
PHP AD LDAP Authenticator v2

Discussion in 'LoginShare' started by Technocrat, Jun 22, 2012.

  1. Technocrat

    Technocrat Established Member

    I would like to think it would be easy. Just make an option that says LoginShare data can overwrite user data, then check it. I guess I could make a mod, but it would be better in the core. However, they still haven't added the one-line change I suggested over a year ago: http://dev.kayako.com/browse/SWIFT-3128 to fix the duplicate staff :p so I am not going to hold my breath.
     
  2. mindo

    mindo New Member

    Hi,

    I am getting this error (either using kayako's login page or ldap.html):

    Code:
    [02-03-14 - 19:47] ldap_account_suffix: '@auth.*****.com'
    [02-03-14 - 19:47] ldap_base_dn: 'DC=auth,DC=*****,DC=com'
    [02-03-14 - 19:47] ldap_domain_controllers: array (
      0 => 'auth.*****.com',
    )
    [02-03-14 - 19:47] KAYAKO_LDAP_TEST: false
    [02-03-14 - 19:47] UNKNOWN: [2] ldap_bind(): Unable to bind to server: Invalid DN syntax
    [02-03-14 - 19:47] Could not create new Kayako_LDAP class or authentication failed (@auth.*****.com => DC=auth,DC=*****,DC=com).  Message:  -- Invalid DN syntax
    [02-03-14 - 19:47] Bad login. Error message sent
    [02-03-14 - 19:47] ----------[ Session End ]----------
    
    Any pointers/ideas to sort this out?

    Thank you.
     
  3. Technocrat

    Technocrat Established Member

    It appears your ldap_base_dn is wrong judging from the error message. I would guess you don't need DC=auth,
     
  4. mindo

    mindo New Member

    Hi,

    But I need the DC=auth, that's how my LDAP server is configured - also when running an ldapsearch without it I get no results.
    This does not appear to be a problem with my LDAP config because using the default values I get the same error:

    Code:
    [02-03-14 - 18:48] ldap_account_suffix: '@mydomain.local'
    [02-03-14 - 18:48] ldap_base_dn: 'DC=mydomain,DC=local'
    [02-03-14 - 18:48] ldap_domain_controllers: array (
      0 => 'auth.es4b.com',
    )
    [02-03-14 - 18:48] KAYAKO_LDAP_TEST: false
    [02-03-14 - 18:48] UNKNOWN: [2] ldap_bind(): Unable to bind to server: Invalid DN syntax
    [02-03-14 - 18:48] Could not create new Kayako_LDAP class or authentication failed (@mydomain.local => DC=mydomain,DC=local).  Message:  -- Invalid DN syntax
    [02-03-14 - 18:48] HTML Test: user
    [02-03-14 - 18:48] Bad login. Error message sent
    [02-03-14 - 18:48] ----------[ Session End ]----------
    
     
  5. Technocrat

    Technocrat Established Member

    I Googled the error and I see some references to older versions of PHP and MS AD. What is your PHP version and AD environment? Are you using MS AD or something else?

    Another post suggests the username should be something like: 'cn=user,dc=subdomain,dc=domain,dc=com' when using a subdomain in your AD
     
  6. Luke Pinion

    Luke Pinion Established Member

    Hey Technocrat,

    Have you considered rewriting the code to make it more in line with PHP 5.5? I'm primarily asking because when I have error logging turned on, I get the following message:
    Code:
    UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    I was able to pinpoint the code at about line 104 in adLDAPUtils.php, but I'm not very good with PHP nor regular expressions and wasn't able to properly convert preg_replace() to preg_replace_callback().

    It's not a big deal. It's just kind of annoying as the warning message is usually posted consecutively about 20 times in the log anytime someone logs in successfully.
     
  7. Technocrat

    Technocrat Established Member

    Good question. I probably will once I move from 5.4 or there is more push for me to change it.

    One hold up would be the underlying lib, which is adLDAP 4.0.4. They are working on a version 5, which is 5.5 compatible. So I wouldn't move until that is done as well.

    If you would like to silence that error, I found the problem and its fix; in the working copy of adLDAP 5.5 they have it fixed. Obviously I haven't tested it, but I don't see a reason why it would not work.

    It's coming from ldap/adLDAP/classes/adLDAPUtils.php

    Find this code:
    PHP:
        public function ldapSlashes($str){
            return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e',
                                '"\\\\\".join("",unpack("H2","$1"))',
                                $str);
        }
    Replace with:
    PHP:
        public function ldapSlashes($str) {
            return preg_replace_callback(
                '/([\x00-\x1F\*\(\)\\\\])/',
                function ($matches) {
                    return "\\".join("", unpack("H2", $matches[1]));
                },
                $str
            );
        }
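    Technocrat notes above that he has not tested the callback version. The following is an added example (not part of the LoginShare mod or adLDAP) that runs the same logic against expected escapes derived by hand from the /e version, cross-checks it with PHP's built-in ldap_escape() on PHP 5.6 or newer, and shows where the escape sits in a search filter. The names ldapSlashesCallback, buildAccountFilter and the sample account names are constructed for the example.

```php
<?php
// Added example, not part of the LoginShare mod or adLDAP: exercises the
// preg_replace_callback() version of ldapSlashes() against expected escapes
// derived by hand from the original /e version ("\" + two hex digits of the
// matched byte), then cross-checks it with PHP's built-in ldap_escape()
// (available from PHP 5.6) where that function exists.

// Same logic as the proposed replacement; renamed here (constructed name) only
// to avoid clashing with the adLDAPUtils class when run stand-alone.
function ldapSlashesCallback($str)
{
    return preg_replace_callback(
        '/([\x00-\x1F\*\(\)\\\\])/',
        function ($matches) {
            return "\\" . join("", unpack("H2", $matches[1]));
        },
        $str
    );
}

// Where the escape matters: the account name typed at the login page ends up
// inside an LDAP search filter. Escaped, a '*' is a literal asterisk rather
// than a wildcard, so the filter can only match that exact account.
function buildAccountFilter($account)
{
    return '(samaccountname=' . ldapSlashesCallback($account) . ')';
}

// Constructed test vectors: input => expected output of the /e version.
$vectors = array(
    'jdoe'             => 'jdoe',
    'j*doe'            => 'j\2adoe',
    '(jdoe)'           => '\28jdoe\29',
    'CORP\\jdoe'       => 'CORP\5cjdoe',
    "j\x00doe"         => 'j\00doe',
    "tab\there"        => 'tab\09here',
    'first.last@x.org' => 'first.last@x.org',
);

$failures = 0;
foreach ($vectors as $input => $expected) {
    $got = ldapSlashesCallback($input);
    if ($got !== $expected) {
        $failures++;
    }
    printf("%s %-22s => %s\n", $got === $expected ? 'ok  ' : 'FAIL',
           json_encode($input), $got);
}

// ldap_escape() with LDAP_ESCAPE_FILTER covers \ * ( ) and NUL but not the
// other control characters, so compare only inputs within that set.
if (function_exists('ldap_escape')) {
    foreach (array('j*doe', '(jdoe)', 'CORP\\jdoe', "j\x00doe") as $input) {
        $builtin = ldap_escape($input, '', LDAP_ESCAPE_FILTER);
        if ($builtin !== ldapSlashesCallback($input)) {
            $failures++;
            printf("FAIL ldap_escape differs for %s: %s\n", json_encode($input), $builtin);
        }
    }
}

echo buildAccountFilter('j*doe'), "\n";
exit($failures === 0 ? 0 : 1);
```

    Run it with the PHP CLI on the same version the helpdesk uses; a non-zero exit status means the callback version and the reference escapes (or ldap_escape()) disagree on that build.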
     
  8. mindo

    mindo New Member

    $ php --version
    PHP 5.3.10-1ubuntu3.9 with Suhosin-Patch (cli) (built: Dec 12 2013 04:27:25)

    I am using OpenLdap 2.4.28.

    Code:
    ldapsearch -vv -h auth.*****.com -p 389 -x -b "dc=auth,dc=*****,dc=com"
    This works, so I am not sure I understood what you meant with the username part.
     
  9. Luke Pinion

    Luke Pinion Established Member

    Awesome, man. That worked perfectly. I'd written something similar to that based on some suggestions I'd found online, but there were a couple things I didn't get quite right.
     
  10. Technocrat

    Technocrat Established Member

    Mindo, at the bottom of the config is:

    Code:
    $use_adldap_options = false;
    $admin_user_name = '';
    $admin_password = '';
    Set the use to true and put in admin credentials that can search the AD. If that doesn't work, change the admin username to be in the format:
    'cn=user_name,dc=subdomain,dc=domain,dc=com'
     
  11. mindo

    mindo New Member

    Technocrat,

    I tried both versions:
    Code:
    $admin_user_name = 'admin';
    
    Code:
    $admin_user_name = 'cn=admin,dc=auth,dc=*****,dc=com';
    
    and I always get the same error:

    Code:
    [02-05-14 - 20:05] ldap_account_suffix: '@auth.*****.com'
    [02-05-14 - 20:05] ldap_base_dn: 'DC=auth,DC=*****,DC=com'
    [02-05-14 - 20:05] ldap_domain_controllers: array (
      0 => 'auth.*****.com',
    )
    [02-05-14 - 20:05] KAYAKO_LDAP_TEST: false
    [02-05-14 - 20:05] UNKNOWN: [2] ldap_bind(): Unable to bind to server: Invalid DN syntax
    [02-05-14 - 20:05] Could not create new Kayako_LDAP class or authentication failed (@eufinity.com => DC=auth,DC=*****,DC=com).  Message:  -- Invalid DN syntax
    [02-05-14 - 20:05] Bad login. Error message sent
    [02-05-14 - 20:05] <loginshare>
      <result>0</result>
      <message>Invalid Username or Password</message>
    </loginshare>
     
    [02-05-14 - 20:05] <?xml version="1.0" encoding="UTF-8"?>
    <loginshare>
      <result>0</result>
      <message>Invalid Username or Password</message>
    </loginshare>
     
    [02-05-14 - 20:05] ----------[ Session End ]----------
    I even tried changing
    Code:
    define('KAYAKO_LDAP_TEST', false);
    
    to true, but the result was the same.
     
  12. Technocrat

    Technocrat Established Member

    Sorry, I wish I had some better answers for you. I have been thinking and Googling and I am not sure what to suggest. I am not terribly familiar with OpenLDAP.

    For some reason it either doesn't like your credentials or your DN, or something is wrong with adLDAP. I did find this:
    https://github.com/nilsteampassnet/TeamPass/issues/98
    which seems similar; you could try what is suggested there.

    But beyond that I am sort of at a loss as to what to suggest.
     
  13. Dominic Kirby

    Dominic Kirby New Member

    OK, I'm new to LoginShare, but I thought this was pretty straightforward. We have Kayako Fusion on a Server 2008 R2 machine, I added the ldap.php and associated files, completed config.php. If I use ldap.html, it seems fine. But, when I go to login I get error "Invalid data provided: 2." Here is the log (modified to hide all of the top secret stuff):
    Code:
    [03-29-14 - 14:29] ldap_account_suffix: '@ourdomain.org'
    [03-29-14 - 14:29] ldap_base_dn: 'DC=ourdomain,DC=org'
    [03-29-14 - 14:29] ldap_domain_controllers: array (
      0 => 'dc1.ourdomain.org',
      1 => 'dc2.ourdomain.org',
    )
    [03-29-14 - 14:29] KAYAKO_LDAP_TEST: false
    [03-29-14 - 14:29] Authenticated: true
    [03-29-14 - 14:29] HTML Test: user
    [03-29-14 - 14:29] Type: Empty (Default to user)
    [03-29-14 - 14:29] Usergroups are enabled
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] UNKNOWN: [8192] preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead
    [03-29-14 - 14:29] Usergroup was not found. User did logged in because of KAYAKO_LDAP_ERROR_USERGROUP
    [03-29-14 - 14:29] <loginshare>
      <result>1</result>
      <user>
              <usergroup>Registered</usergroup>
              <fullname>Test Account</fullname>
              <designation/>
              <emails>
                      <email>Test.Account@ouremaildomain.org</email>
              </emails>
              <phone></phone>
      </user>
    </loginshare>
    
    [03-29-14 - 14:29] <?xml version="1.0" encoding="UTF-8"?>
    <loginshare>
      <result>1</result>
      <user>
              <usergroup>Registered</usergroup>
              <fullname>Test Account</fullname>
              <designation/>
              <emails>
                      <email>Test.Account@ouremaildomain.org</email>
              </emails>
              <phone></phone>
      </user>
    </loginshare>
    
    [03-29-14 - 14:29] ----------[ Session End ]----------
    Here is config.php (also modified):
    PHP:
    <?php

    /**
    * Please read the wiki first!
    * http://forge.kayako.com/projects/ad-ldap-authenticator/wiki
    */
    //#########################################################################################

    /**
    * YOU MUST CHANGE THESE FOR THIS TO WORK
    */

    /**
    * LDAP domain info
    * AD Prefix => Base DN
    * array('@mydomain.local' => 'DC=mydomain,DC=local')
    */
    $ldap_domain_info = array('@domain.org' => 'DC=domain,DC=org');

    /**
    * Domain controller(s).  You can use names or IPs
    * You can have more than one domain server by using
    * array('dc01.mydomain.local', 'dc02.mydomain.local', 'dc03.mydomain.local');
    */
    $ldap_domain_controllers = array('dc1.domain.org', 'dc2.domain.org');

    /**
    * Change for AD staff groups a user must be in to login
    * AD_Group => Kayako_Staff_Team
    * Example:
    *     $staff_groups = array('IS Group' => 'IS');
    * This is required only if you are using this for staff
    */
    // $staff_groups = array('Group' => 'Staff');

    //Everything below here is optional
    //#########################################################################################

    /**
    * Change for valid AD user groups (see KAYAKO_LDAP_ERROR_USERGROUP as well)
    * AD_Group => Kayako_User_Group
    * Example:
    *     $user_groups = array('Customer Service' => 'CS');
    * This is not required for a user!!
    */
    $user_groups = array('Confirmed' => 'Domain Users');

    /**
    * Allows single users to bypass the default (Registered) group
    * 'AD Username' => 'Kayako_Group'
    * Example:
    *     $user_group_bypass = array('jdoe' => 'Technicians');
    * This is not required
    * MUST use lowercase for AD username!!
    */
    $user_group_bypass = array();

    /**
    * Change to include any AD groups you want the user to be in to authenticate
    * Example:
    *  $valid_user_groups = array('Customer Service', 'IT');
    * If they are not in one of these groups they will not be able to login
    */
    $valid_user_groups = array('Domain Users');

    /**
    * Change to false if you want users not in the $user_group to still be able to login
    */
    define('KAYAKO_LDAP_ERROR_USERGROUP', false);

    /**
    * If more than one domain controller is used adLDAP will attempt
    * to connect to one of the controllers.  If failed it will try another.
    * If set to false it will use the default behavior which is to try to connect
    * to a controller no matter what.  If failed it will NOT try another server
    */
    define('KAYAKO_LDAP_VERIFY_CONTROLLER', true);

    /**
    * Change to true to enable testing mode
    * If left disabled username and password is ignored
    */
    define('KAYAKO_LDAP_TEST', false);

    /**
    * Change to true to show all errors & warnings
    */
    define('KAYAKO_LDAP_SHOW_ERRORS', false);

    /**
    * Change to true to enable logging mode
    * Your ldap/log directory must be writable
    */
    define('KAYAKO_LDAP_LOG', true);

    /**
    * Logs the outgoing XML
    * Logging must be enabled for this to work
    */
    define('KAYAKO_LDAP_LOG_XML', true);

    /**
    * Attempts to log everything that is displayed to the screen
    * Logging must be enabled for this to work
    */
    define('KAYAKO_LDAP_LOG_OUTPUT', true);

    /**
    * Enter values to test with
    */
    define('KAYAKO_LDAP_USERNAME', '');
    define('KAYAKO_LDAP_PASSWORD', '');

    /**
    * Change to false if you do not want to try to get mobile or home number if the telephone number is empty
    */
    define('KAYAKO_LDAP_PHONE_NUMBER', true);

    /**
    * Change to false if you do not want to import AD Department to Organization in the user's profile
    */
    define('KAYAKO_LDAP_IMPORT_DEPARTMENT', false);

    /**
    * Change to false if you do not want to import AD Job Title to Title/Position in the user's profile
    */
    define('KAYAKO_LDAP_IMPORT_TITLE', false);

    /**
    * Change to false if you do not want to strip @domain
    */
    define('KAYAKO_LDAP_STRIP_EMAIL', true);

    //Everything below here is optional adLDAP settings
    //#########################################################################################
    //See http://adldap.sourceforge.net/wiki/doku.php?id=documentation_configuration

    /**
    * Ignore these!
    */
    global $use_adldap_options, $adldap_options;

    /**
    * If you want to use ANY of the options below then change this to true FIRST
    * Example:
    *     $use_adldap_options = true;
    */
    $use_adldap_options = false;

    /**
    * Admin Username / Password is an account with higher privileges to perform privileged operations.
    * Example
    *     $admin_user_name = 'CIO';
    *     $admin_password = 'MyPa$$w0rd';
    * This is not required!
    */
    $admin_user_name = '';
    $admin_password = '';

    /**
    * Use SSL
    * Example:
    *     $use_ssl = true;
    */
    $use_ssl = false;

    /**
    * Use TLS
    * Example:
    *     $use_tls = true;
    */
    $use_tls = false;

    /**
    * Change AD Port from default
    * Example:
    *     $ad_port = 12345;
    */
    $ad_port = 389;

    /**
    * Ignore this!
    */
    $adldap_options = array(
        'admin_user_name' => $admin_user_name,
        'admin_password'  => $admin_password,
        'use_ssl'         => $use_ssl,
        'use_tls'         => $use_tls,
        'ad_port'         => $ad_port,
    );
    Any help would be greatly appreciated. Seriously! My boss is on me about integrating the damn helpdesk w/ AD. Note: we only want users to auth over AD, not staff.
     
  14. Dominic Kirby

    Dominic Kirby New Member

    As I was clicking Post, I thought of something and corrected it. I was using our internal server name in the LoginShare settings, and upon review of the Kayako log, was getting 404. So now, I get Invalid data provided: 1. The Kayako error log says the XML output was blank. However, when I use ldap.html to test my login I get:
    HTML:
    <?xml version="1.0" encoding="UTF-8" ?>
    <loginshare>
      <result>1</result>
      <user>
        <usergroup>Registered</usergroup>
        <fullname>Dominic Kirby</fullname>
        <designation />
        <emails>
          <email>Dominic.Kirby@ouremaildomain.org</email>
        </emails>
        <phone />
      </user>
    </loginshare>
    The mystery continues... that's definitely not blank...
     
  15. Technocrat

    Technocrat Established Member

    Are you 100% sure you did the LoginShare right? Because that sounds like you have the URL still wrong.

    Are you still seeing the warnings that were noted in the log in the previous post? That could be causing the problem.
     
  16. Technocrat

    Technocrat Established Member

    Unfortunately, due to an issue having to do with my company's purchasing department and the payment of taxes by Kayako, we are unable to come to terms to continue to pay for support of Kayako. This issue has nothing to do with the system itself or anyone involved in the project. It's simply a monetary impasse that seems unable to be overcome by both sides.

    Because of this my company will no longer be using Kayako. We are in the process of evaluating alternatives. :(

    Sadly this will mean I will no longer be working on or supporting this project. Hopefully someone will be able to take over this project and continue to move it forward. I have put the ideas I had for the next release in the forge ticket system for the next person.

    I have enjoyed working on this project and the positive results we have made.

    Thank you to everyone
     
  17. Torbjörn S.

    Torbjörn S. Reputed Member

    Has anyone got this working with php 5.4?
    I just updated my test environment to 5.4 to be ready for the future and then this mod stopped working.
     
  18. Xsi_pl

    Xsi_pl Member

    PHP 5.4.29 here - works ok without any modifications, just standard installation as it is written in wiki
     
  19. Torbjörn S.

    Torbjörn S. Reputed Member

    I have version 5.5.11 and that does not work. I have the latest authenticator version installed.
    I get the error 'Invalid data provided: 1' on the login page.
     
    Last edited: Jul 15, 2014
  20. Torbjörn S.

    Torbjörn S. Reputed Member

    Does anyone have any news about using this with php 5.5 or newer? I need to get this working for my customers but don't know where to start looking in the app for needed changes.
     
