[otrs] LDAP Authentication

Miller, Tim Tim.Miller at dbtamerica.com
Tue Nov 28 15:33:00 CET 2006


I had quite a time getting it to work, but in the end I got it.  Have
you created a user account in AD to authenticate with for the LDAP
lookup?  Windows will not allow anonymous LDAP queries, you must create
the account and add the following lines to your config.pm file.

$Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs ldap,OU=Users,DC=domain,DC=local';
$Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

There should also be some error messages in the system log with OTRS if
you log in using your admin agent account.  What errors are you seeing
there?

-Tim

-----Original Message-----
From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On Behalf Of
Mike Pietersen
Sent: Wednesday, November 22, 2006 12:33 PM
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] LDAP Authentication

Tim,

How do you have your users logging in?

When I go through and try to log myself into OTRS with:

mpietersen
mpietersen at allstatefastener.local
ASFCORP\mpietersen

My bind isn't working properly according to my httpd log which is
pumping out

ERROR: OTRS-CGI-10 Perl: 5.8.6 OS: linux Time: Wed Nov 22 11:50:27 2006
 Message: First bind failed! 80090308: LdapErr: DSID-0C09030F, comment:
 Traceback (24085):
   Module: Kernel::System::CustomerUser::LDAP::new (v1.29) Line: 71
   Module: Kernel::System::CustomerUser::new (v1.28) Line: 91
   Module: Kernel::System::Ticket::new (v1.229) Line: 121
   Module: Kernel::System::Web::InterfaceAgent::Run (v1.17) Line: 173
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_inde
   Module: (eval) (v1.81) Line: 203
   Module: ModPerl::RegistryCooker::run (v1.81) Line: 203
   Module: ModPerl::RegistryCooker::default_handler (v1.81) Line: 169
   Module: ModPerl::Registry::handler (v1.99) Line: 30

ERROR: OTRS-CGI-10 Perl: 5.8.6 OS: linux Time: Wed Nov 22 11:50:36 2006
 Message: First bind failed! 80090308: LdapErr: DSID-0C09030F, comment:
 Traceback (24086):
   Module: Kernel::System::CustomerUser::LDAP::new (v1.29) Line: 71
   Module: Kernel::System::CustomerUser::new (v1.28) Line: 91
   Module: Kernel::System::Ticket::new (v1.229) Line: 121
   Module: Kernel::System::Web::InterfaceAgent::Run (v1.17) Line: 173
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_inde
   Module: (eval) (v1.81) Line: 203
   Module: ModPerl::RegistryCooker::run (v1.81) Line: 203
   Module: ModPerl::RegistryCooker::default_handler (v1.81) Line: 169
   Module: ModPerl::Registry::handler (v1.99) Line: 30


Every time I try and log in.

Have you experienced any problems when implementing your AD auth?

BTW, it's running on FC4

Thanks,

Mike Pietersen, A+, MCP
IT (586) 498-1388

________________________________

From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On Behalf Of
Miller, Tim
Sent: Wednesday, November 22, 2006 9:44 AM
To: User questions and discussions about OTRS.org
Subject: RE: [otrs] LDAP Authentication


I am no expert in giving a step-by-step, but here is a copy of my
config.pm file which is working for customer LDAP auth via my Windows AD
domain... hope it helps:

As always, make a backup copy of the original Config.pm file before you
start modifying....

I created a user account in AD called "otrs ldap" and use that account
to authenticate the LDAP query from otrs. Windows AD will not allow
anonymous lookups so this is a necessary step...

    # This is an example configuration for an LDAP auth. backend.
    # (take care that Net::LDAP is installed!)
    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = '10.xxx.xxx.xx';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=domain,dc=local';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'CN=otrs ldap,OU=Users,DC=domain,DC=local';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';

The section below is for the customer lookups via the Phone Ticket/Email
Ticket screen to add a new ticket for a customer. It allows the agent to
type a piece of the customer info and search AD for the user... The
system must be able to verify the customer in AD before it will let you
enter a ticket.

    # (customer user ldap backend and settings)
    $Self->{CustomerUser1} = {
        Name => 'LDAP Backend',
        Module => 'Kernel::System::CustomerUser::LDAP',
        Params => {
            # ldap host
            Host => '10.xxx.xxx.xx',
            # ldap base dn
            BaseDN => 'dc=domain,dc=local',
            # search scope (one|sub)
            SSCOPE => 'sub',
            # The following is valid but would only be necessary if the
            # anonymous user does NOT have permission to read from the LDAP tree
            UserDN => 'CN=otrs ldap,OU=Users,DC=domain,DC=local',
            UserPw => 'password',
            AlwaysFilter => '',
            #SourceCharset => 'utf-8',
            #DestCharset => 'iso-8859-1',
        },
        # customer uniq id
        CustomerKey => 'sAMAccountName',
        # customer #
        CustomerID => 'mail',
        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
        CustomerUserSearchPrefix => '',
        CustomerUserSearchSuffix => '*',
        CustomerUserSearchListLimit => 250,
        CustomerUserPostMasterSearchFields => ['mail'],
        CustomerUserNameFields => ['givenname', 'sn'],
        Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type
            #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
            [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
            [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
            [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
            [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
            [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
            [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
            #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
            #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
        ],
    };

With Best Regards,

Tim Miller
Network Administrator
DBT America, Inc.
Houston, PA
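The Config.pm keys above set up a bind-search-bind sequence: OTRS first binds as the "otrs ldap" service account (the "first bind" that Mike's log reports as failing), searches the BaseDN for the login by sAMAccountName, and then binds again as the DN it found with the customer's own password. The Perl script below is an added example, not OTRS code and not something anyone in this thread posted; it runs the same three stages with Net::LDAP from the command line so that each stage can be checked on its own, outside the web front-end. The host, BaseDN, search user DN and password are assumed placeholders copied from Tim's config, and check_customer_login is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Hypothetical stand-alone check for the bind-search-bind sequence that the
# Customer::AuthModule::LDAP settings describe. Example code, not OTRS code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value ldap_error_name);

# Assumed values: take them from the same Config.pm keys shown in the thread.
my %cfg = (
    Host         => '10.xxx.xxx.xx',        # Customer::AuthModule::LDAP::Host
    BaseDN       => 'dc=domain,dc=local',   # Customer::AuthModule::LDAP::BaseDN
    UID          => 'sAMAccountName',       # Customer::AuthModule::LDAP::UID
    SearchUserDN => 'CN=otrs ldap,OU=Users,DC=domain,DC=local',
    SearchUserPw => 'password',
);

# Returns a hashref { ok => 0|1, stage => ..., detail => ... } so that the
# failing stage is named explicitly instead of a bare "bind failed".
sub check_customer_login {
    my ($login, $password) = @_;

    my $ldap = Net::LDAP->new($cfg{Host}, timeout => 10)
        or return +{ ok => 0, stage => 'connect', detail => $@ };

    # Stage 1: the "first bind" from the OTRS log, i.e. the service account.
    # AD refuses anonymous searches, so this account must be able to bind.
    my $mesg = $ldap->bind($cfg{SearchUserDN}, password => $cfg{SearchUserPw});
    return +{ ok => 0, stage => 'first bind (search user)',
              detail => ldap_error_name($mesg) . ': ' . $mesg->error }
        if $mesg->code;

    # Stage 2: find the user's DN by login. escape_filter_value keeps
    # characters such as '*' or ')' in the login from altering the filter.
    my $filter = sprintf '(%s=%s)', $cfg{UID}, escape_filter_value($login);
    $mesg = $ldap->search(base => $cfg{BaseDN}, scope => 'sub',
                          filter => $filter, attrs => [$cfg{UID}]);
    return +{ ok => 0, stage => 'search', detail => $mesg->error }
        if $mesg->code;
    # Zero matches and ambiguous matches are both treated as failures.
    return +{ ok => 0, stage => 'search',
              detail => $mesg->count . " entries for $filter" }
        unless $mesg->count == 1;
    my $user_dn = $mesg->entry(0)->dn;

    # Stage 3: the "second bind" with the customer's own credentials.
    # An empty password is rejected before it reaches the server: some
    # directories treat an empty password as an anonymous bind, which would
    # "succeed" without proving anything about the user.
    return +{ ok => 0, stage => 'second bind (user)', detail => 'empty password' }
        unless defined $password && length $password;
    $mesg = $ldap->bind($user_dn, password => $password);
    $ldap->unbind;
    return +{ ok => 0, stage => 'second bind (user)',
              detail => ldap_error_name($mesg) . ': ' . $mesg->error }
        if $mesg->code;

    return +{ ok => 1, stage => 'done', detail => $user_dn };
}

# Usage: perl check_ldap_auth.pl <login> <password>
if (!caller) {
    my ($login, $password) = @ARGV;
    die "usage: $0 <login> <password>\n" unless defined $login;
    my $r = check_customer_login($login, $password);
    printf "%s at stage '%s': %s\n",
        ($r->{ok} ? 'OK' : 'FAILED'), $r->{stage}, $r->{detail};
    exit($r->{ok} ? 0 : 1);
}
```

If the script already fails at the first stage, the problem is the service account's DN or password (or the host), not the customer's login, which is the distinction Tim's reply at the top of the thread makes; a failure at the search stage usually points at a wrong BaseDN or UID attribute; only a failure at the second bind concerns the customer's own credentials. The login is passed as a plain sAMAccountName, as the UID setting expects, not as DOMAIN\user or an e-mail address.
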
________________________________

From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On Behalf Of
VI - Mario Tonin
Sent: Wednesday, November 22, 2006 6:30 AM
To: otrs at otrs.org
Subject: [otrs] LDAP Authentication

Is there anyone who can give me a step-by-step guide to configure LDAP
authentication for customers?

I've added this entry:

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'vidc2.battistolligroup.it';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=battistolligroup,dc=it';

. . . . . . . . . . . . . . . . . . .

Mario Tonin
mario.tonin at battistolli.it

B.T.V. s.p.a.- Sistemi Informativi
Via Luca della Robbia 60
36100 - Vicenza - Italy
w http://www.battistolli.it