PHP AD LDAP Authenticator

Have you upgraded to the most recent version?

Well I am not sure what to say. I dont have two domains to test against, so I can only try with what limited resources I have. I am willing to look at any system that someone wants to give me access to. But I understand that is a lot to ask.

I don't know about the PM. You can start a conversation with me if you want. Then I will send you my email address.

trying to get this up and running. read through the instructions you have posted, which are pretty good. authentication isnt working for me and i have logging enabled but its not actually writing any logs. also I was trying to figure out if I need to actually configure adLDAP or are you passing it variables from the config.php file you have listed for editing.

The config handles everything you don't need to do anything else to adLDAP. I assume you have logging set to true? Is the file even being made in the log folder? If not is the folder writable?

yes logging is set to true. no file is being written to the log folder. its completely empty. log folder has permissions of drwxr-xr-x

also I have noticed that adLDAP calls for an administrative user to be able to search AD. the config.php files has no where to specifiy this. i assume then that its binding anonymously to AD?

Well if I had to take a guess 755 or drwxr-xr-x is not enough permissions on your server for PHP to write to that folder. Try 777.

You can also do:
http://forge.kayako.com/projects/ad-ldap-authenticator/wiki/Troubleshooting
Enable testing. Then you should see some more information

In this case you are not searching you are simply trying to authenticate. So you don't need a admin AD account for adLDAP. If say you wanted to see if the user existed without authenticating them then that would be an example where you would need that.

did a chmod 777 on the log folder, still nothing. I did try the ldap.html page and here is the error it spit out.

Warning: include(/var/www/ldap/kayako_ldap.php): failed to open stream: Permission denied in /var/www/ldap.php on line 28 Warning: include(): Failed opening '/var/www/ldap/kayako_ldap.php' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/ldap.php on line 28 Fatal error: Class 'Kayako_LDAP' not found in /var/www/ldap.php on line 90

ok so i just did a 777 on everything in the directory where kayako and all the ldap auth files are stored and its now writing log files and ldap.html is working like it should. seems to be a permissions issue somewhere. I will figure out where after I get a working test up and running

so my next question is, what is the correct login name that a user or staff should use? What exactly is it querying AD for? Email address, samAccountName?

The correct login is simply their AD username (without the suffix) and password. It only queries their info when they authenticate.

Ok. So i have tried username and password. The page returns "invalid username or password" the log reads as follows:

[06-21-12 - 13:45] ldap_account_suffix: '@si.lan'
[06-21-12 - 13:45] ldap_base_dn: 'DC=si,DC=lan'
[06-21-12 - 13:45] ldap_domain_controllers: array (
0 => '10.1.132.5',
)
[06-21-12 - 13:45] KAYAKO_LDAP_TEST: true
[06-21-12 - 13:45] Authenticated: true
[06-21-12 - 13:45] Type: Empty
[06-21-12 - 13:45] No special user restrictions, user logged in
[06-21-12 - 13:45] Session End

Is that all the log says? Because as you can see from the second to last line, it logs you in. Are you still in test mode?

i have tried both in test mode and with test mode set to false. yes, thats the only output in the log. There is nothing else. I do not get logged in either and thats the part that is really confusing. the log says successful, the website says its not.

the staff page returns "Invalid data provided:5"

Test mode doesn't let you login, it just will show you information on the page. So if you are trying to login with Kayako you want to turn it off.

If you are getting Invalid data provided:5 then that means something in PHP is causing an error which is causing your XML to screw up. You can test that by using the html file provided and switch it to staff

here is the output from the test: (*=placeholder for censored data)

<loginshare>
<result>1</result>
<user>
<usergroup>Registered</usergroup>
<fullname>A***** P****</fullname>
<designation>IT</designation>
<emails>
<email>a****@si.lan</email>
</emails>
<phone>3**-2**-4****</phone>
</user>
</loginshare>

The lack of native AD authentication in this product really amazes me. It really limits the use of it to anyone that is willing to take the time to populate an entire user base by hand. I appreciate all the help you are providing Technocrat and hopefully we can figure this stuff out.

Ok I got the customer side of the auth working. Figured our there was another place you have to tell the software to use LoginShare, Templates>Groups>Default

So i can login to the customer side of the portal. The staff side still fails with the invalid data error

Once you get this working it works well. Its just the initial setup. If you dont follow all the steps laid out in the wiki then you can run into issues.

Was the XML you posted from the staff? Did you enable login share for the staff per the directions on the wiki?
http://forge.kayako.com/projects/ad-ldap-authenticator/wiki/Setup

I'm super close to getting this off the ground but can't get around this last bit. I think I'm missing something.
The ldap.html works just great, outputs as I'd expect, and logs correctly!

But modifying config.php into test mode (and supplying the same user/pass) I only get errors in the log

Code:

[06-21-12 - 23:13] UNKNOWN: [2] ldap_bind(): Unable to bind to server: Invalid credentials

And consequently, Kayako is only giving me Invalid data provided: 1 And the dashboard's error log reads "empty data received for user loginshare plugin".

Works for the test, but fails everywhere else. Sadface. Any help would be GREATLY appreciated!