it works out for you.

[jgodfrey]

Has anyone tested with this recently? Has anyone else been able to get this to work with the newer releases of Novell and with Kayako?

Thanks for your help with this.

[koltzc]

Doesn't look like it works now because the file is encrypted. Is there anyway to get an unencrypted version of activedirectory.login.php so we can make this modification, or is maybe standard LDAP support in the works. I honestly find it strange that AD is implemented which is really a closed architecture while LDAP in general isn't directly supported. To be honest, all that is needed to make the changes is instead of using Microsoft's LDAP naming conventions, either let users type them in or have a pull-down that allows them to select certain system.

[koltzc]

Ok, well just an update. I requested an unencrypted file and was promptly supplied with one (Thanks Kayako). Anyway, most of the code above works, except that there are couple other changes that need to be done so it pulls the name from eDirectory also. If Kayako doesn't mind, I can post the full file to replace, but since it is copyright, they would need to approve it. I sent them an email though mentioning all they really need to make this full LDAP compliant with any system is add three fields to the LoginShare/LDAP/AD that requests the user to enter the Username Directory Name, Full Name, and DisplayName. Then the user can enter it themselves. Otherwise with my info, they could have a pull-down menu that allows them to choose either Active Directory or eDirectory.

[jgodfrey]

Koltzc, were you able to post the changes that you made to the file? I would be very interested in seeing the adjustments that you made.

Thank you in advance for your help with this.

[koltzc]

Nobody responded on if I could or couldn't. It isn't working out perfectly. It isn't allowing certain people in different groups to be able to login. Not sure why because there wasn't any groups for it to sync to. Also, when the initial LDAP sync is done, it isn't copying over the name properly. Not sure if this is a Kayako problem or a Novell problem. Though at least the majority of it is working.