Comments, Questions & Feedback Non product related discussion, feedback and questions about Kayako.

  (#1) Old
ZeroIQ Offline
New Member
 
Posts: 1
Join Date: Jul 2007
So I asked for some help concerning LDAP - 10-07-2007, 08:08 PM

Have a gander at the transcript. Nothing has been changed except for my name. This took ~1 hour and 30 minutes.


Quote:

You are now chatting with Rohit Khatri (Support (General))

Rohit Khatri: Hi, how can I help you?
ZeroIQ: I am working on setting up eSupport to work with LDAP on active directory and am having a little trouble
ZeroIQ: I would like to know what needs to go into the "Base DN" and "RDN" input boxes.
ZeroIQ: And how to test to be sure we can query active directory
Rohit Khatri: Please refer at http://docs.kayako.net
ZeroIQ: I was unable to find LDAP information in the SupportSuite user manual (the windows help format version)
Rohit Khatri: Please wait
Rohit Khatri: First of all, you need to make sure your php is compiled with the LDAP option. To check this, create a file in your webserver root named phpinfo.php. In this file put the following. go to your webserver http://webserver.domain.com/phpinfo.php You should see something like this.

ldap
LDAP Support enabled
RCS Version $Id: ldap.c,v 1.154.2.2 2005/01/19 00:27:42 sniper Exp $
Total Links 0/unlimited
API Version 3001
Vendor Name OpenLDAP
Vendor Version 20223

Next thing to consider is where your webserver is in relation to your AD. If you have your webserver in a DMZ, and it is not on the same network as your AD, you will have to open a connection on your firewall between the webserver and the AD server. You will want to open port 389 that is the default LDAP port.

Next you will want to configure Loginshare.
login to your Kayako as the admin user.
Click on Templates in the left pane.
Click on LoginShare
Click on Microsoft Active Directory
Enter your AD hostname or IP address. (I had to use IP, because my host would not resolve)
Enter port number. 389 is default.
Enter base DN. (this part may be tricky, but by default it is your domainname and com I.E. DC=yourdomain, DC=com (this is the user DN, so you can be more specific if you like such as CN=users, DC=domain, DC=com and point directly to the container that holds your users. You can use something like LDP to find this if needed, but for testing I would enter the higher level DN first, and granulate it later for better performance.
Next you enter the user with permissions to read the directory such as CN=administrator, CN=users, DC=domain, DC=com
Next enter the password for this user. Note: the password stays here in clear text. I do not like this, but I'm not sure how to get around it. Hopefully with the php encryption the password is somewhat protected in the files.
Next you can test it out by logging in as a domain user.

Note: if you already have a user that you manually entered in with the same username, you will need to delete it first, or the login will fail. Note: admin and staff users must be entered manually. You cannot use AD authentication for admin and staff users.
ZeroIQ: I have already read that.
Rohit Khatri: IMPORTANT: With ActiveDirectory you might need to change "samaccountname" to "userPrincipalName" in includes/LoginShare/activedirectorylogin.php to get the authentication to work.
ZeroIQ: ok, I've read that
ZeroIQ: I would like to know what needs to go into the "Base DN" and "RDN" input boxes. AND how to test to be sure we can query active directory
Rohit Khatri: Ok
ZeroIQ: It's not very specific
ZeroIQ: I assume Base DN: domain.local correct?
ZeroIQ: Mostly, I'm unsure of RDN.
ZeroIQ: Hello?
ZeroIQ: Hello?
Rohit Khatri: Please wait
Rohit Khatri: Well, I am not sure about the details. Please see the AD details and you need to find the details there.
ZeroIQ: You have been such a great help. Who is your supervisor?
Rohit Khatri: Please wait i will transfer you to him
Raghav Arora: Hi, how can I help you?
ZeroIQ: Rohit was unable to answer my questions, and basically told me to just keep looking instead of offering me a solution such as sending me to someone who could help me.
Raghav Arora: Please let me know the question you have.
ZeroIQ: I would like to know what needs to go into the "Base DN" and "RDN" input boxes and how to test to be sure we can query active directory
ZeroIQ: I have found this post in the forums: Active directory integration
ZeroIQ: and I have mine set what appears to be correctly, and still, anytime I try to login I get an invalid username/password
Raghav Arora: Please wait.
ZeroIQ: How long do you suppose I should wait?
Raghav Arora: Well, I am looking for the details.
Raghav Arora: Please give me some more time.
ZeroIQ: ok
Raghav Arora: Please refer to this:
Raghav Arora: http://www.ldapman.org/articles/intro_to_ldap.html
ZeroIQ: cn=Oatmeal Deluxe,ou=recipes,dc=foobar,dc=com
ZeroIQ: ok. say my username is in the Organizational Unit (OU) of Administrators, and I wanted my username to be used to connect to the AD LDAP server
ZeroIQ: would I put cn=username,ou=Administrators,dc=fife,dc=local
ZeroIQ: would I leave any of it out?
ZeroIQ: There are a ton of variables there, maybe you can tell me what your program is looking for.
ZeroIQ: Do I need to specify the OU?
Raghav Arora: Are you there?
ZeroIQ: Yes
ZeroIQ: ZeroIQ: cn=Oatmeal Deluxe,ou=recipes,dc=foobar,dc=com
ZeroIQ: ok. say my username is in the Organizational Unit (OU) of Administrators, and I wanted my username to be used to connect to the AD LDAP server
ZeroIQ: would I put cn=username,ou=Administrators,dc=fife,dc=local
ZeroIQ: would I leave any of it out?
ZeroIQ: There are a ton of variables there, maybe you can tell me what your program is looking for.
ZeroIQ: Do I need to specify the OU?
ZeroIQ: Hello?
ZeroIQ: Ok. I am now connecting ok to my active directory
ZeroIQ: however, when I log in, it tells me that my username and password are incorrect
ZeroIQ: but I looked at the logs, it tells me it has connected and bound to the server
ZeroIQ: HELLO?
ZeroIQ: This is completely ridiculous

Rohit Khatri has left the chat conversation



Last edited by ZeroIQ; 10-07-2007 at 08:11 PM.
   
  (#2) Old
Jamie Edwards Offline
Operations Manager
 
Jamie Edwards's Avatar
 
Posts: 5,256
Join Date: Jan 2006
Location: United Kingdom
10-07-2007, 08:22 PM

Hi and welcome to the forums, despite me wishing it could be on better terms!

I am very sorry for the length of time taken for you to receive the non-help as you've shown in the transcript. Unfortunately, Rohit was dealing with a number of chats at that time which is why each reply of his was delayed.

Even more unfortunately, Raghav's connection dropped and the chat was not reconnected afterwards, which is why you received no response.

However, Raghav was preparing an e-mail to send to you with information on LDAP.

With the amount of information that needed to be collected and communicated with regards to your query, I'd advise that submitting a ticket would have been a better choice of action (so you yourself have a record of it as well).


Jamie Edwards (jamie.edwards ]at[ kayako.com)
----------------------------------------------------------------
---
  • Submit bug reports here.
  • Submit support tickets via the members area.
  • Submit sales queries either via live chat or via e-mail.
  • There is no official ETA on Version 4.
  • This is not an official support forum - submit a support ticket.
   
  (#3) Old
craigbrass Offline
Senior Member
 
Posts: 5,552
Join Date: Jun 2005
Location: Cumbria, UK
10-07-2007, 08:25 PM

For more complicated problems, tickets are better I find. Live Support is nice for quick issues though like changing a licenced domain.

The problem is the rep is dealing with maybe 2-3 customers at once and if they get to doing a lot for one person they are talking to, the other two are kept waiting.


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)

Icon Headquarters - Its Elixir - Web2Messenger
   
  (#4) Old
craigbrass Offline
Senior Member
 
Posts: 5,552
Join Date: Jun 2005
Location: Cumbria, UK
10-07-2007, 08:26 PM

Looks like you beat me to it Jamie!


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)

  (#5) Old
sureshkumar.mr Offline
Member
 
Posts: 149
Join Date: May 2006
12-07-2007, 02:21 PM

First learn to accept your mistakes.

-----------------------------------
Quote:
Originally Posted by Jamie Edwards View Post
Raghav's connection dropped and the chat was not reconnected afterwards, which is why you received no response.
If the connection is lost how can the below message appear.
Quote:
Originally Posted by ZeroIQ View Post
Rohit Khatri has left the chat conversation
-----------------------------------


-----------------------------------
Quote:
Originally Posted by Jamie Edwards View Post
Raghav was preparing an e-mail to send to you with information on LDAP.
Raghav should have sent a mail immediately, it is not preparing an e-mail after the issue is raised by ZeroIQ in the forums.
-----------------------------------

-----------------------------------
Quote:
Originally Posted by Jamie Edwards View Post
With the amount of information that needed to be collected and communicated with regards to your query
How much time you need to provide information for two fields (Base DN and RDN). At least they could have requested him to open a ticket.
-----------------------------------

Sometimes I doubt whether these guys are the real developers of Kayako products.
   
  (#6) Old
craigbrass Offline
Senior Member
 
Posts: 5,552
Join Date: Jun 2005
Location: Cumbria, UK
12-07-2007, 02:22 PM

Doesn't it assume they have left the convo when the WinApp doesn't connect to the server? That's the way I thought it worked...


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)

  (#7) Old
Sheep Offline
Member
 
Sheep's Avatar
 
Posts: 345
Join Date: Feb 2007
Location: Lyon, France
12-07-2007, 02:33 PM

Quote:
If the connection is lost how can the below message appear.
It's called timeout drop


Antoine "Sheep" BERMON
-- Lurking around there --
   
  (#8) Old
Jamie Edwards Offline
Operations Manager
 
Jamie Edwards's Avatar
 
Posts: 5,256
Join Date: Jan 2006
Location: United Kingdom
12-07-2007, 02:40 PM

Suresh, your "Customer Service 101s" are appreciated as always. However, sometimes I do feel that you browse these forums only to add fuel to a fire where you can find one, which does not come appreciated. Mistakes sometimes happen.

Quote:
If the connection is lost how can the below message appear.
We're unsure why the message is not displaying - it is something we are looking into. In this case the reason why the message did not appear is that the timeouts on either end had not yet expired.

Quote:
Raghav should have sent a mail immediately, it is not preparing an e-mail after the issue is raised by ZeroIQ in the forums.
Raghav was preparing the e-mail before the issue was raised on the forums (when Raghav stopped receiving a response from ZeroIQ).

Quote:
How much time you need to provide information for two fields (Base DN and RDN). At least they could have requested him to open a ticket.
It is something Raghav needed to look up, which is why it took time.


Jamie Edwards (jamie.edwards ]at[ kayako.com)
  (#9) Old
supportskins Offline
Senior Member
 
supportskins's Avatar
 
Posts: 3,681
Join Date: Aug 2006
Location: Mumbai, India
12-07-2007, 04:03 PM

I do not believe all support techs are comfortable solving LDAP issues. It would be a good idea to create a support ticket which in most cases would be forwarded to the developers who will assist you with the issue. I believe support department will assist you in solving issues you might be having with the software. Answering development questions would be out of their scope.



Professional and Affordable Kayako Skins - Specialists in Kayako Skinning & Customization - Professional Paid Support
Our Skins and Services - http://www.supportskins.com/store/
SupportSkins.com - http://www.supportskins.com/
   
  (#10) Old
tejohnson Offline
New Member
 
Posts: 2
Join Date: Jul 2007
24-07-2007, 03:51 AM

I do find this a bit curious. Not to be critical of the developers, or the support personnel, but the configuration of the plugin *is* a bit misleading. The term RDN is for "Relative Distinguished Name". I believe the configuration requires the FQDN of an account that has "read" access to the part of the Directory Information Tree (DIT) you specified in the "Base DN" value. (i.e.,

Active Directory Host: ad.corp.com
Port (Default: 389): 389
Base DN: dc=corp,dc=com
RDN [sic]: cn=Administrator,ou=Users,dc=corp,dc=com
Password: ******** [This _Should_ be masked, please fix]
)

Given the example above the host and port are obvious. For the Base DN, if you make this the actual base suffix of your directory, the entire directory will be searched. If you want to only search "ou=Users,dc=corp,dc=com" consider setting the "Base DN" to "ou=Users,dc=corp,dc=com". As for the field "RDN", it should be termed "FQDN". If the above were to actually be the "RDN", then the value would be "cn=Administrator".

The password is also obvious, but for some reason in the form, the password is not a password input type (i.e., not masked). This should be fixed ASAP.

The DN and Password that is configured in this plugin is to simply search the directory for the email supplied to the user. Once it finds the user's directory entry, it takes the FQDN of the user and the password supplied by the end user and attempts a "bind" to the directory (i.e., the plugin tries to log in as that user). If the bind succeeds, then they (the user) are authenticated.

It would take little work to re-write this plugin to add support for OpenLDAP, Sun Java Directory Server, and *other* directory servers as well. But, I agree, the documentation for this is.... sparse.

Last edited by tejohnson; 24-07-2007 at 03:56 AM. Reason: clarification
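
An added example, not part of tejohnson's post and not Kayako's plugin code: the Base DN versus "RDN" field distinction and the search-then-bind login described in post #10, written as pure Python checks that need no directory server. The `mail` search attribute and every function name are assumptions made for the illustration.

```python
# RFC 4515 escapes for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def split_dn(dn):
    """Split a DN into RDN components on unescaped commas."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep an escaped pair such as "\," intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return [p for p in parts if p]

def dns_to_base_dn(domain):
    """domain.local -> dc=domain,dc=local (the usual AD naming convention)."""
    return ",".join("dc=" + label for label in domain.strip(".").split("."))

def check_config(base_dn, bind_dn):
    """Return a list of problems with the 'Base DN' and 'RDN' form fields."""
    problems = []
    if "=" not in base_dn:
        problems.append("Base DN is a DNS name; try " + dns_to_base_dn(base_dn))
    if len(split_dn(bind_dn)) < 2:
        problems.append("'RDN' field holds a bare RDN; it needs the account's full DN")
    return problems

def search_filter(email):
    """Step 1 filter: look the user up by mail (assumed attribute), input escaped."""
    return "(mail=" + "".join(_FILTER_ESCAPES.get(c, c) for c in email) + ")"

def dn_for_user_bind(found_dns, password):
    """Step 2 gate: return the DN to bind as, or None to refuse the login."""
    if not password:          # DN + empty password is an unauthenticated bind,
        return None           # which a server may report as success
    if len(found_dns) != 1:   # zero or ambiguous matches: refuse
        return None
    return found_dns[0]
```

The first element of `split_dn("cn=Administrator,ou=Users,dc=corp,dc=com")` is `cn=Administrator`, which is the actual RDN the post refers to; the form field wants the whole string.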
   
  (#11) Old
craigbrass Offline
Senior Member
 
Posts: 5,552
Join Date: Jun 2005
Location: Cumbria, UK
24-07-2007, 09:10 AM

You should submit this in the feature requests board (http://forums.kayako.com/f63/) so the developers notice it when they have their meeting about V4.


Craig Brass - Kayako Forum Squatter (Note: I am NOT a staff member)
