Installation & Upgrading Questions and issues regarding the installation and upgrade procedure of SupportSuite, eSupport and LiveResponse.

  (#106) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
04-05-2006, 09:10 AM

Wondering if anyone else has had the following problem and has any ideas.

I have followed through everything on this thread (I think) that relates to a W2K and IIS install. However, when I turn on AD authentication and I try and login as a user, I get a blank IE page. I don't get any errors, and it does not matter what I enter as the username and password; any junk will get me the same result. As soon as I switch it back to "SupportSuite Login Routine" it works as you would expect.

I obviously have something wrong... any ideas?

Running 3.00.32 of SupportSuite.
   
  (#107) Old
jaga Offline
Member
 
Posts: 51
Join Date: Nov 2005
openldap/fedora-ds compatibility - 10-05-2006, 07:50 PM

It took a few minutes to get things going, but now I have SupportSuite authenticating users against a Fedora Directory Server setup. Here is the patch I needed to make:

Code:
--- supportsuite/includes/LoginShare/activedirectory.login.php.orig     2006-05-09 23:43:26.000000000 -0400
+++ supportsuite/includes/LoginShare/activedirectory.login.php  2006-05-11 12:06:51.000000000 -0400
@@ -73,7 +73,7 @@
        }

        // By now we should have binded with the server
-       $_ldapresults = ldap_search($_connection, $_loginshare["adbasedn"], "(&(samaccountname=" . trim(preg_replace( "/[^a-zA-Z0-9\-\_@\.]/", "" , $
username)) . "))", array("samaccountname", "proxyAddresses", "mail", "distinguishedname", "displayName"), 0, 0, 10);
+       $_ldapresults = ldap_search($_connection, $_loginshare["adbasedn"], "(&(uid=" . trim(preg_replace( "/[^a-zA-Z0-9\-\_@\.]/", "" , $username))
. "))", array("uid", "mail", "mail", "distinguishedname", "cn"), 0, 0, 10);
        if (!$_ldapresults)
        {
                return false;
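
Review bot: In the new ldap_search call the login attribute is hard-coded to "uid", so after this change a file named activedirectory.login.php no longer matches Active Directory accounts on "samaccountname"; read the attribute name from $_loginshare, the way "adbasedn" already is, so one file serves both directories. The attribute array also lists "mail" twice and still requests "distinguishedname", which the next hunk stops reading in favour of "dn"; array("uid", "mail", "cn") states what is actually used. The preg_replace on $username is carried over unchanged, which is right: it is what keeps "(", ")" and "*" out of the filter.
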
@@ -90,9 +90,9 @@
        ldap_close($_connection);

        // By now we should have the user details
-       $_fullname = $_results[0]["displayname"][0];
-       $_username = $_results[0]["samaccountname"][0];
-       $_distinguishedname = $_results[0]["distinguishedname"][0];
+       $_fullname = $_results[0]["cn"][0];
+       $_username = $_results[0]["uid"][0];
+       $_distinguishedname = $_results[0]["dn"];
        $_maillist = array();
        if (!empty($_results[0]["mail"][0]))
        {
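
Review bot: $_results[0]["dn"] becomes the identity for the later user bind, yet nothing in the visible context checks that the search returned exactly one entry, and the search in the previous hunk allows up to 10. If that is not already verified above this hunk, test $_results["count"] and fail the login unless it is 1, so an ambiguous "uid" never silently selects the first match. Reading "dn" without a [0] index is correct, assuming $_results comes from ldap_get_entries(), which returns the DN as a plain string.
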
@@ -141,16 +141,21 @@
 //             echo "Failed to set Protocol Version<BR />";
        }

+       if (!ldap_start_tls($_connection))
+       {
+//             echo "Failed to start TLS <BR />";
+       }
+
+
        if (!ldap_set_option($_connection, LDAP_OPT_REFERRALS, 0))
        {
 //             echo "Failed to set Referrals<BR />";
        }
-
        $_userbindstatus = false;
        if (@ldap_bind($_connection, $_distinguishedname, $password))
        {
                $_userbindstatus = true;
-//             echo "User Binded to: ".$_loginshare["adrdn"].", PASS: ".$_loginshare["adpassword"]."<BR />";
+               // echo "User Binded to: ".$_distinguishedname.", PASS: ".$password."<BR />";
        }

        if (!$_userbindstatus)
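
Review bot: The failure branch of the new ldap_start_tls() check is empty apart from a commented-out echo, so when StartTLS fails execution continues to @ldap_bind($_connection, $_distinguishedname, $password) and the user's password is sent over an unencrypted connection; close the connection and fail the login in that branch instead. The replacement debug line now interpolates $password, so uncommenting it would print the user's password into the page; drop the "PASS:" part. The hunk also removes the blank line before $_userbindstatus = false; and adds two after the TLS block, which is unrelated whitespace churn.
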
@@ -272,4 +277,4 @@

        return $forms;
 }
-?>
\ No newline at end of file
+?>
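
Review bot: The only change in this hunk is a newline after the closing "?>"; for an include file it is cleaner to drop the closing tag altogether, so that no whitespace after it can ever be sent as output before headers.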

Last edited by jaga; 11-05-2006 at 05:11 PM. Reason: reverse order of patch, and added TLS
   
  (#108) Old
AKL-MFCU Offline
Member
 
Posts: 146
Join Date: Feb 2006
Location: Lakeland, Florida - USA
Can we make a manual of this? - 20-05-2006, 06:22 PM

I figure there has to be a large number of people who use LDAP authentication against Active Directory for their users. It also seems to be the one thing people have the hardest time setting up at first, but once there it is a beautiful and seamless process. I figure, if anyone volunteers (or if no one else does, I will eventually), let's compile the useful tips and instructions of this forum data into a PDF for Kayako to give out on this.
   
  (#109) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
22-05-2006, 08:45 AM

I have narrowed down my problem to not being able to get LDAP support working with PHP. I have no idea why. As far as I can tell I have made the correct changes to the php.ini file as well as made sure the dll is in the extensions directory.

This is on a W2K3, with IIS 6, PHP 4.4.2. I know that in the phpinfo file I should see LDAP support enabled, but I don't.

Any ideas ?

Mark.
   
  (#110) Old
AKL-MFCU Offline
Member
 
Posts: 146
Join Date: Feb 2006
Location: Lakeland, Florida - USA
post your extensions - 22-05-2006, 09:46 PM

Can you post the extensions part of your ini file, as well as your phpinfo file? I'll be glad to take a look at it.
   
  (#111) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
23-05-2006, 12:46 AM

Thanks AKL-MFCU.

Here is the ini file.

Code:
; Directory in which the loadable extensions (modules) reside.
extension_dir = "C:\php\extensions"

; Whether or not to enable the dl() function.  The dl() function does NOT work
; properly in multithreaded servers, such as IIS or Zeus, and is automatically
; disabled on them.
enable_dl = On

; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers.  Left undefined, PHP turns this on by default.  You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; cgi.force_redirect = 1

; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
; every request.
; cgi.nph = 1

; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape 
; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
; will look for to know it is OK to continue execution.  Setting this variable MAY
; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
; cgi.redirect_status_env = ;

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix it's paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is zero.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; cgi.fix_pathinfo=1

; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
; security tokens of the calling client.  This allows IIS to define the
; security context that the request runs under.  mod_fastcgi under Apache
; does not currently support this feature (03/17/2002)
; Set to 1 if running under IIS.  Default is zero.
; fastcgi.impersonate = 1;

; Disable logging through FastCGI connection
; fastcgi.log = 0

; cgi.rfc2616_headers configuration option tells PHP what type of headers to
; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
; is supported by Apache. When this option is set to 1 PHP will send
; RFC2616 compliant header.
; Default is zero.
;cgi.rfc2616_headers = 0 


;;;;;;;;;;;;;;;;
; File Uploads ;
;;;;;;;;;;;;;;;;

; Whether to allow HTTP file uploads.
file_uploads = On

; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
upload_tmp_dir = c:\TEMP

; Maximum allowed size for uploaded files.
upload_max_filesize = 32M


;;;;;;;;;;;;;;;;;;
; Fopen wrappers ;
;;;;;;;;;;;;;;;;;;

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

; Define the anonymous ftp password (your email address)
;from="john@doe.com"

; Define the user agent for php to send
;user_agent="PHP"

; Default timeout for socket based streams (seconds)
default_socket_timeout = 60

; If your scripts have to deal with files from Macintosh systems,
; or you are running on a Mac and need to deal with files from
; unix or win32 systems, setting this flag will cause PHP to
; automatically detect the EOL character in those files so that
; fgets() and file() will work regardless of the source of the file.
; auto_detect_line_endings = Off


;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
;
; If you wish to have an extension loaded automatically, use the following
; syntax:
;
;   extension=modulename.extension
;
; For example, on Windows:
;
;   extension=msql.dll
;
; ... or under UNIX:
;
;   extension=msql.so
;
; Note that it should be the name of the module only; no directory information 
; needs to go here.  Specify the location of the extension with the
; extension_dir directive above.


;Windows Extensions
;Note that MySQL and ODBC support is now built in, so no dll is needed for it.
;
extension=php_pspell.dll
;extension=php_mbstring.dll
;extension=php_bz2.dll
;extension=php_cpdf.dll
;extension=php_crack.dll
;extension=php_curl.dll
;extension=php_db.dll
;extension=php_dba.dll
;extension=php_dbase.dll
;extension=php_dbx.dll
;extension=php_domxml.dll
;extension=php_exif.dll
;extension=php_fdf.dll
;extension=php_filepro.dll
;extension=php_gd2.dll
;extension=php_gettext.dll
;extension=php_hyperwave.dll
;extension=php_iconv.dll
;extension=php_ifx.dll
;extension=php_iisfunc.dll
extension=php_imap.dll
;extension=php_interbase.dll
;extension=php_java.dll
extension=php_ldap.dll
;extension=php_mcrypt.dll
;extension=php_mhash.dll
;extension=php_mime_magic.dll
;extension=php_ming.dll
;extension=php_mssql.dll
;extension=php_msql.dll
;extension=php_oci8.dll
;extension=php_openssl.dll
;extension=php_oracle.dll
;extension=php_pdf.dll
;extension=php_pgsql.dll
;extension=php_printer.dll
;extension=php_shmop.dll
;extension=php_snmp.dll
;extension=php_sockets.dll
;extension=php_sybase_ct.dll
;extension=php_w32api.dll
;extension=php_xmlrpc.dll
;extension=php_xslt.dll
;extension=php_yaz.dll
;extension=php_zip.dll

Here is a link to the phpinfo file.
http://pasupport.pa.com.au/test/test.php

Thanks.
Mark.
   
  (#112) Old
AKL-MFCU Offline
Member
 
Posts: 146
Join Date: Feb 2006
Location: Lakeland, Florida - USA
things to change - 23-05-2006, 02:50 AM

; cgi.force_redirect is necessary to provide security running PHP as a CGI under
; most web servers. Left undefined, PHP turns this on by default. You can
; turn it off here AT YOUR OWN RISK
; **You CAN safely turn this off for IIS, in fact, you MUST.**
; cgi.force_redirect = 1

Make sure to turn this off; it won't do well with IIS.

Uncomment php_iisfunc.

Any chance you can take a screenshot of your extensions directory so I can see if the right files are there?

This is something PHP references for Win32 users:
Note to Win32 Users: In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32, or C:\WINDOWS\SYSTEM). For PHP <= 4.2.0 copy libsasl.dll, for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder.
   
  (#113) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
23-05-2006, 05:41 AM

Quote:
Originally Posted by AKL-MFCU
;
this is something php references for win32 users:
Note to Win32 Users: In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32, or C:\WINDOWS\SYSTEM). For PHP <= 4.2.0 copy libsasl.dll, for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder.
I copied libeay32.dll and ssleay32.dll to the windows\system32 directory, reset iis and now LDAP is enabled !!!!

I also uncommented the php_iisfunc dll in the php.ini file.

Thanks heaps for your help AKL-MFCU. I will now test AD integration and see what happens.

Mark.
   
  (#114) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
It works !!! - 23-05-2006, 06:06 AM

WhoooHoooo. AD integration is working !!!!

I end up with 2 email addresses being imported, but I think I can sort that out.

Thanks everyone for your help (on this thread and others).

Mark
   
  (#115) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
23-05-2006, 09:20 AM

Now the initial excitement of getting AD working has died down and I am now testing it, I have another question.

We have a security policy that forces everyone to change their password every 90 days. Since AD integration imports from AD into SupportSuite, I am assuming it never goes back to AD to authenticate. This will mean that once the user changes their password in AD it will not be changed in SupportSuite and we will be back to having to remember 2 passwords! Is this correct ?

Mark.
   
  (#116) Old
AKL-MFCU Offline
Member
 
Posts: 146
Join Date: Feb 2006
Location: Lakeland, Florida - USA
Incorrect - 23-05-2006, 06:08 PM

Every time a user attempts to login, it bounces against the LDAP connection to check for username and password. If you delete a person in LDAP, it may show in SupportSuite but they cannot login. If they use the remember me password, it will save the old password and not work if they had changed it in Active Directory. They'll just have to use their Windows username and password 24/7 to get into the site. It's an actual authentication method they built in, not an import tool. I'm glad I got you started and I hope you enjoy the AD integration, I sure did.
   
Reply With Quote
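
The per-login check described in post #116, written out as a search-then-bind in PHP. This is an added example, not SupportSuite's code and not part of the original posts; the function name, host, DNs and service account are hypothetical, and it assumes PHP 7+ with the ldap extension loaded.

```php
<?php
// Added example, not SupportSuite code. Function name, host, DNs and the
// service account are hypothetical; requires PHP 7+ with the ldap extension.

function ldap_login_check(array $cfg, string $username, string $password): bool
{
    // An empty password makes ldap_bind() an unauthenticated bind, which many
    // directories accept, so reject it before talking to the server.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($cfg['uri']);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Fail closed: without TLS no credentials are sent at all.
    if (!@ldap_start_tls($conn)) {
        return false;
    }
    // Service-account bind, used only to find the user's DN.
    if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])) {
        return false;
    }
    // Escape the login name for filter context; ask for at most 2 entries so
    // an ambiguous match is detectable.
    $filter = sprintf('(%s=%s)', $cfg['login_attr'],
        ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $search = @ldap_search($conn, $cfg['base_dn'], $filter, ['cn', 'mail'], 0, 2);
    if (!$search || ldap_count_entries($conn, $search) !== 1) {
        return false;
    }
    $entries = ldap_get_entries($conn, $search);

    // The actual password check: re-bind as the user on every login, so a
    // password changed or an account deleted in the directory takes effect
    // immediately.
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok;
}

// Constructed settings: login_attr is 'sAMAccountName' for Active Directory,
// 'uid' for OpenLDAP / Fedora Directory Server.
$cfg = [
    'uri'        => 'ldap://ldap.example.com',
    'base_dn'    => 'dc=example,dc=com',
    'bind_dn'    => 'cn=svc-helpdesk,dc=example,dc=com',
    'bind_pw'    => (string) getenv('LDAP_BIND_PW'),
    'login_attr' => 'uid',
];
var_dump(ldap_login_check($cfg, 'jdoe', 'constructed-password'));
```

Against the placeholder host the call returns false at the StartTLS step, which is the intended behaviour when no encrypted channel can be set up.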
  (#117) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
24-05-2006, 02:38 AM

Thanks AKL-MFCU, that makes sense.

Is there a way of getting around the following problem.

If we have a new user who is not in SupportSuite and they send an email to the email queue, Supportsuite adds them as a user and sends a reply email with a username and password. However, this password is not the AD password and so they cannot login to the web page.

If the user has been "created" by first logging into the web page and hence validated against AD then it all seems to work fine.

Anyway, thanks heaps for your help.
Mark.
   
  (#118) Old
AKL-MFCU Offline
Member
 
Posts: 146
Join Date: Feb 2006
Location: Lakeland, Florida - USA
this is in assumption - 24-05-2006, 09:00 AM

I am going to assume that all the people that you want to use Kayako are in AD. In that case, make sure to toggle the registration features off, especially creating a new user from scratch. You could manually edit the mail parser, but I believe when you go into the user templates and you say there are no guests and make sure that everything points to AD only, it should work. I'll go into more detail later but I'm pressed to make a meeting here shortly. Thanks!
   
  (#119) Old
mharr Offline
New Member
 
Posts: 27
Join Date: Mar 2006
Location: Sydney
30-05-2006, 08:47 AM

Sorry, got lost for a few days. Thanks for the reply AKL-MFCU.

How do I toggle the registration off for a new user ? What I want it to do is allow someone to send an email to the helpdesk queue and if they are not registered then it sends the return email with a link to the web page for them to go and login (register) using their AD credentials. Not sure if it does this or how to force it to do it.

Mark.
   
  (#120) Old
AKL-MFCU Offline
Member
 
Posts: 146
Join Date: Feb 2006
Location: Lakeland, Florida - USA
templates part of admin - 03-06-2006, 04:57 PM

If you go into the templates part of the admin, there are the sections for the e-mail autoresponder, and it has the swift source for everything. I would show you how to do it, but that's a lot of custom work for no true benefit to myself since I won't be using it. However, if you've dealt with any coding or looked at it before, then find where the autoresponse features are and edit them at your will.

As for toggling the user registration, I would recommend that you go to the admin->settings->User Registration part and select no on everything that has a toggle switch. Reason being, AD holds most of these answers already and having these on can bypass some of the functionality of AD.

It may or may not automatically create a user from the e-mail based on AD credentials if they have never logged in before; to be honest, I haven't tried it myself. Best way is, if you have the ability, create a test account and send an e-mail in with all those options toggled off and see if it spurts back what you want or if it errors out.
   