http passthru

Could someone explain to me how HTTP Passthru is supposed to work? Maybe my expectations are not correct. I have ldap enabled, which does work. I was expecting to see the user not prompted to login if passthru was enabled. Using the latest v1.9.4-rc2.  IIS

Thanks!

Matthew

Comments

  • @Chefkeks I think that you can give a better description of this since you all are doing it (and I still need to set it up here).
  • Yes, will give a detailed answer tomorrow ;)
  • So, sorry for the delay but was a bit hectic here.

    Using the auth-passthru plugin basically works like this:

    - You create an osTicket user / staff account by typing the username of the AD/LDAP user into the field "username". In osTicket a dropdown list should now appear with all usernames matching the search of LDAP users. Select the username you would like to add, and the info like "username", "firstname", "lastname" etc. should be pulled automatically from LDAP. As auth backend select "any backend".

    - This first step is important since this needs to work so that you know osTicket LDAP search / auth is properly configured! If you don't see a dropdown list appearing, something is wrong with the LDAP search.

    - You install and enable the auth-passthru plugin itself, and you enable the options for staff and/or client auth inside the plugin.

    - Now you need to configure your webserver so that the authentication is done by your webserver. We use Apache here, so I can't tell you exactly how SSO works with IIS, but I guess there are several tutorials to get SSO working with an IIS webserver either here at the forum or on the world wide web ;) Basically you need to tell the webserver to use SSO for the address / directory where your osTicket installation resides.

    - Another important step: Make sure SSO is working and you get authenticated against the webserver with your Windows user account and don't get asked for your password or get any other kind of error.

    - The webserver should now pass the SSO authentication through to osTicket, which checks if the user account that was given by the webserver also exists in the osTicket database and, if yes, automatically logs the user into osTicket. Works great for staff; for users it also works, but they need to click on the "Sign In" button at the user portal. To fix this we created a little index.html in the root dir of the webserver that redirects the user to the sub-dir with osTicket inside and does an auto-login by calling the login.php in the background before redirecting.

    - That way, with the registration method "public" and "allow to register for everyone" (if I remember correctly), the user account gets automatically created! :D Even if the user enters the ticket system (website) for the first time - great thing! :D
    Since registration method is set to public and we'd like to avoid that some users register an account, we simply added a redirect for several pages. Here is the Apache config for that, which should help you even though you're on IIS:
    RewriteEngine On
    RedirectMatch ^/osticket/view.php$ /osticket/tickets.php
    RedirectMatch ^/osticket/account.php$ /osticket/tickets.php


    Here is the content of that file if you like to use it too:



    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
           "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    <title>osTicket @ YOUR COMPANY</title>
    </head>
    <body>
    
    <!-- Load osticket/login.php in background (silent login) -->
    <!-- Redirect to osticket/index.php afterwards -->
    <script type="text/javascript">
    window.onload = function() {
        var login = new XMLHttpRequest();
        login.open('GET', 'osticket/login.php', false);
        login.send(null);
        location.href = 'osticket/index.php';
    };
    </script>
    
    <!-- In case redirection fails, show instructions for users -->
    <h1>Welcome to the Support Center</h1>
    <h2>Signing you in, so please wait a few seconds...<br><br>You will be redirected automatically...</h2>
    <h3>In case redirect does not work:<br><br><a href="osticket/index.php">Support Center</a></h3>
    
    
    </body>
    </html>

  • @Chefkeks What guide did you follow to get Apache SSO working on your webserver?
  • @Energy

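    I used the following guide to get Apache SSO working on my webserver and it worked like a charm: http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/

    Before, I had tried some other guides, but that one worked best and also has a section on what errors can happen and how to fix them ;)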
  • @Chefkeks 

    I have LDAP Auth Plugin working, as it validates my username/password for me to gain access. But, I'm concerned that I can't get osTicket to "search" for a username as you suggest. Under the Admin panel, when I click on "Add New Staff", no drop down is generated for me to select a new user. Any ideas?
  • @ppasquin

    Please do not hijack this thread and instead start a new discussion regarding your issue and include some more information about your osTicket installation and environment: http://osticket.com/forum/discussion/77766/please-read-before-requesting-assistance#latest

    Thank you.
  • How can I use this plugin to pass the username from my CMS to the osTicket system and auto login?
  • @afandino
    Quoting myself:

    Please do not hijack this thread and instead start a new discussion regarding your issue and include some more information about your osTicket installation and environment: http://osticket.com/forum/discussion/77766/please-read-before-requesting-assistance#latest

    Thank you.
  • I'm reading about this as it might be that I need the same solution.

    Do I still need to create each user first using the drop down in OST or will this be done automatically?

    I actually need to be able to just log in a user that is recognized in the LDAP server and "automatically" created. SSO is not needed directly here for me.
  • Our solution with SSO does it automatically.

    Not sure whether only LDAP will do it automatically too - just give it a try ;)
  • OK, but what do I need outside of SSO. My default LDAP install doesn't.
  • edited March 2015
    > Our solution with SSO does it automatically. Not sure whether only LDAP will do it automatically too - just give it a try ;)


    I just looked at your solution but that doesn't create the user by default, so some dev should have been done.
  • If I remember correctly it does not work only with LDAP, so SSO does the trick that the account will be automatically created without any manual action and maybe the registration options are playing another important role. So... What registration method do you use and have you set registration as required or not?
  • Here's a little update for the index file. Needs now to be saved as index.php and included in the kerberos / sso config of the web server.
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
           "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    <title>osTicket @ Your Company</title>
    </head>
    <body>
    
    <!-- In case redirection fails, show instructions for users -->
    <h1>Welcome to the Support Center</h1>
    <h2>Signing you in, please wait a few seconds.<br>You will be redirected automatically...</h2><br><br>
    <h1>In case redirect does not work:<br></h1>
    <h1><a href="osticket/index.php">Support Center</a></h1>
    
    <?php
    // Get username from webserver using REMOTE_USER.
    // REMOTE_USER is only set when this file is covered by the web server's
    // SSO config, so fall back to an empty string instead of raising a notice.
    $usernameATdomain = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';

    // Separate username and domain - method: split after @ symbol.
    // If there is no @ (realm already stripped), use the value as it is.
    $ATposition = strpos($usernameATdomain, "@");
    $username = ($ATposition === false)
            ? $usernameATdomain
            : substr($usernameATdomain, 0, $ATposition);
    
    // Alternative method:
    // Separate username and domain - method: using domain array
    //$domain = array('@DOMAIN.COM' => '');
    //$username = $_SERVER['REMOTE_USER'];
    //$username = strtr($username, $domain);
    
    // Assume user is not an agent unless the lookup below finds a match
    $is_agent = 0;

    // Make sure username has a value before querying database
    if (!empty($username))
    {
            // MySQL connection settings - readonly account recommended:
            // CREATE USER 'osticket-readonly'@'localhost' IDENTIFIED BY 'PASSWORD';
            // GRANT SELECT (username) ON osticket.ost_staff TO 'osticket-readonly'@'localhost';
            define('DBHOST','localhost');
            define('DBNAME','osticket');
            define('DBUSER','osticket-readonly');
            define('DBPASS','PASSWORD');
    
            // Connect to database
            $mysqli = new mysqli(DBHOST, DBUSER, DBPASS, DBNAME);
    
            // Check for connection errors
            if (!$mysqli->connect_errno)
            {
                    // Query ost_staff table for REMOTE_USER username.
                    // Bound parameter and exact match: the username never becomes
                    // part of the SQL text and "_" / "%" are not treated as wildcards.
                    $stmt = $mysqli->prepare("SELECT username FROM ost_staff WHERE username = ?");
                    if ($stmt)
                    {
                            $stmt->bind_param('s', $username);
                            $stmt->execute();
                            $stmt->store_result();
                            $is_agent = $stmt->num_rows;
                            $stmt->close();
                    }
            }
    }
    ?>
    
    <!-- Load login.php in background for silent login -->
    <script type="text/javascript">
    window.onload = function() {
            var login = new XMLHttpRequest();
            login.open('GET', 'osticket/login.php', false);
            login.send(null);
    };
    </script>
    
    <?php
    // Username found in the ost_staff table?
    // YES --> 1 --> Agent          --> Redirect to scp after timeout
    // NO  --> 0 --> User           --> Redirect to end user portal
    if ($is_agent == "1")
    {
            ?>
    
            <!-- Redirect to scp after timeout, 1000 = 1 second -->
            <script type="text/javascript">
            setTimeout('location.href = "osticket/scp/"', 5000);
            </script>
    
            <?php
    }
    else
    {
            ?>
    
            <!-- Redirect to end user portal -->
            <script type="text/javascript">
            location.href = "osticket/open.php";
            </script>
    
            <?php
    }
    
    ?>
    
    </body>
    </html>
  • edited May 2015
    Hi, I don't know if this will help anyone, but just in case, here's what I found to work.

    I was trying to get osTicket to create accounts automatically when a user (client) signed in with their AD creds without any additional work needed for the agents. I read through all the guides I could find, and had ldap-auth & http passthrough working (they were not giving errors), but my users still couldn't log straight in! If I created the account manually and selected AD/LDAP as the auth backend, the users could then log in with their AD credentials, but that wasn't going to help a business with 500+ staff!

    After sifting through tutorials and php libraries for days, I finally re-read this post, and noticed the following from @Chefkeks:
    > If I remember correctly it does not work only with LDAP, so SSO does the trick that the account will be automatically created without any manual action and maybe the registration options are playing another important role. So... What registration method do you use and have you set registration as required or not?

    I didn't think it would help, but I tried changing the setting so that it was Public rather than Private, and boom, accounts are automatically created when staff log in for the first time!


    It was so simple that I didn't even think of it, of course clients need to be able to create accounts (register) themselves for this to work!


    Hope this helps someone who is in a similar bind. Sorry if it has been stated a million times before!
  • edited May 2015
    @srussell
    Glad you got it working finally!

    I edited your post to emphasize the important change a bit more, hope that's ok ;)
  • > @srussell Glad you got it working finally! I edited your post to emphasize the important change a bit more, hope that's ok ;)

    Of course :)
  • We are trying to configure auth passthru with osticket v1.9.5.1 on CentOS 7.1 and PHP version.  The webserver is joined to AD using realmd and I can log into the webserver using my AD creds.  Looking on the osticket side, when I add users we can type in the first few letters of their username and it pulls AD info automatically, so I know LDAP is working; we just aren't sure why the passthru isn't.

    Any direction or assistance would be appreciated. 

  • > We are trying to configure auth passthru with osticket v1.9.5.1 on CentOS 7.1 and PHP version.  The webserver is joined to AD using realmd and I can log into the webserver using my AD creds.  Looking on the osticket side, when I add users we can type in the first few letters of their username and it pulls AD info automatically, so I know LDAP is working; we just aren't sure why the passthru isn't.  Any direction or assistance would be appreciated.

    Didn't finish my thought.  PHP version is 5.5.25
  • Users can also log in with their AD creds to view ticket status, post replies, etc... by clicking the sign in link in the upper right of the splash page.
  • >CentOS 7.1
    Are you running SELinux?
    If so, try disabling it and see what happens.  If it works then you are running afoul of an SELinux rule.
  • We are not.  sestatus is disabled
  • @CBIIT
    Sorry for late response, but in your case, I'd look at the log files of apache. Maybe change loglevel to debug ;)

    Besides, you can try to set up a directory protected with SSO login and try to log in there. If that works, osTicket should work too.

    Also maybe your apache config regarding SSO would be helpful.
  • > @Energy I used the following guide to get Apache SSO working on my webserver and worked like a charm: http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/ Before I had tried some other guides, but that one worked best and also has a section what errors can happen and how to fix them ;)

    The link is not working. Please give us another one if possible. Thanks!
  • @Zholaman
    Works fine here. I attached 5 screenshots showing the whole instructions from the linked page.

    Cheers,
    Michael
  • In addition, since the screenshots cannot be scrolled:

    ktpass -princ HOST/webserver.yourdomain.com@YOURDOMAIN.COM -mapuser tukerberos@YOURDOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass Kerber0s -out c:\krb5.keytab
    ktpass -princ HTTP/webserver.yourdomain.com@YOURDOMAIN.COM -mapuser tukerberos@YOURDOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass Kerber0s -out c:\krb5.keytab -in c:\krb5.keytab

    webserver:~# ktutil
    ktutil:  addent -password -p HOST/webserver.yourdomain.com@YOURDOMAIN.COM -k 18 -e rc4-hmac
    Password for HTTP/webserver.yourdomain.com@YOURDOMAIN.COM: Kerber0s
    ktutil:  addent -password -p HTTP/webserver.yourdomain.com@YOURDOMAIN.COM -k 18 -e rc4-hmac
    Password for HTTP/webserver.yourdomain.com@YOURDOMAIN.COM: Kerber0s
    ktutil:  wkt /etc/krb5.keytab
    ktutil:  q
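
The web-server side of the setup described in this thread, as an added example that is not part of any post here: an Apache 2.2 configuration that puts both the root index.php and the osTicket directory behind Kerberos SSO. It assumes mod_auth_kerb is the SSO module, that /var/www is the document root and that osTicket lives in /var/www/osticket; the realm and keytab path are the placeholders used in the posts above.

```apache
# Added example (assumptions: mod_auth_kerb loaded, docroot /var/www,
# osTicket in /var/www/osticket). Not taken from the linked guide.

# Cover the whole document root so that the index.php redirect page AND
# osTicket itself are authenticated. A PHP file outside an authenticated
# directory gets no REMOTE_USER at all, and auth-passthru has nothing to trust.
<Directory "/var/www">
    AuthType Kerberos
    AuthName "osTicket single sign-on"

    # Realm and keytab as created with ktpass / ktutil.
    # Keep the keytab readable only by root and the Apache user:
    # whoever can read it can impersonate the HTTP service.
    KrbAuthRealms YOURDOMAIN.COM
    KrbServiceName HTTP
    Krb5KeyTab /etc/krb5.keytab

    # Accept SPNEGO/Negotiate tickets from the browser ...
    KrbMethodNegotiate On
    # ... and do not fall back to a Basic password prompt, which would send
    # the AD password to the web server on every request.
    KrbMethodK5Passwd Off

    # Optional: strip "@YOURDOMAIN.COM" so REMOTE_USER is the bare username.
    # Left off here because the index.php in this thread splits at "@" itself.
    #KrbLocalUserMapping On

    # No anonymous access: every request must carry a valid ticket.
    Require valid-user
</Directory>

# Redirects from the thread: keep clients away from the self-registration
# and account pages while the registration method is "public".
RedirectMatch ^/osticket/view.php$ /osticket/tickets.php
RedirectMatch ^/osticket/account.php$ /osticket/tickets.php
```

With this in place, a quick check is a one-line PHP file in the protected directory that prints `$_SERVER['REMOTE_USER']`; an empty result means the request never went through the Kerberos block.
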
  • Hi,

    Can this be done on windows+wamp environment ?
  • I have an error in my Apache log
    [Thu Jul 16 11:57:39 2015] [error] [client 192.168.14.20] PHP Notice:  Undefined index: REMOTE_USER in /var/www/index.php on line 18, referer: http://osticket/open.php

    But I can't see where I have made a mistake.
  • edited July 2015
    Another error.
    root@osTicket:~# kinit -k -t /etc/krb5.keytab

    kinit: Client 'host/osticket.diakonissen.local@DIAKONISSEN.LOCAL' not found in Kerberos database while getting initial credentials

    Dunno if this helps, but wbinfo seems to be working at least.

    root@osTicket:~# wbinfo -t
    checking the trust secret for domain DIAKONISSEN via RPC calls succeeded
    root@osTicket:~#

    Info about my system.
    Server Information
    osTicket Version: v1.9.9-1-gbe2f138 (be2f138)
    Web Server Software: Apache/2.2.22 (Debian)
    MySQL Version: 5.5.43
    PHP Version: 5.4.39-0+deb7u2
    PHP Extensions
    gdlib: Used for image manipulation and PDF printing
    imap: Used for email fetching
    xml: XML API
    xml-dom: Used for HTML email processing
    json: Improves performance creating and processing JSON
    mbstring: Highly recommended for non western european language content
    phar: Highly recommended for plugins and language packs
    fileinfo: Used to detect file types for uploads
