LDAP integration #33
Comments
This is one of those things that's obvious to all of us, but it would be very helpful if we could have LDAP integration, especially since this application is targeted at the enterprise.
Will try to implement this
Hi. I'm curious why this is closed. I looked through the remaining open issues and don't see something open that covers LDAP. Should we reopen this? tarek : )
It will not be included in the core, but implemented as module.
@tareko do you need integration with one LDAP server or multiple LDAP servers?
Personally, one.
Do you have a mechanism for putting bounties on these things? I'd be happy to contribute to this effort.
No need, thanks. Do you need to map all your LDAP users into same mailboxes or different departments (different
FOR ME, using it as a login mechanism is enough (authentication). For others, using it as an authorization mechanism is necessary like you say. Happy to try to map it out.
What LDAP server are you using? Active Directory, OpenLDAP or any other?
I use OpenLDAP exclusively
Do you have emails in your LDAP database? Without emails in LDAP database it will be impossible to authenticate. First name and Last name also will be obligatory attributes.
Not sure what you mean? Yes, I have the email attribute assigned. I have first name, last name, and common name attributes.
You can check it: https://freescout.net/module/ldap/
I found the LDAP module to be quite frustrating to configure. Modern AD setup requires encryption so AD's CA cert must be made accessible inside the deployment. I found it quite frustrating to blindly debug, for instance what is the difference between SSL and TLS? Knowing PKI quite a bit I found this distinction nonsense in this case. Docs don't mention anything about how to make the CA cert available for the deployment. In the end I had to specify Encryption: SSL and
Bind DN as used in the UI currently definitely diverges from what is known in the LDAP ecosystem. I think you should use the "Base DN" term, or just omit username and let the user specify the full Bind DN. Connect & Fetch resets firstname and surname selectors to objectclass, which doesn't make sense, and if an attribute is not set for whatever user is picked (e.g. sn) it is not shown in the combobox. Finally I got the group membership filter working and users imported and updated, including the user for myself which was created during Freescout install, but at the Freescout login prompt my user is still authenticated with the password initially created by Freescout install. I expected my user object to be updated to use LDAP auth as well. Final issue is SSO - it just does not work. I inserted var_dump into the code to see what PHP sees for $_SERVER and HTTP_REMOTE_USER is definitely there with my username and the attribute is set to samaccountname in the LDAP config UI. Additionally when I change the header name or attribute name in the UI and hit Save the changes are not made permanent. I have to click around randomly on the page before Save actually makes it permanent. tl;dr - For a paid feature like this please have some testing. You can set up a Samba instance which is for this use case 100% AD compatible and you can test the behaviour.
Implement LDAP integration