[otrs] Re: LDAP Authentication using Microsoft Active Directory server

Robert Aldridge bamarob55 at gmail.com
Mon Sep 24 09:42:25 GMT 2007


Thanks for the suggestion, Edward.  Changing the SearchUserDN to
<username>@<domain> continues to work for the agent login.  I still haven't
been able to get the customer login working.  Any hints?  Here's my current
LDAP portion of Config.pm:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    # bind account given in <username>@<domain> (UPN) form
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = '********';

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
    # key names are case-sensitive: Defaults.pm spells this SearchUserPw, not SearchUserPW
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = '********';

    $Self->{CustomerUser} = {
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
        Host => 'ldapserver.domain.com',
        BaseDN => 'ou=Group of Users,dc=domain,dc=com',
        SSCOPE => 'sub',
        AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
        UserDN => 'OTRS@domain.com',
        UserPw => '********',   # Defaults.pm spells this UserPw, not UserPW
      },
      CustomerKey => 'sAMAccountName',
      CustomerID => 'mail',
      CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
      CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
      CustomerUserPostMasterSearchFields => ['mail'],
      CustomerUserNameFields => ['givenname', 'sn'],
      Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      ],
    };

    # UserSyncLDAPMap
    # (map if agent should create/synced from LDAP to DB after login)
    $Self->{UserSyncLDAPMap} = {
        # DB -> LDAP
        Firstname => 'givenName',
        Lastname => 'sn',
        Email => 'mail',
    };

    # UserSyncLDAPGroups
    # (If "LDAP" was selected for AuthModule, you can specify initial
    # user groups for first login.)
    $Self->{UserSyncLDAPGroups} = [
        'users',
    ];

On 9/21/07, Edward Kovarski <edward.kovarski at groupkae.com> wrote:
>
>
> Robert,
>
> You may also try <username>@<domain> which is the new Microsoft style
> for specifying users within domains. This is what we use in
> configuration...
>
> Ed
>
> On 21-Sep-07, at 2:48 PM, Robert Aldridge wrote:
>
> > Finally got it working...
> >
> > I changed every entry of:
> >
> > 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >
> > to:
> >
> > 'tsteel\OTRS'
> >
> > and, to pull user data to the local DB, I added:
> >
> >     # UserSyncLDAPMap
> >     # (map if agent should create/synced from LDAP to DB after login)
> >     $Self->{UserSyncLDAPMap} = {
> >         # DB -> LDAP
> >         Firstname => 'givenName',
> >         Lastname => 'sn',
> >         Email => 'mail',
> >     };
> >
> >     # UserSyncLDAPGroups
> >     # (If "LDAP" was selected for AuthModule, you can specify initial
> >     # user groups for first login.)
> >     $Self->{UserSyncLDAPGroups} = [
> >         'users',
> >     ];
> >
> >
> > Perhaps this will help someone else who's trying to set OTRS up
> > with Microsoft Active Directory.
> >
> > Thanks,
> >
> > Robert Aldridge
> >
> >
> >
> > On 9/21/07, Robert Aldridge <bamarob55 at gmail.com> wrote:
> >
> > Hi folks,
> >
> > First let me say that OTRS appears to be a great product!  Kudos to
> > the developers!
> >
> > We are in the process of evaluating our options for a helpdesk/
> > trouble-ticket system.  I would really like to give OTRS a good
> > evaluation, but I'm having some problems.  Our chosen solution must
> > be able to authenticate users (both agents and customers) via
> > Microsoft Active Directory.  It appears that this is possible, but
> > I've yet to have any success.  I'll outline the steps I've taken
> > and solicit any input from the community.
> >
> > OTRS is working fine when authenticating against its own
> > database.  Here's what I've done to try to authenticate against AD:
> >
> > I edited Kernel/Config.pm and added:
> >
> > <begin additions to Config.pm>
> >
> >     $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> >     $Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> >     $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >     $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> >     $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >     $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
> >
> >     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> >     $Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> >     $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >     $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> >     $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >     # key names are case-sensitive: Defaults.pm spells this SearchUserPw
> >     $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
> >
> >     $Self->{CustomerUser} = {
> >       Module => 'Kernel::System::CustomerUser::LDAP',
> >       Params => {
> >         Host => 'lincoln.tsteel.com',
> >         BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> >         SSCOPE => 'sub',
> >         UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> >         UserPw => 'password',   # Defaults.pm spells this UserPw
> >       },
> >       CustomerKey => 'sAMAccountName',
> >       CustomerID => 'mail',
> >       # list-valued settings must be array references
> >       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> >       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> >       CustomerUserPostMasterSearchFields => ['mail'],
> >       CustomerUserNameFields => ['givenname', 'sn'],
> >       Map => [
> >         # var, frontend, storage, shown, required, storage-type
> >         [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> >         [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> >         [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> >         [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> >         [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> >       ],
> >     };
> >
> > <end additions to Config.pm>
> >
> >
> > On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet
> > Mill,dc=tsteel,dc=com" -r "<objectClass=user>"
> >
> > Which returned a listing of all users in the Tuscaloosa - Sheet
> > Mill org unit.  Within the users.ldf file (output from the above
> > command), there's an entry for OTRS Admin:
> >
> > <begin snippet from users.ldf>
> >
> >     dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> >     changetype: add
> >     objectClass: top
> >     objectClass: person
> >     objectClass: organizationalPerson
> >     objectClass: user
> >     cn: OTRS
> >     sn: Admin
> >     givenName: OTRS
> >     distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> >     instanceType: 4
> >     whenCreated: 20070920125829.0Z
> >     whenChanged: 20070921135825.0Z
> >     displayName: OTRS
> >     uSNCreated: 8512826
> >     uSNChanged: 8549454
> >     name: OTRS
> >     objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
> >     userAccountControl: 66048
> >     badPwdCount: 0
> >     codePage: 0
> >     countryCode: 0
> >     badPasswordTime: 128347689772801250
> >     lastLogoff: 0
> >     lastLogon: 128347693211238750
> >     pwdLastSet: 128347667099207500
> >     primaryGroupID: 513
> >     objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
> >     accountExpires: 9223372036854775807
> >     logonCount: 0
> >     sAMAccountName: OTRS
> >     sAMAccountType: 805306368
> >     userPrincipalName: OTRS at tsteel.com
> >     objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
> >     dSCorePropagationData: 20070921135825.0Z
> >     dSCorePropagationData: 20070921135825.0Z
> >     dSCorePropagationData: 20070921135825.0Z
> >     dSCorePropagationData: 20070921131751.0Z
> >     dSCorePropagationData: 16010108151056.0Z
> >     lastLogonTimestamp: 128347680934676250
> >
> >
> > <end snippet from users.ldf>
> >
> >
> > With this configuration, when I attempt to login as an agent using
> > my username (which I know is valid in AD), it errors out with:
> >
> > Login failed! Your username or password was entered incorrectly.
> >
> > And, when I revert the Config.pm back (so I can log in) and check
> > the system log, I see:
> >
> > User: raldridge authentication failed, no LDAP entry found!
> > BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
> >
> > Any help would be greatly appreciated.
> >
> > Thanks,
> >
> > Robert Aldridge
> >
> > _______________________________________________
> > OTRS mailing list: otrs - Webpage: http://otrs.org/
> > Archive: http://lists.otrs.org/pipermail/otrs
> > To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> > Support or consulting for your OTRS system?
> > => http://www.otrs.com/
>
>
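A small added example (my own Python, not code from this thread or from OTRS) that runs the checks this thread turned on against an LDIF export such as the users.ldf snippet above: whether a DN-form SearchUserDN actually names an exported entry (the export shows CN=OTRS while the first config bound as cn=OTRS Admin), which accounts an AlwaysFilter like (&(sAMAccountName=*)(mail=*)) would keep out of the customer backend, and the RFC 4515 escaping a typed login needs before it is placed in the (sAMAccountName=...) lookup seen in the system log. The LDIF records and the jexample account are constructed, and every function name is mine.

```python
import re

# Constructed LDIF modelled on the users.ldf snippet in the thread (made-up values).
SAMPLE_LDIF = """\
dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
cn: OTRS
sn: Admin
sAMAccountName: OTRS
userPrincipalName: OTRS@tsteel.com

dn: CN=Jane Example,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
cn: Jane Example
sAMAccountName: jexample
mail: jexample@tsteel.com
"""

def parse_ldif(text):
    """One {attr_lower: [values]} dict per record (no continuation lines, no base64 decoding)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line:                      # a blank line ends a record
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.lower(), []).append(value.lstrip(": "))
    return entries

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def uid_filter(uid_attr, login):
    """The lookup the OTRS log shows on failure, e.g. Filter='(sAMAccountName=raldridge)'."""
    return "(%s=%s)" % (uid_attr, escape_filter_value(login))

def bind_dn_exists(entries, search_user_dn):
    """Does a DN-form SearchUserDN name a real entry? (UPN and DOMAIN\\user forms are not DNs.)"""
    norm = lambda dn: ",".join(p.strip().lower() for p in dn.split(","))
    return any(norm(e["dn"][0]) == norm(search_user_dn) for e in entries)

def excluded_by_always_filter(entries, always_filter):
    """Logins the customer backend can never return because a presence test like (mail=*) fails."""
    needed = [a.lower() for a in re.findall(r"\((\w+)=\*\)", always_filter)]
    return [e["samaccountname"][0] for e in entries
            if "samaccountname" in e and any(a not in e for a in needed)]
```

Point it at a real ldifde export to see which customers the AlwaysFilter silently drops; the service account itself, having no mail attribute, is the first one listed.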