Hi Ramana
Here are the steps we followed to have OTRS users automatically log on to the OTRS system without
a password prompt (SSO with a Windows domain).
Our installation:
Server: Fedora 11 with Apache 2.2.14, MySQL 5.1.37 on a virtual machine, OTRS 2.4.6
1 Create 2 users in A.D., one for the HTTP service, one for the Apache host
2 Generate the keys for authentication by running the following commands on the domain controller:
ktpass -princ HOST/hostname@YOURDOMAIN -mapuser userforapache@YOURDOMAIN -crypto DES-CBC-MD5 -DesOnly -pass XXXXXPASSWORDXXXX -ptype KRB5_NT_SRV_HST -out krb5.keytab
ktpass -princ HTTP/hostname@YOURDOMAIN -mapuser httpserviceuser@YOURDOMAIN -pass XXXXXPASSWORDXXXX -out keytab.HTTP
3 Copy these files to the Apache machine
4 Configure your krb5.conf as follows:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = YOURDOMAIN
default_keytab_file = /etc/krb5.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
YOURDOMAIN = {
kdc = fqdn_name_of_yourDC:88
kdc = fqdn_name_of_yoursecondDC:88
admin_server = fqdn_name_of_yourDC:749
# lowercase
default_domain = yourdomain
}
[domain_realm]
.yourdomain = YOURDOMAIN
yourdomain = YOURDOMAIN
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
5 Install mod_auth_kerb in the Apache server
6 Modify your conf file and add the following directives. Here we added them to otrs.conf
LoadModule auth_kerb_module modules/mod_auth_kerb.so
# The opening <Directory> line was missing from the posted config; the path is a placeholder
<Directory "/path/to/otrs-cgi-bin">
AllowOverride None
AuthType Kerberos
AuthName "YOURDOMAIN"
Krb5Keytab /usr/local/apache2.2.14/conf/keytab.HTTP
KrbAuthRealms YOURDOMAIN
KrbMethodNegotiate on
KrbSaveCredentials off
Require valid-user
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
7 Configure OTRS
In Config.pm enable HTTPBasicAuth for both customers and agents:
$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@YOURDOMAIN';
# Note:
#
# If you use this module, you should use the following config
# settings as a fallback if the user isn't logged in through
# Apache ($ENV{REMOTE_USER})
$Self->{LoginURL} = 'http://your_webserver_fqdn/otrs-web/not-authorised-for-otrs.html';
$Self->{LogoutURL} = 'http://your_webserver_fqdn/otrs-web/thanks-for-using-otrs.html';
$Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::HTTPBasicAuth';
$Self->{'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@YOURDOMAIN';
$Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Host   => '1.1.1.1',
        BaseDN => 'dc=yourdomain,dc=xxx',
        SSCOPE => 'sub',
        UserDN => 'cn=<userwith read permission>,cn=users,dc=yourdomain,dc=xxx',
        UserPw => 'password',
    },
    CustomerKey                        => 'sAMAccountName',
    CustomerID                         => 'mail',
    CustomerUserListFields             => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields           => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields             => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        # [ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname',  'Firstname',  'givenname',      1, 1, 'var' ],
        [ 'UserLastname',   'Lastname',   'sn',             1, 1, 'var' ],
        [ 'UserLogin',      'Login',      'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail',      'Email',      'mail',           1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail',           0, 1, 'var' ],
        # [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        # [ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        # [ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};
o IT'S IMPORTANT TO USE {'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp'} in order to cut off your
domain name from the credential passed by Kerberos, or SSO won't work.
8 Restart apache
Bye
Luca
-----Original message-----
From: otrs-bounces@otrs.org [mailto:otrs-bounces@otrs.org] On behalf of ramana
Sent: Tuesday, 23 February 2010 07:29
To: User questions and discussions about OTRS.
Subject: [otrs] how to configure the otrs customer login Single signon
Hi
Is there a way to configure single sign-on for the customer login?
Like when clicking the OTRS URL, it automatically uses the domain
credentials and logs in.
I am using OTRS 2.4.5
Regards,
Ramanachary
---------------------------------------------------------------------
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
NEW! ENTERPRISE SUBSCRIPTION - Get more information NOW!
http://www.otrs.com/en/support/enterprise-subscription/
--------------------------------------------------------
Luca Gatti
ICT System Administrator
LGatti@bindagroup.com
tel +39 02 39245.380
fax +39 02 39245.200
Via Montefeltro, 4 - 20156 Milano - Italy
bindagroup.com
--------------------------------------------------------
This e-mail and any file transmitted with it may contain material that is confidential and for the sole use of the intended recipient. If you are not the intended recipient of this e-mail, please do not read this e-mail and notify us immediately by reply e-mail and then delete this message and any file attached from your system. Any other use is prohibited.
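The step Luca flags as important (ReplaceRegExp stripping the realm from the Kerberos principal so that it matches the sAMAccountName used as CustomerKey) can be checked in isolation. The following Python is an added example, not Luca's code and not the OTRS Perl module; it emulates the mapping the post describes, adds the realm check a defender would want (accept only the realm configured in KrbAuthRealms, and hand anything unauthenticated to the LoginURL fallback from the post), and shows why the lookup fails when the suffix is left in place. YOURDOMAIN, the LoginURL and SAMPLE_DIRECTORY are placeholders and constructed data taken from or modelled on the post.

```python
import re
from typing import Optional

# Placeholders taken from the post above; both are assumptions, not real values.
ALLOWED_REALM = "YOURDOMAIN"
LOGIN_URL = "http://your_webserver_fqdn/otrs-web/not-authorised-for-otrs.html"

# Constructed stand-in for what the CustomerUser LDAP backend would return,
# keyed by sAMAccountName (the CustomerKey configured in the post).
SAMPLE_DIRECTORY = {
    "jsmith": {"givenname": "John", "sn": "Smith", "mail": "jsmith@yourdomain.xxx"},
}


def strip_realm(remote_user: str, replace_regexp: str = "@YOURDOMAIN") -> str:
    """Emulate the effect of ReplaceRegExp: delete the first match from REMOTE_USER.

    With the unanchored pattern used in the post, '@YOURDOMAIN' is removed wherever
    it occurs, so any text after it survives; the anchored form below avoids that.
    """
    return re.sub(replace_regexp, "", remote_user, count=1)


def map_remote_user(remote_user: Optional[str], allowed_realm: str = ALLOWED_REALM) -> dict:
    """Turn the Kerberos principal Apache exposes as REMOTE_USER into an OTRS login.

    Returns a dict with 'ok' and either 'login' (success) or 'reason', plus
    'redirect' when no user was authenticated (the LoginURL fallback from the post).
    """
    if not remote_user:
        # Apache authenticated nobody (e.g. the client could not Negotiate).
        return {"ok": False, "reason": "no REMOTE_USER", "redirect": LOGIN_URL}
    if "@" not in remote_user:
        return {"ok": False, "reason": "principal carries no realm"}
    user, realm = remote_user.rsplit("@", 1)
    # Kerberos realm names are case-sensitive; accept only the configured one.
    if realm != allowed_realm:
        return {"ok": False, "reason": f"unexpected realm {realm!r}"}
    # Anchored, escaped form of the post's ReplaceRegExp: strip exactly the realm suffix.
    login = strip_realm(remote_user, "@" + re.escape(allowed_realm) + "$")
    if not user or login != user:
        return {"ok": False, "reason": "malformed principal"}
    return {"ok": True, "login": login}


def lookup_customer(login: str, directory=SAMPLE_DIRECTORY) -> Optional[dict]:
    """Stand-in for the CustomerKey => 'sAMAccountName' lookup; None if no match."""
    return directory.get(login)


def sso_login(remote_user: Optional[str]) -> dict:
    """Full path: map REMOTE_USER to a login, then resolve the customer record."""
    mapped = map_remote_user(remote_user)
    if not mapped["ok"]:
        return mapped
    record = lookup_customer(mapped["login"])
    if record is None:
        return {"ok": False, "reason": f"no customer with sAMAccountName {mapped['login']!r}"}
    return {"ok": True, "login": mapped["login"], "customer_id": record["mail"]}


if __name__ == "__main__":
    # Constructed inputs: the normal case, no auth, and principals from other realms.
    for ru in ["jsmith@YOURDOMAIN", None, "jsmith", "jsmith@OTHER", "jsmith@YOURDOMAIN.OTHER"]:
        print(repr(ru), "->", sso_login(ru))
```

The realm check is the part worth keeping in mind: KrbAuthRealms already limits which realm mod_auth_kerb accepts, but checking the suffix again before stripping it means a misconfiguration on the Apache side cannot silently turn `someone@OTHERREALM` into a local login.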