PHP AD LDAP Authenticator v2

Discussion in 'LoginShare' started by Technocrat, Jun 22, 2012.

  1. Technocrat

    Technocrat Established Member

  2. Call it a stroke of luck, but now my regular user logins are working. Now when I enable staff, I am getting error type 5
  3. Technocrat

    Technocrat Established Member

    Did you put in your AD group => Teams in the config? It could mean there is an error somewhere in PHP. Best thing to do is to try the HTML file as per the wiki troubleshooting section and see what is happening.
  4. dallows

    dallows Member

    Is anyone at Kayako willing to help us troubleshoot the multiple domain issue? Surely they have a test environment?
  5. I did... I get not in a valid AD Group... When you say Teams in the config... are you talking about in the Admin Panel or the config.php file?
  6. Jesse Adams

    Jesse Adams Member

    ( Don't mean to hijack things, but not sure where to put this, even if anyone cared! Thank you very much Technocrat for your time and support on this!)

    While it's fresh in my mind, I thought I would state what I did to get the PHP AD LDAP Authenticator working. I discovered the wiki late in the game and went by the forum posts - the wiki looks fantastic and should be the place to start! http://forge.kayako.com/projects/ad-ldap-authenticator/wiki

    This is as of version 2.0.0, running in Ubuntu 10.04 TurnkeyLinux somethingorother.

    DL the latest package from http://forge.kayako.com/projects/ad-ldap-authenticator/files.

    Unzip it and move the contents and ldap subfolder of the upload folder to the root of your Kayako site, such that ldap.php is alongside Kayako's index.php. Something like mv /path/to/ad-ldap-loginshare/upload/* /path/to/kayako.

    Edit ldap/config.php. The original forum thread suggests editing adLDAP.php - the package has been fantastically updated since those posts. Just stick with config.php.

    The comments in config.php are strong. In my case, I had to set the $ldap_domain_info and have two of my domain controllers in the $ldap_domain_controllers array.

    For the IT staff, who are all in an AD security group "MIS", I have (note - in Kayako, the group "Staff" came with the install by default):
    $staff_groups = array('MIS' => 'Staff');

    For users, I have an AD security group "All Employees" and have set:
    $valid_user_groups = array('All Employees');

    Note on LOG - if you set KAYAKO_LDAP_LOG to true, be sure to chmod 777 the /ldap/log folder so that the file can get written.

    Note on testing - in the downloaded package is /tools/ldap.html - move this to the root of your kayako, so it exists next to ldap.php, and open it in a browser. You should be able to test your config.php file at this point, by providing a domain username and password.

    You'll see the outputted xml, and you should see something in the log (if you've enabled it of course!). The outputted XML is important, because Kayako is expecting certain fields a certain way - if for some reason your AD is responding differently, you'll run into troubles. I think 90% of the time everything will be fine. I think fixing this would take more wizardry than I could muster.

    Now onto the Kayako side...

    For users:
    Enabling loginshare in Kayako has a few not-so-obvious steps. I'm super new to Kayako, so forgive some small amount of ignorance.

    Admin CP - Settings - LoginShare, enable User and set the URL to the ldap.php file, for example http://webserver/kayako/ldap.php. Note - I had problems using the apache virtualhost name for my kayako site (http://help/) in this URL - once I switched it to the absolute path (http://<ip>/help/ldap.php) it worked like a charm. When I had problems, Kayako would cough the Invalid Data 1 error.

    Next go to Admin CP - Templates - Groups, click to edit the Default group, and enable Loginshare here.

    Users in my "All Employees" AD group can now log into the user portion of Kayako with just their windows username.

    For Staff:
    same 1st step as for users, but add ?type=Staff to the URL, like http://webserver/kayako/ldap.php?type=Staff.

    Now IT in the "MIS" AD group can log in to the staff side. I'm in both the All Employees and Staff AD groups, and can log in to both sites.

    Final steps for me were in the wiki (disable kayako registration, remove lost password and change the login box text).

    I really appreciate the work that went into this! Super big thanks!
  7. Technocrat

    Technocrat Established Member

    You can ask but I don't know if anyone will. As I stated before I am willing to look at it if you give me access. I would need FTP, web, and an AD username/password to test with. I will sign an NDR or any other legal document if you would like. This is not my first time working on projects like this so I have no problem with it. But I understand if not.

    I don't know if you saw my post on the other thread, but in order for staff to work you have to have a valid AD group and Kayako Team. The team you set up in admin, and the link you need to set up in the config.php. So what I did in my environment was to create an AD group called Kayako Staff. Assign users to it in AD. Then in Kayako I just set up a standard Staff team. Then set it in the config.

    Jesse Adams - Thanks. If you (or anyone) has any changes to make to the WIKI please feel free to make it or let me know so I can change it.
  8. Ok I have a Team setup as Staff in Kayako.
    for login share for staff I have the link as http://myserver.mydomain.com/testticket/ldap.php?=Staff

    In my config file I have:
    $staff_groups = array('Corporate Helpdesk', 'Corp IT' => 'Staff');

    When I use the html file to perform the check...

    <loginshare>
    <result>1</result>
    <staff>
    <team>Corporate Helpdesk</team>
    <firstname>Davey</firstname>
    <lastname>Roberson</lastname>
    <designation>Help Desk/Computer Analyst</designation>
    <email>(myemail is showing here)</email>
    <mobilenumber/>
    <signature/>
    </staff>

    </loginshare>
  9. Technocrat

    Technocrat Established Member

    $staff_groups = array('Corporate Helpdesk', 'Corp IT' => 'Staff'); is not correct. It needs to be 'AD Group' => 'Kayako Team'. So only 'Corp IT' => 'Staff' is correct
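    The following is an added example, not code from the AD LDAP Authenticator package or from Kayako. It is a small stand-in for the lookup the thread describes: a check that a $staff_groups map really has the 'AD Group' => 'Kayako Team' shape (the bare 'Corporate Helpdesk' entry in post 8 gets the integer key 0 and can therefore never match a group name), the group-to-team resolution that Jesse's and Technocrat's posts describe for $staff_groups and $valid_user_groups, and the staff XML in the layout pasted earlier in the thread, built with DOMDocument so that names containing '<' or '&' are escaped instead of producing malformed XML. The function names, the attribute names of the AD record (memberOf, givenname, sn, title, mail, mobile), the user-side response (result only) and the sample data are assumptions.

```php
<?php
// Added example, not code from the AD LDAP Authenticator package or from
// Kayako. Function names, AD attribute names and the user-side XML (result
// only; the thread shows no user-side fields) are assumptions.
declare(strict_types=1);

/**
 * Return a list of problems with a $staff_groups map (empty list = OK).
 * The map must have the shape 'AD Group' => 'Kayako Team'. A bare value such
 * as array('Corporate Helpdesk', 'Corp IT' => 'Staff') gives the first entry
 * the integer key 0, so it can never match an AD group name.
 */
function check_staff_groups(array $staff_groups): array
{
    $problems = [];
    foreach ($staff_groups as $adGroup => $team) {
        if (!is_string($adGroup) || $adGroup === '') {
            $problems[] = sprintf("entry %s => '%s' has no AD group name; write 'AD Group' => 'Kayako Team'",
                var_export($adGroup, true), (string) $team);
        } elseif (!is_string($team) || $team === '') {
            $problems[] = "entry '$adGroup' has no Kayako team name";
        }
    }
    return $problems;
}

/** Extract the CN of each DN in memberOf, e.g. 'CN=MIS,OU=Groups,DC=x,DC=com' => 'MIS'. */
function group_names(array $memberOf): array
{
    $names = [];
    foreach ($memberOf as $dn) {
        // A CN may contain an escaped comma ("\,"), so do not split on the first comma blindly.
        if (preg_match('/^CN=((?:\\\\.|[^,])+)/i', $dn, $m)) {
            $names[] = str_replace('\\,', ',', $m[1]);
        }
    }
    return $names;
}

/**
 * Decide the answer for a login of $type ('Staff', or '' for a user).
 * Returns ['result' => 1, 'team' => ...] for staff, ['result' => 1] for a user,
 * or ['result' => 0, 'message' => ...] on refusal (messages as seen in the thread).
 */
function resolve_login(string $type, array $memberOf, array $staff_groups, array $valid_user_groups): array
{
    $groups = group_names($memberOf);
    if (strcasecmp($type, 'Staff') === 0) {
        foreach ($staff_groups as $adGroup => $team) {
            if (is_string($adGroup) && in_array($adGroup, $groups, true)) {
                return ['result' => 1, 'team' => (string) $team]; // the team, never the AD group name
            }
        }
        return ['result' => 0, 'message' => 'Not in a valid AD staff group'];
    }
    // An empty $valid_user_groups means no restriction, matching the log line
    // "No special user restrictions, user logged in".
    if ($valid_user_groups === [] || array_intersect($valid_user_groups, $groups) !== []) {
        return ['result' => 1];
    }
    return ['result' => 0, 'message' => 'Not in a valid AD Group'];
}

/**
 * Build the LoginShare XML with DOMDocument, so a designation or name that
 * contains '<' or '&' is escaped instead of breaking the document.
 * Staff fields follow the XML pasted in the thread.
 */
function loginshare_xml(array $decision, array $user): string
{
    $doc = new DOMDocument('1.0', 'UTF-8');
    $doc->formatOutput = true;
    $root = $doc->appendChild($doc->createElement('loginshare'));
    $root->appendChild($doc->createElement('result', (string) $decision['result']));
    if ($decision['result'] !== 1) {
        $root->appendChild($doc->createElement('message'))
             ->appendChild($doc->createTextNode($decision['message']));
    } elseif (isset($decision['team'])) {
        $staff = $root->appendChild($doc->createElement('staff'));
        $fields = [
            'team'         => $decision['team'],
            'firstname'    => $user['givenname'] ?? '',
            'lastname'     => $user['sn'] ?? '',
            'designation'  => $user['title'] ?? '',
            'email'        => $user['mail'] ?? '',
            'mobilenumber' => $user['mobile'] ?? '',
            'signature'    => '',
        ];
        foreach ($fields as $name => $value) {
            $staff->appendChild($doc->createElement($name))
                  ->appendChild($doc->createTextNode($value));
        }
    }
    return $doc->saveXML();
}

// Constructed sample data: an account in "All Employees" and "Corp IT", with a
// designation that would break naive string concatenation into XML.
$sampleUser = [
    'memberOf'  => ['CN=All Employees,OU=Groups,DC=example,DC=com',
                    'CN=Corp IT,OU=Groups,DC=example,DC=com'],
    'givenname' => 'Davey',
    'sn'        => 'R******',
    'title'     => 'Help Desk & Computer Analyst <Tier 1>',
    'mail'      => 'user@example.com',
    'mobile'    => '',
];

$wrong = ['Corporate Helpdesk', 'Corp IT' => 'Staff']; // the mistake from post 8
$right = ['Corp IT' => 'Staff'];                        // the corrected form

foreach (check_staff_groups($wrong) as $problem) {
    echo "config problem: $problem\n";                  // reports the entry with key 0
}
echo loginshare_xml(resolve_login('Staff', $sampleUser['memberOf'], $right, ['All Employees']), $sampleUser);
echo loginshare_xml(resolve_login('', $sampleUser['memberOf'], $right, ['All Employees']), $sampleUser);
```

    Two points of the design are worth noting. The team name placed in the XML is always the map's value, so a typo in the AD-group key results in "Not in a valid AD staff group" rather than an unexpected team being granted, and the group match is exact (in_array with strict comparison), which can give a false refusal if the AD group name is cased differently from the config but never a false acceptance. The check_staff_groups() call is the kind of sanity check that is cheap to run from the tools/ldap.html test page before touching the Admin CP.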
  10. Tried that too... still get an error message...

    This is from the log file...

    [06-22-12 - 17:40] ldap_account_suffix: '@amcity.com'
    [06-22-12 - 17:40] ldap_base_dn: 'DC=amcity,DC=com'
    [06-22-12 - 17:40] ldap_domain_controllers: array (
    0 => 'dc01.amcity.com',
    1 => 'dc02.amcity.com',
    2 => 'dc10.amcity.com',
    3 => 'dc11.amcity.com',
    )
    [06-22-12 - 17:40] KAYAKO_LDAP_TEST: false
    [06-22-12 - 17:40] UNKNOWN: [2] ldap_bind(): Unable to bind to server: Invalid credentials
    [06-22-12 - 17:40] Could not create new Kayako_LDAP (@amcity.com => DC=amcity,DC=com) message: -- Invalid credentials
    [06-22-12 - 17:40] Bad login, error sent
    [06-22-12 - 17:40] Session End

    [06-22-12 - 17:40] ldap_account_suffix: '@amcity.com'
    [06-22-12 - 17:40] ldap_base_dn: 'DC=amcity,DC=com'
    [06-22-12 - 17:40] ldap_domain_controllers: array (
    0 => 'dc01.amcity.com',
    1 => 'dc02.amcity.com',
    2 => 'dc10.amcity.com',
    3 => 'dc11.amcity.com',
    )
    [06-22-12 - 17:40] KAYAKO_LDAP_TEST: false
    [06-22-12 - 17:40] Authenticated: true
    [06-22-12 - 17:40] Type: Empty
    [06-22-12 - 17:40] No special user restrictions, user logged in
    [06-22-12 - 17:40] Session End

    [06-22-12 - 17:40] ldap_account_suffix: '@amcity.com'
    [06-22-12 - 17:40] ldap_base_dn: 'DC=amcity,DC=com'
    [06-22-12 - 17:40] ldap_domain_controllers: array (
    0 => 'dc01.amcity.com',
    1 => 'dc02.amcity.com',
    2 => 'dc10.amcity.com',
    3 => 'dc11.amcity.com',
    )
    [06-22-12 - 17:40] KAYAKO_LDAP_TEST: false
    [06-22-12 - 17:40] Authenticated: true
    [06-22-12 - 17:40] Type: Empty
    [06-22-12 - 17:40] No special user restrictions, user logged in
    [06-22-12 - 17:40] Session End
  11. Technocrat

    Technocrat Established Member

    You are showing that someone is logging in. What is the message you get from Kayako?
  12. Invalid Data Type Provided 5
  13. I just tried to create a new team and login with AD credentials... now Kayako has locked that account out in its system for 15 minutes...
  14. Technocrat

    Technocrat Established Member

    Ok that means something is screwing up the XML coming back. So something in your PHP is causing a problem. You don't see anything weird in the text XML? What about when you do test mode and do the url as ldap?staff=1
  15. This XML file does not appear to have any style information associated with it. The document tree is shown below.
    <loginshare>
    <result>1</result>
    <staff>
    <team>Helpdesk_Team</team>
    <firstname>Davey</firstname>
    <lastname>R******</lastname>
    <designation>Help Desk/Computer Analyst</designation>
    <email>myemailishere</email>
    <mobilenumber/>
    <signature/>
    </staff>
    </loginshare>
  16. Technocrat

    Technocrat Established Member

    Looks right. Might want to edit your post and remove your email address.

    So something else is happening. Are you on a virtual host?
  17. When I turn Test on...

    This XML file does not appear to have any style information associated with it. The document tree is shown below.
    <loginshare>
    <result>0</result>
    <message>Not in a valid AD staff group</message>
    </loginshare>
  18. Not a virtual host. Mac OS X 10.6.8 Server
  19. Technocrat

    Technocrat Established Member

  20. oh wait.. that account is not part of the group ... let me test...
