PHP AD LDAP Authenticator

Discussion in 'LoginShare' started by koltzc, Oct 20, 2010.

Thread Status:
Not open for further replies.
  1. DXS

    DXS New Member

    It would appear that you need to go to each template group and enable loginshare. Not just globally in the settings.
     
  2. DXS

    DXS New Member

    Is there a way to accomplish the following?

    Have Kayako check active directory first for a username and password, if the user isn't there, have it then check the kayako database for the user, and finally if not there then show the invalid username and password error?

    We would like our employees and staff members to use the login share, but would prefer not to have our customers cluttering up our active directory.

    Matt
     
  3. DXS

    DXS New Member

    Does anyone have an idea how we can work this?

    The register page on Kayako is useless to us now, because even though users can create their own accounts, they cannot login to them when using the PHP AD LDAP loginshare.

    How hard would it be to add an additional set of functions to adLDAP.php so that, if a user request fails via the loginshare, it attempts to pull data from the local Kayako database?

    Anyone?
     
  4. Krafty

    Krafty Established Member

    Could anybody tell me why I'm able to get the staff login working and not the user? Here's my code:

    PHP:
    <?php
    $adminGroup = "Kayako-Administrator";
    $staffGroup = "Kayako-Staff";

    // Escape an AD attribute value before placing it in XML text. An unescaped
    // '&' or '<' in a title, name or signature makes simplexml_load_string() fail.
    function xmlText($value)
    {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }

    function getRealIpAddr()
    {
        // HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are request headers and can be
        // set by the client; only REMOTE_ADDR comes from the TCP connection.
        if (!empty($_SERVER['HTTP_CLIENT_IP']))   // check ip from shared internet
        {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        }
        elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))   // check ip passed on by a proxy
        {
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        }
        else
        {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }

    include './adLDAP.php';
    $adldap = new adLDAP();
    $username = isset($_POST["username"]) ? $_POST["username"] : '';
    $password = isset($_POST["password"]) ? $_POST["password"] : '';
    $ipaddress = getRealIpAddr();
    $authUser = $adldap->authenticate($username, $password);
    $authAdminGroup = $adldap->user_ingroup($username, $adminGroup);
    $authStaffGroup = $adldap->user_ingroup($username, $staffGroup);
    $attributes = array("givenname", "sn", "title", "mail", "mobile", "info");

    // Authenticated but in neither group: an ordinary user login.
    if ($authUser == true && $authStaffGroup == false && $authAdminGroup == false) {
        session_start();
        $_SESSION["username"] = $username;
        $userinfo = $adldap->user_info($username, $attributes);
        echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
        echo "<loginshare>";
        echo "  <result>1</result>";
        echo "  <user>";
        echo "  <usergroup>Registered</usergroup>";
        echo "   <fullname>".xmlText($userinfo[0]["sn"][0]." ".$userinfo[0]["givenname"][0])."</fullname>";
        echo "   <designation>".xmlText($userinfo[0]["title"][0])."</designation>";
        echo "   <emails>";
        echo "   <email>".xmlText($userinfo[0]["mail"][0])."</email>";
        echo "   </emails>";
        echo "  <phone>".xmlText($userinfo[0]["mobile"][0])."</phone>";
        echo "  </user>";
        echo "</loginshare>";
    }

    // Authenticated and in the administrator group: staff login, Administrator team.
    else if ($authAdminGroup == true && $authUser == true && $authStaffGroup == true) {
        session_start();
        $_SESSION["username"] = $username;
        $userinfo = $adldap->user_info($username, $attributes);
        echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
        echo "<loginshare>";
        echo "  <result>1</result>";
        echo "  <staff>";
        echo "          <firstname>".xmlText($userinfo[0]["givenname"][0])."</firstname>";
        echo "          <lastname>".xmlText($userinfo[0]["sn"][0])."</lastname>";
        echo "          <designation>".xmlText($userinfo[0]["title"][0])."</designation>";
        echo "          <email>".xmlText($userinfo[0]["mail"][0])."</email>";
        echo "          <mobilenumber>".xmlText($userinfo[0]["mobile"][0])."</mobilenumber>";
        echo "          <signature>".xmlText($userinfo[0]["info"][0])."</signature>";
        echo "          <team>Administrator</team>";
        echo "  </staff>";
        echo "</loginshare>";
    }

    // Authenticated and in the staff group only: staff login, Staff team.
    else if ($authStaffGroup == true && $authUser == true && $authAdminGroup == false) {
        session_start();
        $_SESSION["username"] = $username;
        $userinfo = $adldap->user_info($username, $attributes);
        echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
        echo "<loginshare>";
        echo "  <result>1</result>";
        echo "  <staff>";
        echo "          <firstname>".xmlText($userinfo[0]["givenname"][0])."</firstname>";
        echo "          <lastname>".xmlText($userinfo[0]["sn"][0])."</lastname>";
        echo "          <designation>".xmlText($userinfo[0]["title"][0])."</designation>";
        echo "          <email>".xmlText($userinfo[0]["mail"][0])."</email>";
        echo "          <mobilenumber>".xmlText($userinfo[0]["mobile"][0])."</mobilenumber>";
        echo "          <signature>".xmlText($userinfo[0]["info"][0])."</signature>";
        echo "          <team>Staff</team>";
        echo "  </staff>";
        echo "</loginshare>";
    }

    // Anything else (bad credentials, unknown user) is reported as a failure.
    else
    {
        echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>";
        echo "<loginshare>";
        echo "  <result>0</result>";
        echo "  <message>Invalid Username or Password</message>";
        echo "</loginshare>";
    }

    ?>
     
  5. ryanjcanning

    ryanjcanning Member

    Hi Everyone,

    I am getting the same issue as a few people in this forum:
    [Warning]: simplexml_load_string() [function.simplexml-load-string]: Entity: line 98: parser error : Entity 'raquo' not defined (LoginShare/class.SWIFT_LoginShareStaff.php:115)
    Any help would be greatly appreciated.

    Cheers
    Ryan
     
  6. sem

    sem Member

    Hi. Recently upgraded to v4 and used this LoginShare for users - all fine, but I was getting random users having trouble logging in - this error kept showing up:
    [Warning]: simplexml_load_string(): Entity: line 1: parser error : xmlParseEntityRef: no name (LoginShare/class.SWIFT_LoginShareUser.php:113)

    Turns out that it wasn't random users - the ones who couldn't authenticate all had '&' in their title/designation in AD. So changing "Learning & Development" to "Learning and Development" in AD solved the problem.

    hope this helps some people.

    sem
     
  7. Francisco Gomez

    Francisco Gomez New Member

    Hello,

    I am in the same situation you were in right now. I really don't want to have my users use their full domain details. I'm curious if you have figured out a solution for this?
     
  8. Gary McGrath

    Gary McGrath Staff Member

    Krafty, did you go into your default template group (or the appropriate group) and actually enable loginshare on the template? (This was new in .240: each template can have its own loginshare settings, so you need to enable it per template as well as in the admin CP.)

    Gary
     
  9. Gary McGrath

    Gary McGrath Staff Member

    If you don't mind a hacky solution, you could simply code your loginshare to "try each domain prefix" and hard code each domain you have. It would not be ideal, but it would certainly work and let your users avoid having to enter domain information.

    Gary
     
  10. Francisco Gomez

    Francisco Gomez New Member

    I think I'm just going to add another field for the users to select their domain prefix and use the global catalog server for authentication.
     
  11. Francisco Gomez

    Francisco Gomez New Member

    Another problem has now occurred: when I do use user@subdomain.domain.local I get this error:
    Invalid data provided: No Emails

    Any input on this error? If I use user@domain.local, the authentication works...
     
  12. Krafty

    Krafty Established Member

    Once again Gary, thanks. You hit that one on the head. Works perfect now. :)
     
  13. Gary McGrath

    Gary McGrath Staff Member

    Excellent :D glad to help

    Gary
     
  14. Francisco Gomez

    Francisco Gomez New Member

    Can you please post some sample code on how to do this. I've gotten this to work for one subdomain, but not all of my subdomains.

    Thanks in advance!
     
  15. Casey E

    Casey E Member

    After a lot of pain and suffering, I finally got this working!!! :)

    I have two questions, though...

    I would like to save the user's username as part of their profile. For example, I created a user profile field in Kayako and called it 'username', and I would like this to be their active directory username. Is there any way to add this to the xml file, and then have Kayako automatically update its records?

    Second, I'm having difficulty getting the user's phone number into Kayako. The XML file that gets returned by adLDAP looks like this:


    Code:
    Array
    (
        [count] => 1
        [0] => Array
            (
                [telephonenumber] => Array
                    (
                        [count] => 1
                        [0] => 123-1234
                    )

                [0] => telephonenumber
                [displayname] => Array
                    (
                        [count] => 1
                        [0] => Eyr, Casey
                    )

                [1] => displayname
                [memberof] => Array
                    (
                        [count] => 4
                        [0] => CN=Dept - Durham & Pettee Offices,OU=DistList,OU=Exchange,DC=ad,DC=unh,DC=edu
                        [1] => CN=Dept - All Members,OU=DistList,OU=Exchange,DC=ad,DC=unh,DC=edu
                        [2] => CN=Global.Mailing,OU=DistList,OU=Exchange,DC=ad,DC=unh,DC=edu
                        [3] => CN=Domain Users,CN=Users,DC=ad,DC=unh,DC=edu
                    )

                [2] => memberof
                [department] => Array
                    (
                        [count] => 1
                        [0] => Our Department Here
                    )

                [3] => department
                [primarygroupid] => Array
                    (
                        [count] => 1
                        [0] => 513
                    )

                [4] => primarygroupid
                [objectsid] => Array
                    (
                        [count] => 1
                        [0] => ÛëP)œ‚‹¦(Ó²
                    )

                [5] => objectsid
                [samaccountname] => Array
                    (
                        [count] => 1
                        [0] => abc123
                    )

                [6] => samaccountname
                [mail] => Array
                    (
                        [count] => 1
                        [0] => myemailaddresshere@unh.edu
                    )

                [7] => mail
                [count] => 8
                [dn] => CN=Eyr\, Casey,OU=People,DC=ad,DC=unh,DC=edu
            )

    )

    I changed the lines with the phone number in the ldap.php file provided by koltzc to this:

    Code:
    echo "          <usergroup>Registered</usergroup>\n";
    echo "          <fullname>".$userinfo[0]["displayname"][0]."</fullname>\n";
    echo "                <designation>".$userinfo[0]["title"][0]."</designation>\n";
    echo "          <emails>\n";
    echo "                  <email>".$userinfo[0]["mail"][0]."</email>\n";
    echo "          </emails>\n";
    echo "          <phone>".$userinfo[0]["telephonenumber"][0]."</phone>\n";
    echo "  </user>\n";
    echo "</loginshare>\n";

    But it's still not working... any ideas why that's the case?
     
  16. Casey E

    Casey E Member

    I answered the second part of my question - I just needed to edit this line:

    Code:
    $userinfo=$adldap->user_info($username, array("displayname","title","mail","telephone"));

    to be

    Code:
    $userinfo=$adldap->user_info($username, array("displayname","title","mail","telephonenumber"));

    Still not sure how to address the first part of the problem though. Thoughts?
     
  17. mross

    mross New Member

    Just got this working finally!!! The server is running linux. Here's what I did:

    1. In active directory, I made sure that users had First, Last, Display Name, Description, Office, Telephone Number, and E-mail on General Settings, and Job Title, Department, and Company on the Organization tab (not all was necessary, but better to have more than enough)
    2. Downloaded files and used WinSCP to copy both files to the same directory on server (/srv/www/htdocs)
    3. Edited adLDAP.php:

    protected $_account_suffix = "@local.example.com";
    protected $_base_dn = "DC=local,DC=example,DC=com";
    protected $_ad_username = "administrator";
    protected $_ad_password = "password";

    I left everything else default.

    4. Logged in to Kayako admin interface and went to Users (at the top) > LoginShare

    Enable User LoginShare = Yes
    User LoginShare URL = http://helpdesk.example.com/ldap.php

    Now it works!!

    Remember to use ldap.php in the LoginShare URL field, and not adLDAP.php. I was doing that and it would return an error:1
    When the URL was not pointing to the script correctly, I kept getting an error:2

    Hope this helps!
     
  18. s_110_z

    s_110_z New Member

    Hi everyone,

    I checked all threads in this topic but I also get the following error:

    [Warning]: simplexml_load_string() [function.simplexml-load-string]: Entity: line 2: parser error : Extra content at the end of the document (LoginShare/class.SWIFT_LoginShareUser.php:113)

    And after debugging I got these messages:

    ------------------------------------------------------------------------------------
    Message 1:
    From apache@localhost.localdomain Thu Aug 11 09:58:15 2011
    Date: Thu, 11 Aug 2011 09:58:15 +0430
    From: Apache <apache@localhost.localdomain>
    To: root@localhost.localdomain
    Subject: Kayako debug 1 of 2

    Username received by post: user
    IP address: 172.20.255.15successfulsuccessfulsuccessful

    &
    Message 2:
    From apache@localhost.localdomain Thu Aug 11 09:58:15 2011
    Date: Thu, 11 Aug 2011 09:58:15 +0430
    From: Apache <apache@localhost.localdomain>
    To: root@localhost.localdomain
    Subject: Kayako debug 2 of 2

    array (
      'count' => 1,
      0 =>
      array (
        'sn' =>
        array (
          'count' => 1,
          0 => 'user2',
        ),
        0 => 'sn',
        'givenname' =>
        array (
          'count' => 1,
          0 => 'user1',
        ),
        1 => 'givenname',
        'objectsid' =>
        array (
          'count' => 1,
          0 => '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��\\pg�R
    ��' . "\0" . '' . "\0" . '',
        ),
        2 => 'objectsid',
        'mail' =>
        array (
          'count' => 1,
          0 => 'user@testdomain.com',
        ),
        3 => 'mail',
        'count' => 4,
        'dn' => 'CN=user user,OU=testou1,OU=testou2,DC=testdomain,DC=com',
      ),
    )

    ------------------------------------------------------------------------------------

    Please help me :(
    Thanks
     
  19. jlc

    jlc Established Member

    All,

    I'm using the script provided and it works great authenticating different AD groups.
    The problem that I'm having, and hoping I can get resolved, is that our AD gets updated by HR, and if a + or space is added it breaks the login.

    How can we exclude the loginshare from requiring telephone numbers and/or other attributes?
    We cannot exclude them from the HR update, as some are needed for international calling options on our mobile devices, so it must be done from Kayako.

    Any urgent help is appreciated.
     
  20. Gary McGrath

    Gary McGrath Staff Member

    I believe Koltzc actually has a different version of his ldap authenticator you can pay for which will avoid errors such as usernames with spaces etc., you should send him a private message :)

    RE making loginshare not require a telephone number: rather than trying to hack the Kayako loginshare, it's probably easier to just get Koltzc to simply assign a default telephone number (as in a static one) to all users. Then you're not looking it up in AD :)

    Gary
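Three failures reported in this thread come from the way the script turns AD attributes into the response: sem's '&' in a designation, s_110_z's "Extra content at the end of the document" (debug text echoed alongside the XML), and jlc's '+' or space in a telephone number. The following is an added example, not koltzc's ldap.php and not Kayako code, of building the user response so none of those can break Kayako's parse; the digit-only phone normalisation and the static default number are assumptions, and the sample attribute values are constructed.

```php
<?php
// Added example, not koltzc's ldap.php or Kayako code: build the LoginShare
// <user> reply with XMLWriter so AD values are escaped and nothing but the XML
// document is sent. Element names follow the thread; phone handling is assumed.

function loginshareUserXml(array $a, $defaultPhone = '0000000000')
{
    $w = new XMLWriter();
    $w->openMemory();
    $w->startDocument('1.0', 'UTF-8');
    $w->startElement('loginshare');
    $w->writeElement('result', '1');
    $w->startElement('user');
    $w->writeElement('usergroup', 'Registered');
    // writeElement() escapes &, < and >, so "Learning & Development" parses.
    $w->writeElement('fullname', trim($a['givenname'] . ' ' . $a['sn']));
    $w->writeElement('designation', isset($a['title']) ? $a['title'] : '');
    $w->startElement('emails');
    $w->writeElement('email', $a['mail']);
    $w->endElement();
    // Keep digits only; if none remain, send a static default (Gary's
    // suggestion) instead of passing "+" or spaces from HR's data to Kayako.
    $phone = isset($a['mobile']) ? preg_replace('/\D/', '', $a['mobile']) : '';
    $w->writeElement('phone', $phone !== '' ? $phone : $defaultPhone);
    $w->endElement(); // user
    $w->endElement(); // loginshare
    $w->endDocument();
    return $w->outputMemory();
}

// Constructed sample; in ldap.php these come from $userinfo[0]["mail"][0] etc.
$sample = array('givenname' => 'Casey', 'sn' => 'Eyr',
    'title' => 'Learning & Development', 'mail' => 'user@example.com',
    'mobile' => '+1 603 555 0100');
$xml = loginshareUserXml($sample);
// Parse it as Kayako will; report problems with error_log(), never echo them,
// or the parser fails with "Extra content at the end of the document".
if (simplexml_load_string($xml) === false) {
    error_log('LoginShare: response is not well-formed XML');
    exit(1);
}
header('Content-Type: text/xml; charset=UTF-8');
echo $xml;
```

The same XMLWriter approach applies to the staff branch: every value from user_info() goes through writeElement(), and any debugging goes to error_log() rather than the response body.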
     