osTicket 1.8.1 - How to configure the LDAP Authentication and Lookup plugin
With the release of osTicket version 1.8.1ST and, of course, the first three official plugins, many people have been curious how to install and configure them. This is especially true of the auth-ldap plugin. I've written a lot of responses on the forums, and thought that it might be good to actually collect some of the better snippets and put them in one place. So here is that place. As a side note, I run Active Directory, so this article is probably slanted towards that usage.
- Download the auth-ldap plugin from either github.com or osticket.com. If you get it from GitHub, copy the ldap-auth directory into your /plugins directory. If you get it from osticket.com, put the auth-ldap.phar in the /plugins/ldap-auth directory.
Note: I have seen several complaints about the .phar file on the forums and recommend that you simply get the latest version from GitHub.
- Log into your osTicket installation and go to Admin panel -> Manage -> Plugins.
- Click "Add New Plugin" in the upper right.
- Click the Install button to the left of "LDAP Authentication and Lookup".
- Click on "LDAP Authentication and Lookup".
- Fill out the settings in a manner that reflects your AD/LDAP server. Here's how I configured mine.
Default domain: the FQDN of your domain. In my configuration it's corp.SHORTDOMAINNAME.local.
DNS Servers: your DNS server. I use the IP address for ours.
LDAP Servers: I put two entries in here, but you really only need one. I personally entered the IP address of my AD server, and the FQDN of my AD server. (The FQDN of your AD server should be SERVERNAME.corp.SHORTDOMAINNAME.local.)
Use TLS: I did not check this. You may have to, depending on what version of AD you're running.
Search User: a username that has lookup rights in AD. I had to use SHORTDOMAINNAME\username here to get it to bind right.
Password: the account's password.
Search Base: I don't think that this is necessary, but I was playing with it a little. Currently I have this set to:
LDAP Schema: I have selected "Microsoft Active Directory".
- Click the Save Changes button.
- Up top in the menu bar click "Plugins".
Tick the check box to the left of "LDAP Authentication and Lookup" and then click the Enable button.
- Now that you have installed, configured, and enabled the plugin, you have to give your users permission to use the authentication backend.
Go to Admin panel -> Staff -> Staff Members
Click on the staff member that you want to be able to log in and change "Authentication Backend" to "Active Directory or LDAP". Once you have done that, scroll down and click "Save Changes".
Note: Yes, even though it's already set to "- Use any available backend -", it does not properly try AD/LDAP first and then fall back to local authentication.
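The values entered in the settings step (LDAP server, Use TLS, search user, search base) can be checked from the osTicket host before they go into the form. The script below is an added example, not part of the plugin or of the original article. It assumes the OpenLDAP `ldapsearch` client is installed and that the "Use TLS" box corresponds to StartTLS on the standard LDAP port; every hostname, account and DN used with it is a placeholder.

```shell
#!/bin/sh
# Added example: pre-flight check of the values typed into the plugin form.
# Hostnames, accounts and DNs passed to these functions are placeholders.

# "Default domain" -> DN of the domain root, usable as a broad "Search Base".
# corp.example.local -> DC=corp,DC=example,DC=local
domain_to_base_dn() {
    printf 'DC=%s\n' "$(printf '%s' "$1" | sed 's/\./,DC=/g')"
}

# Emit ldapsearch arguments (one per line) that mirror the plugin fields.
# Args: server use_tls(yes|no) search_user search_base login_to_find
ldap_check_args() {
    if [ "$2" = "yes" ]; then
        printf '%s\n' -ZZ          # StartTLS; abort if it cannot be negotiated
    fi
    printf '%s\n' -x -H "ldap://$1" -D "$3" -W -b "$4" \
        "(sAMAccountName=$5)" dn   # -W prompts, keeping the password out of history
}

# Run the check. A returned DN means bind, search base and lookup all work.
ldap_check() {
    if [ "$2" != "yes" ]; then
        echo "warning: no TLS, the search user's password is sent in cleartext" >&2
    fi
    old_ifs=$IFS
    IFS='
'
    set -f
    # shellcheck disable=SC2046  # split on newlines only; globbing is off
    set -- $(ldap_check_args "$@")
    set +f
    IFS=$old_ifs
    ldapsearch "$@"
}

# Usage (not executed here):
#   ldap_check dc01.corp.example.local yes 'EXAMPLE\svc-osticket' \
#       "$(domain_to_base_dn corp.example.local)" jdoe
```

If the check succeeds with `yes` as the second argument, the "Use TLS" box can be ticked in the plugin so the search user's password is not sent unencrypted.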
In this section you will find some of the questions that I have been asked and my replies. If you have more questions that are not covered here, please feel free to post over on the osTicket forums.
Q: Does someone have an example of how they configured this plugin for AD and what they had installed on their Windows 2008 server?
A: I've provided as much as I can as to how I configured it. What we have installed on our Windows 2008 server, though, doesn't seem like it's particularly important.
Q: If it isn't needed, why the error?
A: The search user account is only needed for the lookup portion of the plugin. Authentication should work without it.
Q: Anyway, I don't see any type-ahead or lookup happening when I create a new ticket and I *thought* I had this working in the old 1.6 installation I used to have (but I didn't upgrade it, I started from scratch).
A: There was no LDAP plugin for 1.6. Plugins were just introduced in version 1.8.1. There was a mod on the forum that you might have used, but it was written by a community member and not the osTicket devs.
Q: Are there any simple step-by-step instructions to configure this plugin or at least a screenshot of a typical installation you can share?
A: No, but I have just replied with some generic instructions that might get you going. Unfortunately there are a lot of ways that your AD could be configured, and your organizational units can vary from everyone else's.