LDAP LoginShare working Too Well (not authenticating)

[lacinda]

I am having a problem with the ActiveDirectory/LDAP authentication LoginShare piece.

Here's the problem: there is no authentication. Anyone can log in to my kayako site with a valid username and any password. Binding to the directory server is successful; if the username is found in the LDAP directory, it pulls back the displayName and email address from the LDAP directory to create the account, but it doesn't actually check if the password matches.

I believe that this behavior is because the global ldap directory on campus allows anonymous binding by machines in the domain. So simply being able to bind to the ldap directory does not mean that the user is authenticated.

I have submitted a support request, and am looking at the code, but thought someone here might have an easy fix.

Thanks in advance,
Lacinda

[lacinda]

We have not been reported any such issue with the default LDAP settings. Have you modified the default LoginShare script or any other known changes in the system? Moreover, we will not be able to assist you in details regarding this issue as the LoginShare scripts are shared by the clients and not created by Kayako itself. So, I would recommend you to refer Kayako community forums for more help.

This exact issue was mentioned in September 2007.

Like the previous poster, the only change I made to the LoginShare script was to replace samaccountname with my identifier (uid) as suggested by this knowledge base article.

This issue makes Kayako completely unusable in my environment. I'm a happy camper!

[lacinda]

I've written an ldap authentication function that actually verifies the username and password against ldap in those cases where anonymous binding is allowed. It works for my purposes. if you need it, drop me a message.

[Jamie Edwards]

Hi lacinda,

Great to know you have solved your issue and have written your script. If you'd like to attach it here, many would be grateful.

[Mr John]

I'm one of the many who would be grateful.
I got the same problem, LDAP finds valid usernames but I have no password validation.
If you have a script to help this problem please share.
Thanks

[lacinda]

I did not take the time to make it grab settings from the ldap loginshare config page, so you’ll need to make 3 changes in the file (search for xxx)

There are still one main problem I am having, that is I have set up a mail parser which checks an email account for help tickets. If a user submits an email ticket without having previously logged in to the web w/ LDAP credentials, an account is created for them which assigns a random password. If the user then tries to authenticate into the web interface (through LDAP, although I believe this has been documented w/ other LoginShare modules), they are unable to log in because their LDAP password does not match the kayako password of the automatically created account. More of an inconvenience than anything – the kayako-created account can be deleted, then they can log in and all future emails are parsed correctly. I haven’t looked at it in any detail, though. Maybe someone else can help.

[Mr John]

Thanks lacinda, have taken your file away to study