[otrs-de] Antwort: Re: AGENT - LDAP

27 Apr 2010

      Hi Bernd,

wenn du NUR LDAP anbinden willst dann musst du den ersten Teil 
auskommentieren, siehe Bsp. 
Ich hab dir die Änderungen die du machen musst mal fett markiert.

Es wird nicht "verglichen" sondern der Wert ensprechend dem Feld 
übernommen. Als Kundennummer wird die Mail Adresse des Users genommen, ist 
insoweit sinnvoll als das du hier zwischen den Usern differenzierst.
Wo welche Felder genommen werden siehst du im letzten Block.

  $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
  $Self->{'AuthModule::LDAP::Host'} = 'IPADRESSE';
  $Self->{'AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN,DC=local';
  $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';

  $Self->{'AuthModule::LDAP::SearchUserDN'} = '
CN=USER,CN=Users,DC=DOAMIN,DC=local';
  $Self->{'AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

  # This is an example configuration for an LDAP auth. backend.
  # (take care that Net::LDAP is installed!)
  $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
  $Self->{'Customer::AuthModule::LDAP::Host'} = 'IPADRESSE';
  $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'DC=DOMAIN,DC=local';
  $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';

  # The following is valid but would only be necessary if the
  # anonymous user do NOT have permission to read from the LDAP tree
  $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = '
CN=USER,CN=Users,DC=DOAMIN,DC=local';
  $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'PASSWORD';

  # CustomerUser
  # (customer user database backend and settings)
  #  $Self->{CustomerUser} = {
  #      Name => 'Datenbank',
  #      Module => 'Kernel::System::CustomerUser::DB',
  #      Params => { Table => 'customer_user',
  #          # to use an external database
#           DSN => 'DBI:odbc:yourdsn',
#           DSN => 'DBI:mysql:database=customerdb;host=customerdbhost',
#           User => '', Password => '',
  #     },
        # customer uniq id
  #      CustomerKey => 'login',
  #      CustomerID => 'customer_id',
  #      CustomerValid => 'valid_id',
  #      CustomerUserListFields => ['first_name', 'last_name', 'email'],
#       CustomerUserListFields => ['login', 'first_name', 'last_name', 
'customer_id', 'email'],
  #      CustomerUserSearchFields => ['login', 'last_name', 
'customer_id'],
  #      CustomerUserSearchPrefix => '',
  #      CustomerUserSearchSuffix => '*',
  #      CustomerUserSearchListLimit => 250,
  #      CustomerUserPostMasterSearchFields => ['email'],
  #      CustomerUserNameFields => ['salutation', 'first_name', 
'last_name'],
#       ReadOnly => 1,
  #      Map => [
            # note: Login, Email and CustomerID needed!
            # var, frontend, storage, shown, required, storage-type, 
http-link
  #          [ 'UserSalutation', 'Salutation', 'salutation', 1, 0, 'var' 
],
  #          [ 'UserFirstname', 'Firstname', 'first_name', 1, 1, 'var' ],
  #          [ 'UserLastname', 'Lastname', 'last_name', 1, 1, 'var' ],
  #          [ 'UserLogin', 'Login', 'login', 1, 1, 'var' ],
  #          [ 'UserPassword', 'Password', 'pw', 0, 1, 'var' ],
  #          [ 'UserEmail', 'Email', 'email', 0, 1, 'var' ],
  #          [ 'UserCustomerID', 'CustomerID', 'customer_id', 0, 1, 'var' 
],
  #          [ 'UserComment', 'Comment', 'comments', 1, 0, 'var' ],
  #          [ 'ValidID', 'Valid', 'valid_id', 0, 1, 'int' ],
  #      ],
  #  };

  # CustomerUser1
  # (customer user ldap backend and settings)
  $Self->{CustomerUser1} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
      # ldap host
      Host => 'IPADRESSE',
      # ldap base dn
      BaseDN => 'DC=DOMAIN,DC=local',
      # search scope (one|sub)
      SSCOPE => 'sub',
      # The following is valid but would only be necessary if the
      # anonymous user does NOT have permission to read from the LDAP tree
      UserDN => 'CN=USER,CN=Users,DC=DOMAIN,DC=local',
      UserPw => 'password',
      AlwaysFilter => '',
      SourceCharset => 'utf-8',
      DestCharset => 'utf-8',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
      # note: Login, Email and CustomerID needed!
      # var, frontend, storage, shown, required, storage-type
      #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
      [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
      [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
      [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
      [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
      [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
      [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
      #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
      #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
  };

Von:
Bernd Nachtigall 
An:
otrs-de@otrs.org
Datum:
27.04.2010 07:24
Betreff:
Re: [otrs-de] AGENT - LDAP

Hi,

hat niemand eine Idee? Habe ich zu kompliziert geschrieben, fehlen Infos
oder was habe ich falsch gemacht, dass so gar keine Reaktion kommt?

Bye

Bernd

============================================================

Hallo zusammen,

ich versuche eine Agent-Auth. via LDAP zu konfigurieren. Anscheinend
mangels ausreichender Perl-Kenntnisse habe ich dabei einige Probleme und
bitte um Nachhilfe. Die Admin-Doku ist da leider nicht ausreichend für 
mich
und in der Dev.-Doku finde ich nichts entsprechendes.

*Wie läuft die Auth. via LDAP ab? Offenbar wird die DB ebenfalls benötigt.
*Welche Attribute welcher Objekte werden womit verglichen?

*messages sagt:
OTRS-CGI-10[29564]:
[Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed!
base='cn=otrsagent,ou=Abt,o=company', filter='(member=testuser)', Success

-Failed und Success in einer Meldung!?!?
-member=testuser? Im Attr. member der Gruppe steht aber:
'cn=testuser,ou=Abt,o=company'
'testuser' wäre uid;

==========================
System:
-Der LDAP-Host ist eDir (KEIN MAD!)
-DB (MySQL) ist auf entferntem Host scheint aber zu funktionieren (Ohne
LDAP geht's)

Vielen Dank für eure Unterstützung

Bye

Bernd

Ab hier kommen Ausschnitte aus config.pm; messages und die Ergebnisse der
ldap abfragen.
==========================
Config.pm:
$Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
$Self->{'AuthModule::LDAP::Host'} = 'ldap.domain.tld';
$Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Abt,o=company';
$Self->{'AuthModule::LDAP::UID'} = 'uid';                        <=Was
soll hier stehen? Wozu ist der Eintrag gut?

# Check if the user is allowed to auth in a posixGroup
# (e. g. user needs to be in a group xyz to use otrs)
$Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsagent,ou=Abt,o=company';
$Self->{'AuthModule::LDAP::AccessAttr'} = 'member';             <=Was
soll hier stehen? Wozu ist der Eintrag gut?
# for ldap posixGroups objectclass (just uid)
$Self->{'AuthModule::LDAP::UserAttr'} = 'entryDN';                <=Was
soll hier stehen? Wozu ist der Eintrag gut?
# for non ldap posixGroups objectclass (with full user dn)
#$Self->{'AuthModule::LDAP::UserAttr'} = 'DN';                    <=Was
soll hier stehen? Wozu ist der Eintrag gut?

# The following is valid but would only be necessary if the
# anonymous user do NOT have permission to read from the LDAP tree
$Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=ldapproxy,o=company';
#$Self->{'AuthModule::LDAP::SearchUserPw'} = ”;

# in case you want to add always one filter to each ldap query, use
# this option. e. g. AlwaysFilter => '(mail=*)' or AlwaysFilter =>
'(objectclass=user)'
#$Self->{'AuthModule::LDAP::AlwaysFilter'} = ”;

# in case you want to add a suffix to each login name, then
# you can use this option. e. g. user just want to use user but
# in your ldap directory exists user@domain.
#$Self->{'AuthModule::LDAP::UserSuffix'} = '@domain.com';

# Net::LDAP new params (if needed - for more info see perldoc
Net::LDAP)
$Self->{'AuthModule::LDAP::Params'} = {
port => 389,
timeout => 120,
async => 0,
version => 3,
};
#
# agent data sync against ldap
$Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
$Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://ldap.domain.tld/';
$Self->{'AuthSyncModule::LDAP::BaseDN'} = 'ou=Abt,o=company';
$Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
$Self->{'AuthSyncModule::LDAP::SearchUserDN'} =
'cn=ldapproxy,o=company';
#$Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'some_pass';
$Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
# DB -> LDAP
UserFirstname => 'givenName',
UserLastname => 'sn',
UserEmail => 'mail',
Phone => 'telephoneNumber',
Username => 'uid',
comment => 'description',
};

==========================
Ausgabe messages:
OTRS-CGI-10[29564]:
[Error][Kernel::System::Auth::LDAP::Auth][Line:276]: Search failed!
base='cn=otrsagent,ou=Abt,o=company', filter='(member=testuser)', Success
OTRS-CGI-10[29564]:
[Error][Kernel::System::User::UserLookup][Line:696]: No UserID found for
'testuser'!

==========================
Ergebnis einer Abfrage via ldapsearch:
Nach dem Benutzer:
dn: cn=testuser,ou=Abt,o=company
homeDirectory: /home/testuser
mail: testuser@domain.tld
uid: testuser
eMailAddress: testuser@domain.tld

Nach der Gruppe:
dn: cn=otrsagent,ou=Abt,o=company
objectClass: groupOfNames
objectClass: top
member: cn=testuser,ou=Abt,o=company
description:
---------------------------------------------------------------------
OTRS mailing list: otrs-de - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs-de
To unsubscribe: http://lists.otrs.org/mailman/listinfo/otrs-de

NEU! ENTERPRISE SUBSCRIPTION - JETZT informieren und buchen!
http://www.otrs.com/de/support/enterprise-subscription/

[otrs-de] Antwort: Re: AGENT - LDAP

admin_doetsch