[otrs] LDAP Authentication using Microsoft Active Directory server

21 Sep 2007

      Hi folks,

First let me say that OTRS appears to be a great product!  Kudos to the
developers!

We are in the process of evaluating our options for a
helpdesk/trouble-ticket system.  I would really like to give OTRS a good
evaluation, but I'm having some problems.  Our chosen solution must be able
to authenticate users (both agents and customers) via Microsoft Active
Directory.  It appears that this is possible, but I've yet to have any
success.  I'll outline the steps I've taken and solicit any input from the
community.

OTRS is working fine when authenticating against it's own database.  Here's
what I've done to try to authenticate against AD:

I edited Kernel/Config.pm and added:

<begin additions to Config.pm>

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet
Mill,dc=tsteel,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS Admin,ou=Tuscaloosa
- Sheet Mill,dc=tsteel,dc=com';
    $Self->{'AuthModule::LDAP::SearchUserPw'} = 'password';

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'lincoln.tsteel.com';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'ou=Tuscaloosa - Sheet
Mill,dc=tsteel,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'sAMAccountName';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=OTRS
Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPW'} = 'password';

    $Self->{CustomerUser} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
    Host => 'lincoln.tsteel.com',
    BaseDN => 'ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
    SSCOPE => 'sub',
    UserDN => 'cn=OTRS Admin,ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
    UserPW => 'password',
    },
    CustomerKey => 'sAMAccountName',
    CustomerID => 'mail',
    CustomerUserListFields => 'sAMAccountName', 'cn', 'mail',
    CustomerUserSearchFields => 'sAMAccountName', 'cn', 'mail',
    CustomerUserPostMasterSearchFields => 'mail',
    CustomerUserNameFields => 'givenname', 'sn',
    Map => [
    [ 'UserFirstName', 'Firstname', 'givenname', 1, 1, 'var' ],
    [ 'UserLastName', 'Lastname', 'sn', 1, 1, 'var' ],
    [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
    [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
    [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
    ],
    };

<end additions to Config.pm>

On my AD box, I ran: ldifde -f users.ldf -d "OU=Tuscaloosa - Sheet
Mill,dc=tsteel,dc=com" -r ""

Which returned a listing of all users in the Tuscaloosa - Sheet Mill org
unit.  Within the users.ldf file (output from the above command), there's an
entry for OTRS Admin:

<begin snippet from users.ldf>

    dn: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
    changetype: add
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: OTRS
    sn: Admin
    givenName: OTRS
    distinguishedName: CN=OTRS,OU=Tuscaloosa - Sheet Mill,DC=tsteel,DC=com
    instanceType: 4
    whenCreated: 20070920125829.0Z
    whenChanged: 20070921135825.0Z
    displayName: OTRS
    uSNCreated: 8512826
    uSNChanged: 8549454
    name: OTRS
    objectGUID:: po7FpWyIxEWWQeiUc9XMwA==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 128347689772801250
    lastLogoff: 0
    lastLogon: 128347693211238750
    pwdLastSet: 128347667099207500
    primaryGroupID: 513
    objectSid:: AQUAAAAAAAUVAAAApR5XA/l+DSsgfDsl4xwAAA==
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: OTRS
    sAMAccountType: 805306368
    userPrincipalName: OTRS@tsteel.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tsteel,DC=com
    dSCorePropagationData: 20070921135825.0Z
    dSCorePropagationData: 20070921135825.0Z
    dSCorePropagationData: 20070921135825.0Z
    dSCorePropagationData: 20070921131751.0Z
    dSCorePropagationData: 16010108151056.0Z
    lastLogonTimestamp: 128347680934676250

<end snippet from users.ldf>

With this configuration, when I attempt to login as an agent using my
username (which I know is valid in AD), it errors out with:

Login failed! Your username or password was entered incorrectly.

And, when I revert the Config.pm back (so I can log in) and check the system
log, I see:

User: raldridge authentication failed, no LDAP entry
found!BaseDN='ou=Tuscaloosa - Sheet Mill,dc=tsteel,dc=com',
Filter='(sAMAccountName=raldridge)', (REMOTE_ADDR: 10.1.1.50).

Any help would be greatly appreciated.

Thanks,

Robert Aldridge