[otrs] Re: LDAP Authentication using Microsoft ActiveDirectoryserver
Robert Aldridge
bamarob55 at gmail.com
Mon Sep 24 15:39:02 GMT 2007
Michael,
Sorry, I'm working from an Ubuntu box, so I'm not sure how you'd do it with
ActivePerl on a Windows Server.
Logging in to OTRS via the browser interface, I just use <username> (not
<domain\username> or <username at domain>), though I haven't tried the others
to see if they work, also.
Robert
On 9/24/07, Edward Kovarski <edward.kovarski at groupkae.com> wrote:
>
>
> Haven't used ActivePerl for a while but try this from a command prompt,
>
> ppm install Net::LDAP
>
> Ed
>
> On 24-Sep-07, at 3:37 PM, Michael Holland wrote:
>
> > This is actually on a Windows Server 2003 box. Any thoughts on how to
> > install NET::LDAP on a Windows box? I'm sorry, I'm not a PERL expert at all.
> >
> > Thanks.
> >
> > -----Original Message-----
> > From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On
> > Behalf Of
> > Edward Kovarski
> > Sent: Monday, September 24, 2007 2:28 PM
> > To: User questions and discussions about OTRS.org
> > Subject: Re: [otrs] Re: LDAP Authentication using Microsoft
> > ActiveDirectoryserver
> >
> > Mike,
> >
> > For Unix, as per http://doc.otrs.org/2.2/en/html/x354.html, you would
> > need Net::LDAP. To install the module via CPAN, you'd type in:
> >
> > perl -MCPAN -e 'install Net::LDAP'
> >
> > or, alternatively some Unices allow:
> >
> > cpan Net::LDAP
> >
> > To answer your second question, you'd login via "username" or
> > specifically the sAMAccountName LDAP attribute in Active Directory.
> >
> > Ed
> >
> > On 24-Sep-07, at 2:57 PM, Michael Holland wrote:
> >
> >> Robert and or anyone that can assist. 2 quick questions...
> >>
> >> Do you have any instructions on how to install the correct PERL
> >> Ldap modules?
> >> When you login to OTRS do you use the username or domain\username?
> >>
> >> Thanks for any help offered. I have been chasing this issue for
> >> well over a month.
> >>
> >> Mike Holland
> >>
> >> From: otrs-bounces at otrs.org [mailto:otrs-bounces at otrs.org] On
> >> Behalf Of Robert Aldridge
> >> Sent: Monday, September 24, 2007 11:43 AM
> >> To: User questions and discussions about OTRS.org
> >> Subject: Re: [otrs] Re: LDAP Authentication using Microsoft Active
> >> Directoryserver
> >>
> >> Edward,
> >>
> >> Thanks for the suggestion. I copied your configuration and now
> >> have both agents and customers successfully logging in with
> >> authentication against our AD server.
> >>
> >> Thanks!!!
> >>
> >> Robert
> >>
> >> On 9/24/07, Edward Kovarski <edward.kovarski at groupkae.com> wrote:
> >>
> >> Robert,
> >>
> >> I would suggest trying to simplify the configurations by removing the
> >> AlwaysFilter and specifying the root of your Active Directory as the
> >> BaseDN. Once it authenticates properly you can start customizing and
> >> narrowing the BaseDN scope.
> >>
> >> Here is an excerpt from Config.pm which I just tested on our dev
> >> environment as we don't use the customer interface in production. It
> >> properly authenticated and pulled in all the proper values into
> >> OTRS...
> >>
> >> # --- Customer ---
> >> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> >> $Self->{'Customer::AuthModule::LDAP::Host'} = 'ad.groupkae.com';
> >> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Customer,dc=ad,dc=groupkae,dc=com';
> >> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> >> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'ldap@ad.groupkae.com';
> >> $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'password';
> >>
> >> $Self->{CustomerUser} = {
> >> Module => 'Kernel::System::CustomerUser::LDAP',
> >> Params => {
> >> Host => 'ad.groupkae.com',
> >> BaseDN => 'ou=Customer,dc=ad,dc=groupkae,dc=com',
> >> SSCOPE => 'sub',
> >> UserDN => 'ldap@ad.groupkae.com',
> >> UserPw => 'password',
> >> },
> >>
> >> CustomerKey => 'sAMAccountName',
> >> CustomerID => 'mail',
> >> CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> >> CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> >> CustomerUserSearchPrefix => '',
> >> CustomerUserSearchSuffix => '*',
> >> CustomerUserSearchListLimit => 250,
> >> CustomerUserPostMasterSearchFields => ['mail'],
> >> CustomerUserNameFields => ['givenname', 'sn'],
> >> Map => [
> >> [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
> >> [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
> >> [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> >> [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> >> [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> >> [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
> >> ],
> >> };
> >>
> >> On 24-Sep-07, at 10:42 AM, Robert Aldridge wrote:
> >>
> >>> Thanks for the suggestion, Edward. Changing the SearchUserDN to
> >>> <username>@<domain> continues to work for the agent login. I still
> >>> haven't been able to get the customer login working. Any hints?
> >>> Here's my current LDAP portion of Config.pm:
> >>>
> >>> $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> >>> $Self->{'AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> >>> $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> >>> $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> >>> $Self->{'AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> >>> $Self->{'AuthModule::LDAP::SearchUserPw'} = '********';
> >>>
> >>> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> >>> $Self->{'Customer::AuthModule::LDAP::Host'} = 'ldapserver.domain.com';
> >>> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Group of Users,dc=domain,dc=com';
> >>> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> >>> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'OTRS@domain.com';
> >>> $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = '********';
> >>>
> >>> $Self->{CustomerUser} = {
> >>> Module => 'Kernel::System::CustomerUser::LDAP',
> >>> Params => {
> >>> Host => 'ldapserver.domain.com',
> >>> BaseDN => 'ou=Group of Users,dc=domain,dc=com',
> >>> SSCOPE => 'sub',
> >>> AlwaysFilter => '(&(sAMAccountName=*)(mail=*))',
> >>> UserDN => 'OTRS@domain.com',
> >>> UserPW => '********',
> >>> },
> >>> CustomerKey => 'sAMAccountName',
> >>> CustomerID => 'mail',
> >>> CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
> >>> CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
> >>> CustomerUserPostMasterSearchFields => ['mail'],
> >>> CustomerUserNameFields => ['givenname', 'sn'],
> >>> Map => [
> >>> # note: Login, Email and CustomerID needed!
> >>> # var, frontend, storage, shown, required, storage-type
> >>> # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
> >>> [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> >>> [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> >>> [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> >>> [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> >>> [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> >>> ],
> >>> };
> >>>
> >>> # UserSyncLDAPMap
> >>> # (map if agent should create/synced from LDAP to DB after login)
> >>> $Self->{UserSyncLDAPMap} = {
> >>> # DB -> LDAP
> >>> Firstname => 'givenName',
> >>> Lastname => 'sn',
> >>> Email => 'mail',
> >>> };
> >>>
> >>> # UserSyncLDAPGroups
> >>> # (If "LDAP" was selected for AuthModule, you can specify initial
> >>> # user groups for first login.)
> >>> $Self->{UserSyncLDAPGroups} = [
> >>> 'users',
> >>> ];
> >>>
> >>> On 9/21/07, Edward Kovarski < edward.kovarski at groupkae.com> wrote:
> >>> Robert,
> >>>
> >>> You may also try <username>@<domain> which is the new Microsoft style
> >>> for specifying users within domains. This is what we use in
> >>> configuration...
> >>>
> >>> Ed
> >>>
> >>> On 21-Sep-07, at 2:48 PM, Robert Aldridge wrote:
> >>>
> >>>> Finally got it working...
> >>>>
> >>>> I changed every entry of:
> >>>>
> >>>> 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >>>>
> >>>> to:
> >>>>
> >>>> 'tsteel\OTRS'
> >>>>
> >>>> and, to pull user data to the local DB, I added:
> >>>>
> >>>> # UserSyncLDAPMap
> >>>> # (map if agent should create/synced from LDAP to DB after login)
> >>>> $Self->{UserSyncLDAPMap} = {
> >>>> # DB -> LDAP
> >>>> Firstname => 'givenName',
> >>>> Lastname => 'sn',
> >>>> Email => 'mail',
> >>>> };
> >>>>
> >>>> # UserSyncLDAPGroups
> >>>> # (If "LDAP" was selected for AuthModule, you can specify initial
> >>>> # user groups for first login.)
> >>>> $Self->{UserSyncLDAPGroups} = [
> >>>> 'users',
> >>>> ];
> >>>>
> >>>>
> >>>> Perhaps this will help someone else who's trying to set OTRS up
> >>>> with Microsoft Active Directory.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Robert Aldridge
> >>>>
> >>>> On 9/21/07, Robert Aldridge <bamarob55 at gmail.com> wrote:
> >>>>
> >>>> Hi folks,
> >>>>
> >>>> First let me say that OTRS appears to be a great product! Kudos to
> >>>> the developers!
> >>>>
> >>>> We are in the process of evaluating our options for a helpdesk/
> >>>> trouble-ticket system. I would really like to give OTRS a good
> >>>> evaluation, but I'm having some problems. Our chosen solution must
> >>>> be able to authenticate users (both agents and customers) via
> >>>> Microsoft Active Directory. It appears that this is possible, but
> >>>> I've yet to have any success. I'll outline the steps I've taken
> >>>> and solicit any input from the community.
> >>>>
> >>>> OTRS is working fine when authenticating against its own
> >>>> database. Here's what I've done to try to authenticate against AD:
> >>>>
> >>>> I edited Kernel/Config.pm and added:
> >>>>
> >>>> <begin additions to Config.pm>
> >>>>
> >>>> $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
> >>>> $Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> >>>> $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >>>> $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
> >>>> $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >>>> $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';
> >>>>
> >>>> $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
> >>>> $Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
> >>>> $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >>>> $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
> >>>> $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
> >>>> $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';
> >>>>
> >>>> $Self->{CustomerUser} = {
> >>>> Module => 'Kernel::System::CustomerUser::LDAP',
> >>>> Params => {
> >>>> Host => 'lincoln.tsteel.com',
> >>>> BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> >>>> SSCOPE => 'sub',
> >>>> UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> >>>> UserPW => 'password',
> >>>> },
> >>>> CustomerKey => 'sAMAccountName',
> >>>> CustomerID => 'mail',
> >>>> CustomerUserListFields => 'sAMAccountName', 'cn', 'mail',
> >>>> CustomerUserSearchFields => 'sAMAccountName', 'cn', 'mail',
> >>>> CustomerUserPostMasterSearchFields => 'mail',
> >>>> CustomerUserNameFields => 'givenname', 'sn',
> >>>> Map => [
> >>>> [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
> >>>> [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
> >>>> [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
> >>>> [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
> >>>> [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
> >>>> ],
> >>>> };
> >>>>
> >>>> <end additions to Config.pm>
> >>>>
> >>>> On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet
> >>>> Mill,dc=tsteel,dc=com" -r "(objectClass=user)"
> >>>>
> >>>> Which returned a listing of all users in the Tuscaloosa - Sheet
> >>>> Mill org unit. Within the users.ldf file (output from the above
> >>>> command), there's an entry for OTRS Admin:
> >>>>
> >>>> <begin snippet from users.ldf>
> >>>>
> >>>> dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> >>>> changetype: add
> >>>> objectClass: top
> >>>> objectClass: person
> >>>> objectClass: organizationalPerson
> >>>> objectClass: user
> >>>> cn: OTRS
> >>>> sn: Admin
> >>>> givenName: OTRS
> >>>> distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
> >>>> instanceType: 4
> >>>> whenCreated: 20070920125829.0Z
> >>>> whenChanged: 20070921135825.0Z
> >>>> displayName: OTRS
> >>>> uSNCreated: 8512826
> >>>> uSNChanged: 8549454
> >>>> name: OTRS
> >>>> objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
> >>>> userAccountControl: 66048
> >>>> badPwdCount: 0
> >>>> codePage: 0
> >>>> countryCode: 0
> >>>> badPasswordTime: 128347689772801250
> >>>> lastLogoff: 0
> >>>> lastLogon: 128347693211238750
> >>>> pwdLastSet: 128347667099207500
> >>>> primaryGroupID: 513
> >>>> objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
> >>>> accountExpires: 9223372036854775807
> >>>> logonCount: 0
> >>>> sAMAccountName: OTRS
> >>>> sAMAccountType: 805306368
> >>>> userPrincipalName: OTRS at tsteel.com
> >>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
> >>>> dSCorePropagationData: 20070921135825.0Z
> >>>> dSCorePropagationData: 20070921135825.0Z
> >>>> dSCorePropagationData: 20070921135825.0Z
> >>>> dSCorePropagationData: 20070921131751.0Z
> >>>> dSCorePropagationData: 16010108151056.0Z
> >>>> lastLogonTimestamp: 128347680934676250
> >>>>
> >>>> <end snippet from users.ldf>
> >>>>
> >>>> With this configuration, when I attempt to login as an agent using
> >>>> my username (which I know is valid in AD), it errors out with:
> >>>>
> >>>> Login failed! Your username or password was entered incorrectly.
> >>>>
> >>>> And, when I revert the Config.pm back (so I can log in) and check
> >>>> the system log, I see:
> >>>>
> >>>> User: raldridge authentication failed, no LDAP entry found!
> >>>> BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
> >>>> Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).
> >>>>
> >>>> Any help would be greatly appreciated.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Robert Aldridge
> >>>>
> >>>> _______________________________________________
> >>>> OTRS mailing list: otrs - Webpage: http://otrs.org/
> >>>> Archive: http://lists.otrs.org/pipermail/otrs
> >>>> To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
> >>>> Support or consulting for your OTRS system?
> >>>> => http://www.otrs.com/
> >>>
> >>>
> >>
> >
>
>
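The thread above turns on three separate failure points that OTRS reports with one generic "Login failed!" message: the search account cannot bind (wrong SearchUserDN format or password), the search under BaseDN finds nothing (the "no LDAP entry found! BaseDN=..., Filter=(sAMAccountName=...)" line in the system log), or the user's own bind with the typed password fails. The script below is an added example, not code from the thread or from OTRS; it reproduces that search-then-bind sequence with Net::LDAP outside OTRS so each step can be checked on its own before touching Config.pm. Host name, BaseDN, bind identity and passwords in the `%cfg` hash are placeholders to be replaced with your own values; the Net::LDAP calls (`new`, `bind`, `search`, `unbind`, `escape_filter_value`) are the module's real API.

```perl
#!/usr/bin/perl
# Added example (not part of the mailing-list thread or of OTRS): a stand-alone
# Net::LDAP check that walks the same steps Kernel::System::Auth::LDAP performs
# (bind as the search user, look up the login name under BaseDN, bind as the
# found user with the typed password) so the failing step is visible.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Values copied from the AuthModule::LDAP::* keys in Config.pm. All placeholders.
my %cfg = (
    Host         => 'ldapserver.example.com',
    BaseDN       => 'dc=example,dc=com',     # start at the domain root, narrow later
    UID          => 'sAMAccountName',        # the attribute users log in with
    SearchUserDN => 'otrs-bind@example.com', # UPN form; 'EXAMPLE\otrs-bind' or a full DN also work against AD
    SearchUserPw => 'placeholder-password',
    AlwaysFilter => '',                      # e.g. '(&(objectClass=user)(mail=*))'; empty while debugging
);

# Step 1: bind with the search account. A failure here is a SearchUserDN/password
# problem, not a problem with the user being tested.
sub bind_search_user {
    my ($cfg) = @_;
    my $ldap = Net::LDAP->new($cfg->{Host}, timeout => 10)
        or die "cannot connect to $cfg->{Host}: $@\n";
    my $mesg = $ldap->bind($cfg->{SearchUserDN}, password => $cfg->{SearchUserPw});
    die "search-user bind failed: " . $mesg->error . "\n" if $mesg->code;
    return $ldap;
}

# Step 2: look the login name up under BaseDN with scope 'sub' (SSCOPE => 'sub').
# The login name is escaped so characters such as '*' or ')' cannot widen the
# filter; an AlwaysFilter, if set, is AND-ed in exactly as OTRS does.
sub find_user_entry {
    my ($ldap, $cfg, $login) = @_;
    my $filter = sprintf '(%s=%s)', $cfg->{UID}, escape_filter_value($login);
    $filter = "(&$cfg->{AlwaysFilter}$filter)" if $cfg->{AlwaysFilter};
    my $mesg = $ldap->search(
        base   => $cfg->{BaseDN},
        scope  => 'sub',
        filter => $filter,
        attrs  => [ 'mail', 'userPrincipalName', 'userAccountControl' ],
    );
    die "search failed: " . $mesg->error . "\n" if $mesg->code;
    if ($mesg->count == 0) {
        # Same condition the OTRS system log reports as "no LDAP entry found!"
        printf "no LDAP entry found! BaseDN='%s', Filter='%s'\n", $cfg->{BaseDN}, $filter;
        return;
    }
    if ($mesg->count > 1) {
        printf "ambiguous: %d entries match %s; narrow BaseDN or add an AlwaysFilter\n",
            $mesg->count, $filter;
        return;
    }
    return $mesg->entry(0);
}

# Step 3: bind as the user's own DN with the password they typed. This is the
# step that actually authenticates; the search account's rights play no part.
sub verify_password {
    my ($cfg, $entry, $password) = @_;
    my $ldap = Net::LDAP->new($cfg->{Host}, timeout => 10)
        or die "cannot connect to $cfg->{Host}: $@\n";
    my $mesg = $ldap->bind($entry->dn, password => $password);
    $ldap->unbind;
    return $mesg->code == 0;
}

my ($login, $password) = @ARGV;
die "usage: $0 <sAMAccountName> <password>\n" unless defined $login && defined $password;

my $ldap  = bind_search_user(\%cfg);
my $entry = find_user_entry($ldap, \%cfg, $login);
$ldap->unbind;
exit 1 unless $entry;

printf "found %s (mail=%s)\n", $entry->dn, $entry->get_value('mail') // '<none>';
print verify_password(\%cfg, $entry, $password)
    ? "user bind OK: this account would log in to OTRS\n"
    : "user bind failed: wrong password, or a locked/expired/disabled account\n";
```

Run it with your own account (`perl otrs-ldap-check.pl raldridge 'your-password'`) against the same Host and BaseDN as Config.pm; whichever of the three steps prints a failure is the one to fix. Two things from the thread are worth checking while doing so: the search account needs only read access to the OU it searches, so a dedicated low-privilege account is the right choice given that its password sits in Config.pm in clear text; and the working excerpt spells the password keys `SearchUserPw` and `UserPw` while the non-working one spells them `SearchUserPW` and `UserPW`, and since Perl hash keys are case-sensitive that difference alone is enough to leave the customer search bind without a password.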