[otrs] Re: LDAP Authentication using Microsoft Active Directory server
Edward Kovarski
edward.kovarski at groupkae.com
Mon Sep 24 15:27:55 GMT 2007
Mike,
For Unix, as per http://doc.otrs.org/2.2/en/html/x354.html, you would
need Net::LDAP. To install the module via CPAN, you'd type in:
perl -MCPAN -e 'install Net::LDAP'
or, alternatively some Unices allow:
cpan Net::LDAP
To answer your second question, you'd log in via "username", or
specifically the sAMAccountName LDAP attribute in Active Directory.
Ed
On 24-Sep-07, at 2:57 PM, Michael Holland wrote:
> Robert and/or anyone who can assist, two quick questions:
>
> Do you have any instructions on how to install the correct Perl
> LDAP modules?
> When you log in to OTRS, do you use the username or domain\username?
>
> Thanks for any help offered. I have been chasing this issue for
> well over a month.
>
> Mike Holland
>
> From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On
> Behalf Of Robert Aldridge
> Sent: Monday, September 24, 2007 11:43 AM
> To: User questions and discussions about OTRS.org
> Subject: Re: [otrs] Re: LDAP Authentication using Microsoft Active Directory server
>
> Edward,
>
> Thanks for the suggestion. I copied your configuration and now
> have both agents and customers successfully logging in with
> authentication against our AD server.
>
> Thanks!!!
>
> Robert
>
> On 9/24/07, Edward Kovarski <edward.kovarski at groupkae.com> wrote:
>
> Robert,
>
> I would suggest trying to simplify the configurations by removing the
> AlwaysFilter and specifying the root of your Active Directory as the
> BaseDN. Once it authenticates properly you can start customizing and
> narrowing the BaseDN scope.
>
> Here is an excerpt from Config.pm which I just tested on our dev
> environment as we don't use the customer interface in production. It
> properly authenticated and pulled in all the proper values into
> OTRS...
>
> # --- Customer ---
> $Self->{'Customer::AuthModule'} =
> 'Kernel::System::CustomerAuth::LDAP';
> $Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.groupkae.com';
> $Self->{'Customer::AuthModule::LDAP::BaseDN'} =
> 'ou=Customer,dc=ad,dc=groupkae,dc=com';
> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldap@ad.groupkae.com';
> $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
>
> $Self->{CustomerUser} = {
> Module => 'Kernel::System::CustomerUser::LDAP',
> Params => {
> Host => 'ad.groupkae.com',
> BaseDN => 'ou=Customer,dc=ad,dc=groupkae,dc=com',
> SSCOPE => 'sub',
> UserDN => 'ldap@ad.groupkae.com',
> UserPw => 'password',
> },
>
> CustomerKey => 'sAMAccountName',
> CustomerID => 'mail',
> CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> CustomerUserSearchPrefix => '',
> CustomerUserSearchSuffix => '*',
> CustomerUserSearchListLimit => 250,
> CustomerUserPostMasterSearchFields => ['mail'],
> CustomerUserNameFields => ['givenname', 'sn'],
> Map => [
> [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
> [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
> [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
> ],
> };
>
> On 24-Sep-07, at 10:42 AM, Robert Aldridge wrote:
>
> > Thanks for the suggestion, Edward. Changing the SearchUserDN to
> > <username>@<domain> continues to work for the agent login. I still
> > haven't been able to get the customer login working. Any hints?
> > Here's my current LDAP portion of Config.pm:
> >
> > $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> > $Self->{'AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> > $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> > $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> > $Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> > $Self->{'AuthModule::LDAP::SearchUserPw'} = '********';
> >
> > $Self->{'Customer::AuthModule'} =
> > 'Kernel::System::CustomerAuth::LDAP';
> > $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> > $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> > $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> > $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> > $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = '********';
> >
> > $Self->{CustomerUser} = {
> > Module => 'Kernel::System::CustomerUser::LDAP',
> > Params => {
> > Host => 'ldapserver.domain.com',
> > BaseDN => 'ou=Group of Users,dc=domain,dc=com',
> > SSCOPE => 'sub',
> > AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
> > UserDN => 'OTRS@domain.com',
> > UserPW => '********',
> > },
> > CustomerKey => 'sAMAccountName',
> > CustomerID => 'mail',
> > CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> > CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> > CustomerUserPostMasterSearchFields => ['mail'],
> > CustomerUserNameFields => ['givenname', 'sn'],
> > Map => [
> > # note: Login, Email and CustomerID needed!
> > # var, frontend, storage, shown, required, storage-type
> > # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
> > [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> > [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> > [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> > [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> > [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> > ],
> > };
> >
> > # UserSyncLDAPMap
> > # (map if agent should create/synced from LDAP to DB after login)
> > $Self->{UserSyncLDAPMap} = {
> > # DB -> LDAP
> > Firstname => 'givenName',
> > Lastname => 'sn',
> > Email => 'mail',
> > };
> >
> > # UserSyncLDAPGroups
> > # (If "LDAP" was selected for AuthModule, you can specify initial
> > # user groups for first login.)
> > $Self->{UserSyncLDAPGroups} = [
> > 'users',
> > ];
> >
> >
> > On 9/21/07, Edward Kovarski <edward.kovarski at groupkae.com> wrote:
> > Robert,
> >
> > You may also try <username>@<domain>, which is the new Microsoft style
> > for specifying users within domains. This is what we use in our
> > configuration...
> >
> > Ed
> >
> > On 21-Sep-07, at 2:48 PM, Robert Aldridge wrote:
> >
> > > Finally got it working...
> > >
> > > I changed every entry of:
> > >
> > > 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > >
> > > to:
> > >
> > > 'tsteel\OTRS'
> > >
> > > and, to pull user data to the local DB, I added:
> > >
> > > # UserSyncLDAPMap
> > > # (map if agent should create/synced from LDAP to DB after login)
> > > $Self->{UserSyncLDAPMap} = {
> > > # DB -> LDAP
> > > Firstname => 'givenName',
> > > Lastname => 'sn',
> > > Email => 'mail',
> > > };
> > >
> > > # UserSyncLDAPGroups
> > > # (If "LDAP" was selected for AuthModule, you can specify initial
> > > # user groups for first login.)
> > > $Self->{UserSyncLDAPGroups} = [
> > > 'users',
> > > ];
> > >
> > >
> > > Perhaps this will help someone else who's trying to set OTRS up
> > > with Microsoft Active Directory.
> > >
> > > Thanks,
> > >
> > > Robert Aldridge
> > >
> > >
> > >
> > > On 9/21/07, Robert Aldridge <bamarob55 at gmail.com> wrote:
> > >
> > > Hi folks,
> > >
> > > First let me say that OTRS appears to be a great product! Kudos to
> > > the developers!
> > >
> > > We are in the process of evaluating our options for a helpdesk/
> > > trouble-ticket system. I would really like to give OTRS a good
> > > evaluation, but I'm having some problems. Our chosen solution must
> > > be able to authenticate users (both agents and customers) via
> > > Microsoft Active Directory. It appears that this is possible, but
> > > I've yet to have any success. I'll outline the steps I've taken
> > > and solicit any input from the community.
> > >
> > > OTRS is working fine when authenticating against its own
> > > database. Here's what I've done to try to authenticate against AD:
> > >
> > > I edited Kernel/Config.pm and added:
> > >
> > > <begin additions to Config.pm>
> > >
> > > $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> > > $Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> > > $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> > > $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
> > >
> > > $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> > > $Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> > > $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> > > $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> > > $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';
> > >
> > > $Self->{CustomerUser} = {
> > > Module => 'Kernel::System::CustomerUser::LDAP',
> > > Params => {
> > > Host => 'lincoln.tsteel.com',
> > > BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > > SSCOPE => 'sub',
> > > UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > > UserPW => 'password',
> > > },
> > > CustomerKey => 'sAMAccountName',
> > > CustomerID => 'mail',
> > > CustomerUserListFields => 'sAMAccountName', 'cn', 'mail',
> > > CustomerUserSearchFields => 'sAMAccountName', 'cn', 'mail',
> > > CustomerUserPostMasterSearchFields => 'mail',
> > > CustomerUserNameFields => 'givenname', 'sn',
> > > Map => [
> > > [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> > > [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> > > [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> > > [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> > > [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> > > ],
> > > };
> > >
> > > <end additions to Config.pm>
> > >
> > >
> > > On my AD box, I ran:
> > >
> > > ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com" -r "(objectClass=user)"
> > >
> > > Which returned a listing of all users in the Tuscaloosa - Sheet
> > > Mill org unit. Within the users.ldf file (output from the above
> > > command), there's an entry for OTRS Admin:
> > >
> > > <begin snippet from users.ldf>
> > >
> > > dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> > > changetype: add
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: user
> > > cn: OTRS
> > > sn: Admin
> > > givenName: OTRS
> > > distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> > > instanceType: 4
> > > whenCreated: 20070920125829.0Z
> > > whenChanged: 20070921135825.0Z
> > > displayName: OTRS
> > > uSNCreated: 8512826
> > > uSNChanged: 8549454
> > > name: OTRS
> > > objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
> > > userAccountControl: 66048
> > > badPwdCount: 0
> > > codePage: 0
> > > countryCode: 0
> > > badPasswordTime: 128347689772801250
> > > lastLogoff: 0
> > > lastLogon: 128347693211238750
> > > pwdLastSet: 128347667099207500
> > > primaryGroupID: 513
> > > objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
> > > accountExpires: 9223372036854775807
> > > logonCount: 0
> > > sAMAccountName: OTRS
> > > sAMAccountType: 805306368
> > > userPrincipalName: OTRS@tsteel.com
> > > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
> > > dSCorePropagationData: 20070921135825.0Z
> > > dSCorePropagationData: 20070921135825.0Z
> > > dSCorePropagationData: 20070921135825.0Z
> > > dSCorePropagationData: 20070921131751.0Z
> > > dSCorePropagationData: 16010108151056.0Z
> > > lastLogonTimestamp: 128347680934676250
> > >
> > >
> > > <end snippet from users.ldf>
> > >
> > >
> > > With this configuration, when I attempt to log in as an agent using
> > > my username (which I know is valid in AD), it errors out with:
> > >
> > > Login failed! Your username or password was entered incorrectly.
> > >
> > > And, when I revert the Config.pm back (so I can log in) and check
> > > the system log, I see:
> > >
> > > User: raldridge authentication failed, no LDAP entry found!
> > > BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> > > Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
> > >
> > > Any help would be greatly appreciated.
> > >
> > > Thanks,
> > >
> > > Robert Aldridge
> > >
> > > _______________________________________________
> > > OTRS mailing list: otrs - Webpage: http://otrs.org/
> > > Archive: http://lists.otrs.org/pipermail/otrs
> > > To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> > > Support or consulting for your OTRS system?
> > > => http://www.otrs.com/
> >
> >
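Every Config.pm excerpt in this thread relies on the same three-step exchange with the domain controller: bind as the search account (SearchUserDN / SearchUserPw), search below BaseDN for (sAMAccountName=<login>), then bind again as the DN that came back, using the password typed into the login form. Robert's log line ("no LDAP entry found! BaseDN='...', Filter='(sAMAccountName=raldridge)'") is the second step failing: the search account bound fine, but no entry matched under that BaseDN. The Perl script below is an added example for this archive page, not OTRS code and not something posted in the thread. It uses Net::LDAP, the module Ed names, to run the same sequence by hand so the DC, BaseDN and search-account credentials can be checked before Config.pm is touched. The host, BaseDN and search-account values are placeholders copied from Ed's dev configuration, and the CA file path in the StartTLS line is an assumption.

```perl
#!/usr/bin/perl
# ad_bind_check.pl - replay the OTRS LDAP login sequence against AD by hand.
# Added example for this thread, not OTRS code. Host, BaseDN and the search
# account are placeholders from the thread; replace them with your own.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $host        = 'ad.groupkae.com';                       # assumption: your DC
my $base_dn     = 'ou=Customer,dc=ad,dc=groupkae,dc=com';  # assumption: your BaseDN
my $search_user = 'ldap@ad.groupkae.com';                  # UPN form, as in the thread
my $search_pw   = 'password';                              # placeholder
my $uid_attr    = 'sAMAccountName';                        # the UID setting in Config.pm

my ( $login, $password ) = @ARGV;
die "usage: $0 <username> <password>\n" unless defined $login && defined $password;

# A simple bind with an empty password is an unauthenticated bind, not a
# password check, and can "succeed" with no credential at all. Refuse it.
die "refusing empty password\n" unless length $password;

# Step 0: connect. Plain port 389 carries every password below in cleartext;
# prefer ldaps:// or StartTLS. verify => 'require' needs the CA that signed
# the DC's certificate (cafile path is an assumption).
my $ldap = Net::LDAP->new( $host, version => 3, timeout => 10 )
    or die "connect to $host failed: $@\n";
# $ldap->start_tls( verify => 'require', cafile => '/etc/ssl/certs/ad-ca.pem' );

# Step 1: bind as the search account (SearchUserDN / SearchUserPw).
my $mesg = $ldap->bind( $search_user, password => $search_pw );
die "search-account bind failed: " . $mesg->error . "\n" if $mesg->code;

# Step 2: locate the user. The login name comes from a web form, so it is
# escaped (RFC 4515) before being spliced into the filter. The result is the
# same (sAMAccountName=<login>) filter that appears in the thread's log line.
my $filter = sprintf '(%s=%s)', $uid_attr, escape_filter_value($login);
$mesg = $ldap->search(
    base   => $base_dn,
    scope  => 'sub',
    filter => $filter,
    attrs  => [ $uid_attr, 'mail', 'givenName', 'sn' ],
);
die "search failed: " . $mesg->error . "\n" if $mesg->code;

if ( $mesg->count == 0 ) {
    # The failure Robert saw: the account exists but sits outside BaseDN, or
    # the attribute does not match. Widen BaseDN to the domain root to confirm.
    die "no LDAP entry found! BaseDN='$base_dn', Filter='$filter'\n";
}
if ( $mesg->count > 1 ) {
    die "filter '$filter' matched " . $mesg->count . " entries; refusing to guess\n";
}
my $entry   = $mesg->entry(0);
my $user_dn = $entry->dn;
printf "found %s -> %s\n", $login, $user_dn;

# Step 3: bind as the located DN with the password from the login form.
# This is the actual authentication; steps 1 and 2 only found the DN.
my $auth = Net::LDAP->new( $host, version => 3, timeout => 10 )
    or die "connect to $host failed: $@\n";
$mesg = $auth->bind( $user_dn, password => $password );
die "authentication failed for $user_dn: " . $mesg->error . "\n" if $mesg->code;
print "authentication OK\n";

# Attributes the CustomerUser Map in the thread reads. UserEmail and
# UserCustomerID both come from 'mail' and are marked required (the 5th
# column is 1), so a user without 'mail' will not get a customer record.
for my $attr ( $uid_attr, 'mail', 'givenName', 'sn' ) {
    my $v = $entry->get_value($attr);
    printf "  %-15s %s\n", $attr, defined $v ? $v : '(missing!)';
}

$auth->unbind;
$ldap->unbind;
```

Run it as `perl ad_bind_check.pl raldridge 'the-password'` from the OTRS host, so the same network path and DNS are used. Two things worth checking when comparing it with the Config.pm excerpts above: Perl hash keys are case-sensitive, and the configuration Ed reports as working spells the password keys SearchUserPw and UserPw, while the customer-side configs that did not work spell them SearchUserPW and UserPW. And a simple bind on port 389 sends both the search account's and the user's password in cleartext, which is why the start_tls line is in the script ready to be uncommented.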