[otrs] Re: LDAP Authentication using Microsoft Active Directoryserver

Edward Kovarski edward.kovarski at groupkae.com
Mon Sep 24 15:27:55 GMT 2007


Mike,

For Unix, as per http://doc.otrs.org/2.2/en/html/x354.html, you would  
need Net::LDAP. To install the module via CPAN, you'd type in:

perl -MCPAN -e 'install Net::LDAP'

or, alternatively some Unices allow:

cpan Net::LDAP

To answer your second question, you'd login via "username" or  
specifically the sAMAccountName LDAP attribute in Active Directory.

Ed

On 24-Sep-07, at 2:57 PM, Michael Holland wrote:

> Robert and or anyone that can assist.  2 quick questions…
>
> Do you have any instructions on how to install the correct PERL
> Ldap modules?
> When you login to OTRS do you use the username or domain\username?
>
> Thanks for any help offered. I have been chasing this issue for
> well over a month.
>
> Mike Holland
>
> From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On  
> Behalf Of Robert Aldridge
> Sent: Monday, September 24, 2007 11:43 AM
> To: User questions and discussions about OTRS.org
> Subject: Re: [otrs] Re: LDAP Authentication using Microsoft Active Directoryserver
>
> Edward,
>
> Thanks for the suggestion.  I copied your configuration and now  
> have both agents and customers successfully logging in with  
> authentication against our AD server.
>
> Thanks!!!
>
> Robert
>
> On 9/24/07, Edward Kovarski <edward.kovarski at groupkae.com> wrote:
>
>
> Robert,
>
> I would suggest trying to simplify the configurations by removing the
> AlwaysFilter and specifying the root of your Active Directory as the
> BaseDN. Once it authenticates properly you can start customizing and
> narrowing the BaseDN scope.
>
> Here is an excerpt from Config.pm which I just tested on our dev
> environment as we don't use the customer interface in production. It
> properly authenticated and pulled in all the proper values into  
> OTRS...
>
>      # --- Customer ---
>      $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
>      $Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.groupkae.com';
>      $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Customer,dc=ad,dc=groupkae,dc=com';
>      $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
>      $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldap@ad.groupkae.com';
>      $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
>
>      $Self->{CustomerUser} = {
>        Module => 'Kernel::System::CustomerUser::LDAP',
>        Params => {
>          Host => 'ad.groupkae.com',
>          BaseDN => 'ou=Customer,dc=ad,dc=groupkae,dc=com',
>          SSCOPE => 'sub',
>          UserDN => 'ldap@ad.groupkae.com',
>          UserPw => 'password',
>        },
>        CustomerKey => 'sAMAccountName',
>        CustomerID => 'mail',
>        CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
>        CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
>        CustomerUserSearchPrefix => '',
>        CustomerUserSearchSuffix => '*',
>        CustomerUserSearchListLimit => 250,
>        CustomerUserPostMasterSearchFields => ['mail'],
>        CustomerUserNameFields => ['givenname', 'sn'],
>        Map => [
>          [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
>          [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
>          [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
>          [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
>          [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
>          [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
>        ],
>      };
>
> On 24-Sep-07, at 10:42 AM, Robert Aldridge wrote:
>
> > Thanks for the suggestion, Edward.  Changing the SearchUserDN to
> > <username>@<domain> continues to work for the agent login.  I still
> > haven't been able to get the customer login working.  Any hints?
> > Here's my current LDAP portion of Config.pm:
> >
> >     $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> >     $Self->{'AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> >     $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> >     $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> >     $Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> >     $Self->{'AuthModule::LDAP::SearchUserPw'} = '********';
> >
> >     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> >     $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> >     $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> >     $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> >     $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> >     $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = '********';
> >
> >     $Self->{CustomerUser} = {
> >       Module => 'Kernel::System::CustomerUser::LDAP',
> >       Params => {
> >         Host => 'ldapserver.domain.com',
> >         BaseDN => 'ou=Group of Users,dc=domain,dc=com',
> >         SSCOPE => 'sub',
> >         AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
> >         UserDN => 'OTRS@domain.com',
> >         UserPW => '********',
> >       },
> >       CustomerKey => 'sAMAccountName',
> >       CustomerID => 'mail',
> >       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> >       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> >       CustomerUserPostMasterSearchFields => ['mail'],
> >       CustomerUserNameFields => ['givenname', 'sn'],
> >       Map => [
> >         # note: Login, Email and CustomerID needed!
> >         # var, frontend, storage, shown, required, storage-type
> >         # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
> >         [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> >         [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> >         [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> >         [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> >         [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> >       ],
> >     };
> >
> >     # UserSyncLDAPMap
> >     # (map if agent should create/synced from LDAP to DB after login)
> >     $Self->{UserSyncLDAPMap} = {
> >         # DB -> LDAP
> >         Firstname => 'givenName',
> >         Lastname => 'sn',
> >         Email => 'mail',
> >     };
> >
> >     # UserSyncLDAPGroups
> >     # (If "LDAP" was selected for AuthModule, you can specify initial
> >     # user groups for first login.)
> >     $Self->{UserSyncLDAPGroups} = [
> >         'users',
> >     ];
> >
> > On 9/21/07, Edward Kovarski < edward.kovarski at groupkae.com> wrote:
> > Robert,
> >
> > You may also try <username>@<domain> which is the new Microsoft style
> > for specifying users within domains. This is what we use in
> > configuration...
> >
> > Ed
> >
> > On 21-Sep-07, at 2:48 PM, Robert Aldridge wrote:
> >
> > > Finally got it working...
> > >
> > > I changed every entry of:
> > >
> > > 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > >
> > > to:
> > >
> > > 'tsteel\OTRS'
> > >
> > > and, to pull user data to the local DB, I added:
> > >
> > >     # UserSyncLDAPMap
> > >     # (map if agent should create/synced from LDAP to DB after login)
> > >     $Self->{UserSyncLDAPMap} = {
> > >         # DB -> LDAP
> > >         Firstname => 'givenName',
> > >         Lastname => 'sn',
> > >         Email => 'mail',
> > >     };
> > >
> > >     # UserSyncLDAPGroups
> > >     # (If "LDAP" was selected for AuthModule, you can specify initial
> > >     # user groups for first login.)
> > >     $Self->{UserSyncLDAPGroups} = [
> > >         'users',
> > >     ];
> > >
> > >
> > > Perhaps this will help someone else who's trying to set OTRS up
> > > with Microsoft Active Directory.
> > >
> > > Thanks,
> > >
> > > Robert Aldridge
> > >
> > >
> > >
> > > On 9/21/07, Robert Aldridge <bamarob55 at gmail.com> wrote:
> > > Hi folks,
> > >
> > > First let me say that OTRS appears to be a great product!  Kudos to
> > > the developers!
> > >
> > > We are in the process of evaluating our options for a helpdesk/
> > > trouble-ticket system.  I would really like to give OTRS a good
> > > evaluation, but I'm having some problems.  Our chosen solution must
> > > be able to authenticate users (both agents and customers) via
> > > Microsoft Active Directory.  It appears that this is possible, but
> > > I've yet to have any success.  I'll outline the steps I've taken
> > > and solicit any input from the community.
> > >
> > > OTRS is working fine when authenticating against its own
> > > database.  Here's what I've done to try to authenticate against AD:
> > >
> > > I edited Kernel/Config.pm and added:
> > >
> > > <begin additions to Config.pm>
> > >
> > >     $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> > >     $Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> > >     $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > >     $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> > >     $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > >     $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
> > >
> > >     $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> > >     $Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> > >     $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > >     $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> > >     $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > >     $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';
> > >
> > >     $Self->{CustomerUser} = {
> > >       Module => 'Kernel::System::CustomerUser::LDAP',
> > >       Params => {
> > >         Host => 'lincoln.tsteel.com',
> > >         BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > >         SSCOPE => 'sub',
> > >         UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > >         UserPW => 'password',
> > >       },
> > >       CustomerKey => 'sAMAccountName',
> > >       CustomerID => 'mail',
> > >       # list values must be array references
> > >       CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> > >       CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> > >       CustomerUserPostMasterSearchFields => ['mail'],
> > >       CustomerUserNameFields => ['givenname', 'sn'],
> > >       Map => [
> > >         [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> > >         [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> > >         [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> > >         [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> > >         [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> > >       ],
> > >     };
> > >
> > > <end additions to Config.pm>
> > >
> > >
> > > On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet
> > > Mill,dc=tsteel,dc=com" -r "<objectClass=user>"
> > >
> > > Which returned a listing of all users in the Tuscaloosa - Sheet
> > > Mill org unit.  Within the users.ldf file (output from the above
> > > command), there's an entry for OTRS Admin:
> > >
> > > <begin snippet from users.ldf>
> > >
> > >     dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> > >     changetype: add
> > >     objectClass: top
> > >     objectClass: person
> > >     objectClass: organizationalPerson
> > >     objectClass: user
> > >     cn: OTRS
> > >     sn: Admin
> > >     givenName: OTRS
> > >     distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> > >     instanceType: 4
> > >     whenCreated: 20070920125829.0Z
> > >     whenChanged: 20070921135825.0Z
> > >     displayName: OTRS
> > >     uSNCreated: 8512826
> > >     uSNChanged: 8549454
> > >     name: OTRS
> > >     objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
> > >     userAccountControl: 66048
> > >     badPwdCount: 0
> > >     codePage: 0
> > >     countryCode: 0
> > >     badPasswordTime: 128347689772801250
> > >     lastLogoff: 0
> > >     lastLogon: 128347693211238750
> > >     pwdLastSet: 128347667099207500
> > >     primaryGroupID: 513
> > >     objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
> > >     accountExpires: 9223372036854775807
> > >     logonCount: 0
> > >     sAMAccountName: OTRS
> > >     sAMAccountType: 805306368
> > >     userPrincipalName: OTRS@tsteel.com
> > >     objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
> > >     dSCorePropagationData: 20070921135825.0Z
> > >     dSCorePropagationData: 20070921135825.0Z
> > >     dSCorePropagationData: 20070921135825.0Z
> > >     dSCorePropagationData: 20070921131751.0Z
> > >     dSCorePropagationData: 16010108151056.0Z
> > >     lastLogonTimestamp: 128347680934676250
> > >
> > >
> > > <end snippet from users.ldf>
> > >
> > >
> > > With this configuration, when I attempt to login as an agent using
> > > my username (which I know is valid in AD), it errors out with:
> > >
> > > Login failed! Your username or password was entered incorrectly.
> > >
> > > And, when I revert the Config.pm back (so I can log in) and check
> > > the system log, I see:
> > >
> > > User: raldridge authentication failed, no LDAP entry found!
> > > BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > > Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
> > >
> > > Any help would be greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Robert Aldridge
> > >
> > > _______________________________________________
> > > OTRS mailing list: otrs - Webpage: http://otrs.org/
> > > Archive: http://lists.otrs.org/pipermail/otrs
> > > To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> > > Support or consulting for your OTRS system?
> > > => http://www.otrs.com/
> >
> >
>
>
>
>
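The script below is an added diagnostic, not code from this thread or from OTRS. It performs, outside the web interface, the same sequence the OTRS LDAP auth module's log message reflects (bind with the search account, search for `(sAMAccountName=<user>)` below BaseDN, then bind as the DN that was found), so a failure can be pinned to the search account, to the BaseDN/UID combination ("no LDAP entry found!"), or to the user's password. Host, BaseDN, the search account and the CA file path are placeholders; `start_tls` is assumed to be offered by the domain controller.

```perl
#!/usr/bin/perl
# Hypothetical diagnostic (not OTRS code): replays the three LDAP operations
# behind an OTRS LDAP login so a failure can be narrowed down step by step.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed values; copy the real ones from Kernel/Config.pm.
my $host      = 'ad.example.com';          # AuthModule::LDAP::Host
my $base_dn   = 'dc=example,dc=com';       # AuthModule::LDAP::BaseDN
my $uid_attr  = 'sAMAccountName';          # AuthModule::LDAP::UID
my $search_dn = 'otrs@example.com';        # SearchUserDN in <user>@<domain> form
my $search_pw = $ENV{OTRS_LDAP_PW} or die "set OTRS_LDAP_PW in the environment\n";
my $ca_file   = '/etc/ssl/certs/ad-ca.pem'; # placeholder path to the AD CA certificate

my $user = shift @ARGV or die "usage: OTRS_LDAP_PW=... $0 <username>\n";
print "Password for $user: ";
chomp(my $user_pw = <STDIN>);

my $ldap = Net::LDAP->new($host, port => 389, timeout => 10)
    or die "cannot connect to $host: $@\n";
# A simple bind sends the password in clear text; upgrade the session first.
my $tls = $ldap->start_tls(verify => 'require', cafile => $ca_file);
die "StartTLS failed: ", $tls->error, "\n" if $tls->code;

# Step 1: bind with the search account (the SearchUserDN/SearchUserPw pair).
my $mesg = $ldap->bind($search_dn, password => $search_pw);
die "search-account bind failed: ", $mesg->error, "\n" if $mesg->code;

# Step 2: find the user below BaseDN. Escaping the value keeps a crafted
# username from changing the meaning of the filter.
my $filter = sprintf '(%s=%s)', $uid_attr, escape_filter_value($user);
$mesg = $ldap->search(base => $base_dn, scope => 'sub',
                      filter => $filter, attrs => ['mail']);
die "search failed: ", $mesg->error, "\n" if $mesg->code;
# Zero hits is the "no LDAP entry found!" case from the OTRS log: the account
# exists in AD but not below BaseDN, or UID names the wrong attribute.
die "no entry for $filter under $base_dn\n" if $mesg->count == 0;
my $entry = $mesg->entry(0);
printf "found %s (mail=%s)\n", $entry->dn, $entry->get_value('mail') || '-';

# Step 3: bind as the user's own DN with the password that was typed in.
$mesg = $ldap->bind($entry->dn, password => $user_pw);
print $mesg->code ? "user bind failed: " . $mesg->error . "\n" : "user bind OK\n";
$ldap->unbind;
```

If step 2 succeeds but step 3 fails, the Config.pm values are right and the problem is the user's password or account state in AD.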


